Security Updates and Reflection PKI Services Manager
Technical Note 2560
Last Reviewed 09-Apr-2014
Applies To
Reflection PKI Services Manager version 1.0 or higher
Summary

This technical note describes security issues related to Reflection PKI Services Manager. If you rely on the security features of this module, you should consult this technical note on a regular basis for any updated information regarding these features.

Note: Reflection PKI Services Manