Security Updates and Reflection for the Web or Reflection Security Gateway
Technical Note 1704
Last Reviewed 17-Oct-2014
Applies To
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Reflection for the Web 2008 (All Editions)
Reflection Security Gateway 2014
Reflection Security Gateway 2011
Summary

This technical note describes security issues related to Reflection for the Web or Reflection Security Gateway. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.

Java and Reflection for the Web or Reflection Security Gateway

For Reflection for the Web, the terminal emulation and file transfer components are typically deployed as applets in a web browser, and require a Java browser plug-in. Two applets, the Login applet and Links List applet, are used to authenticate users and deploy sessions to authorized users.

The terminal emulation and file transfer components can optionally be deployed as desktop applications rather than as applets. This feature is optional and requires customization.

The terminal emulation and file transfer components can optionally be deployed using Java Web Start (JNLP).

The Management Server, Security Proxy Server, Metering Server, and ID Management Server are Java server components that can be installed with a private version of Java, or can be configured to use a shared version of Java. The privately installed JRE is regularly updated with hotfixes and service packs. If you use a shared version of Java, you need to manage updates yourself.

For Reflection Security Gateway, two applets, the Login applet and Links List applet, are used to authenticate users and deploy sessions to authorized users.

The Management Server, Security Proxy Server, Metering Server and ID Management Server are Java server components that can be installed with a private version of Java, or can be configured to use a shared version of Java. The privately installed JRE is regularly updated with hotfixes and service packs. If you use a shared version of Java, you need to manage updates yourself.

For more information about Java and Attachmate Products, see Technical Note 2600.

Security Alerts and Advisories

The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is not all-inclusive; it does not attempt to address all security issues that may affect your system.

IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see Technical Note 2200.

Alert
SSL 3.0 'POODLE' Vulnerability (CVE-2014-3566)
Date Posted
October 2014
Summary
A vulnerability in the SSL 3.0 protocol that makes it easier for man-in-the-middle attackers to obtain clear text data via a padding-oracle attack (“POODLE”).
Product Status
Reflection for the Web and Reflection Security Gateway products are vulnerable. We are investigating workarounds and fixes. This alert will be updated soon.
Additional Information
For vulnerability details, see the National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

Alert
OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted
April 2014
Summary
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status
Reflection for the Web and Reflection Security Gateway are not affected by this issue.
Additional Information
For details and the latest information on mitigations, see the following:
US-CERT Technical Alert:
https://www.us-cert.gov/ncas/alerts/TA14-098A
CERT-CC Vulnerability Note VU#720951:
http://www.kb.cert.org/vuls/id/720951
National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Alert
Vulnerability Summary for CVE-2013-1571
Date Posted
October 2013
Summary
Javadoc HTML pages that were created by the Javadoc Tool included with Java 7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, and JavaFX 2.2.21 and earlier contain a frame injection vulnerability that could allow an attacker to replace a Javadoc web page frame with a malicious page.
Product Status
To mitigate the vulnerability you can:

- Configure the Reflection server to use https only (prohibiting http connections).
- Install the ECL API docs locally, rather than serving them from a web server.

Additional Information
For details, see the National Vulnerability Database web site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1571

CERT Coordination Center (CERT/CC) Vulnerability Note VU#225657:
http://www.kb.cert.org/vuls/id/225657

Oracle's Java API Documentation Updater Tool:
http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html

Alert
Multiple Oracle Java Vulnerabilities
Summary
Multiple security issues have been addressed in the latest Oracle Java update. We recommend that you keep current with Java releases.
Date Posted and Version Affected
October 2013 – Reflection for the Web 2014 and Reflection Security Gateway 2014 install Java 7 Update 25.
Date Posted and Version Affected
March 2013 – Reflection for the Web 2011 and Reflection Security Gateway 2011 Hotfix 24 Build 584 installs Java 7 Update 15.
Date Posted and Version Affected
February 2013 – Reflection for the Web 2011 and Reflection Security Gateway 2011 Hotfix 23 Build 581 installs Java 6 Update 39.
Date Posted and Version Affected
September 2012 – Reflection for the Web 2011 and Reflection Security Gateway 2011 Hotfix 16 Build 562 installs Java 6 Update 35.
Date Posted and Version Affected
June 2012 – Reflection for the Web 2011 and Reflection Security Gateway 2011 Hotfix 13 Build 549 installs Java 6 Update 33.
Date Posted and Version Affected
March 2012 – Reflection for the Web 2011 and Reflection Security Gateway 2011 Hotfix 9 Build 540 installs Java 6 Update 31.
Additional Information
For details about the vulnerabilities fixed by Oracle, see the Oracle web site.

For Java 7 updates:
http://www.oracle.com/technetwork/java/javase/7u-relnotes-515228.html

For Java 6 updates:
http://www.oracle.com/technetwork/java/javase/releasenotes-136954.html

Alert
Multiple Apache Tomcat Vulnerabilities
Summary
Multiple Tomcat security issues have been addressed in the latest Tomcat release.
Date Posted and Version Affected
October 2013 – Reflection for the Web 2014 and Reflection Security Gateway 2014 install Tomcat 6.0.36.

Note that the security issues fixed in Tomcat 6.0.37 do not apply to Reflection for the Web 2014 and Reflection Security Gateway 2014.

Date Posted and Version Affected
February 2012 – Reflection for the Web 2011 R1 SP1 and Reflection Security Gateway 2011 R1 SP1 install Tomcat 6.0.35.
Date Posted and Version Affected
June 2011 – Reflection for the Web 2011 R1 and Reflection Security Gateway 2011 R1 install Tomcat 6.0.32.
Additional Information
For details about the vulnerabilities in Tomcat, see the Apache web site at http://tomcat.apache.org/security-6.html.

Alert
Vulnerability Summary for CVE-2013-0422
Date Posted
January 2013
Summary
Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected.

According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.

Product Status
Reflection for the Web is not subject to this vulnerability; however, user and administrator web pages must be accessed from a browser with the Java plug-in enabled. Also, if you have configured the non-default option of starting sessions with Java Web Start (JNLP), user browsers must have JNLP enabled to launch these sessions. It is the Java plug-in and Web Start that can be exploited, not Reflection for the Web. To minimize the risk described in this vulnerability on these systems, refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability.

If you have upgraded to Java 7 Update 11, see Technical Note 2655 for information about the prompt, "Do you want to run this application?"
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.

Alert
Multiple Oracle JRE Vulnerabilities
Summary
Multiple security issues have been addressed in the latest Oracle Java Update. Users running Reflection for the Web clients use the Java Runtime Environment and browser plug-in that is installed on their machine. To resolve the issues addressed by this Oracle Java security update, you should update the JRE on user machines to Java 6 Update 29 or higher.
Date Posted and Version Affected
December 2011 – JRE vulnerabilities have been addressed in Reflection for the Web 2011 R1 Build 11.0[.nnn].527, installing Java Update 29; we recommend that you upgrade to Reflection for the Web 2011 R1 SP1 or higher.
Date Posted and Version Affected
December 2011 – JRE vulnerabilities have been addressed in Reflection for the Web 2011 R1 Build 11.0[.nnn].500, installing Java Update 26; we recommend that you upgrade to Reflection for the Web 2011 R1 SP1 or higher.

JRE vulnerabilities have been addressed in Reflection for the Web 2008 R3 Build 10.2[.nnn].527, updating the version of Java included in the automated installers to Java 6 Update 26; we recommend that you upgrade to Reflection for the Web 2011 R1 SP1 or higher.

Additional Information
For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table.

Alert
Floating Point Number Vulnerability CVE-2010-4476
Date Posted
November 2011
Summary
Oracle Security Alert: "This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products. This vulnerability allows unauthenticated network attacks (that is, it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability."
Product Status
Reflection for the Web 2008 R3 (10.2[.nnn].526 or earlier Reflection for the Web 2008 versions) includes a Java version that is vulnerable to this issue. To resolve the issue, upgrade to Reflection for the Web 2008 R3 Build 527 (10.2[.nnn].527 or higher) or Reflection for the Web 2011. If you installed Reflection for the Web manually, then you should upgrade the Java version to 6 Update 24 or higher.

Users running Reflection for the Web clients use the Java Runtime Environment and browser plug-in that is installed on their machine.
To resolve the issue, users must update the JRE on their machine to Java 6 Update 24 or higher.
Additional Information
For details see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html, and the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4476.

Alert
Cross-site Scripting Vulnerability
Date Posted
October 2010
Summary
Certain versions of Reflection for the Web (Reflection for the Web 2008 version R2 (builds 10.1[.nnn].569 and earlier), Reflection for the Web 2008 R1, Reflection for the Web 9.6 and earlier) have a non-persistent cross-site scripting vulnerability, whereby malformed input can be reflected back to the user and executed as script within the user’s web browser and within the security context of the user. The attacker would need to induce the user to voluntarily interact with the attack mechanism. The potential impact would depend on the configuration of the victim’s browser and system.
Product Status
Reflection for the Web 2008 R2 (builds 10.1[.nnn].570 or higher) or higher versions are not affected.

Reflection for the Web 2008 version R2 (builds 10.1[.nnn].569 and earlier), Reflection for the Web 2008 R1, and Reflection for the Web 9.6 and earlier are affected.

To determine which version of Reflection for the Web you are running, log in to the Administrative WebStation, click Resources, and then click About Reflection for the Web.

We recommend upgrading to the current version.

Alert
Vulnerability Advisory CPNI-957037
Date Posted
October 2008; modified October 2010

Summary
A design flaw in the SSH protocol's use of block ciphers in cipher block chaining (CBC) mode could allow an attacker to recover up to four bytes of plaintext. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low, and an attempt terminates the user's SSH connection.
Product Status
Beginning in Reflection for the Web 2008 R3, counter mode cipher support is available. For more information about how this vulnerability affects Attachmate products, see Technical Note 2398.
Additional Information
For details, see the US-CERT web site at http://www.kb.cert.org/vuls/id/958563.

Alert
US-CERT Vulnerability Note VU#845620
Date Posted
September 5, 2006
Summary
Multiple RSA implementations fail to properly handle signatures.
Product Status
Attachmate has determined that the usage of the RSA digital signature algorithm in Reflection for the Web is not subject to this vulnerability.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/845620.

Alert
US-CERT Vulnerability Note VU#680620
Date Posted
July 14, 2005
Summary
Buffer overflow vulnerability in versions 1.2.1 and 1.2.2 of the zlib data compression library inflate() routine.
Product Status
Reflection for the Web does not use zlib and is not subject to this vulnerability.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/680620.

Alert
Multiple iDEFENSE Security Advisories/US-CERT Vulnerability Note VU#800829
Date Posted
July 7, 2005
Summary
Multiple vendor telnet client information disclosure vulnerabilities.
Product Status
Reflection for the Web Telnet clients are not vulnerable to these issues because they return limited terminal information in response to the NEW_ENVIRONMENT command and use dynamically sized buffering.
Additional Information
For details about these vulnerabilities, see the iDefense and US-CERT articles listed below.
iDefense: http://www.idefense.com/application/poi/display?id=260&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
US-CERT: http://www.kb.cert.org/vuls/id/800829

Alert
Announcement of Successful Cryptanalytic Attack on SHA-1
Summary
Three Chinese cryptanalysts from Shandong University have recently documented a successful cryptanalytic attack on the SHA-1 algorithm.
Product Status
Reflection products primarily use SHA-1 to create HMACs (keyed-hash message authentication codes) for verification of message integrity. According to Schneier, because hash collisions are not a prominent concern for this use, this use of SHA-1 is not affected by the cryptanalytic attack. (For further details, read the blog posting at http://www.schneier.com/blog/archives/2005/02/sha1_broken.html.)
Over the next several versions of products that use the SHA-1 algorithm, all vendors, including Attachmate, will likely phase out the use of SHA-1 hashes in digital signatures and add support for SHA-256 and other stronger hashing algorithms.

Additional Information
Bruce Schneier, the author of "Applied Cryptography," discusses this announcement on his blog, Schneier on Security. For commentary on this topic, see Mr. Schneier's blog at http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html.

Alert
CERT Advisory CA-2003-26
Summary
Multiple Vulnerabilities in SSL/TLS Implementations.
Product Status
Attachmate has inspected Reflection for the Web and determined that it is not vulnerable to the issues addressed in this alert.
Additional Information
For details, see http://www.cert.org/advisories/CA-2003-26.html.

Alert
CERT Advisory CA-2002-36
Summary
Vulnerabilities in SSH2 Implementations from Multiple Vendors.
Product Status
Attachmate has tested Reflection for the Web with the provided test suite and found that it is not vulnerable to the SSH2 connection initialization, key exchange, and negotiation phase attacks.
Additional Information
For details, see http://www.cert.org/advisories/CA-2002-36.html.

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Related Technical Notes
1890 Reporting a Potential Security Vulnerability to Attachmate
2200 Security and Your Operating Environment
2398 Attachmate Security Update for CSIRTUK Vulnerability #CPNI-957: Plaintext Recovery Attack Against SSH
2400 Attachmate Products with FIPS 140-2 Validated Crypto Modules
2600 Java and Attachmate Products
2655 Reflection for the Web and Java 7 Update 11 or Higher
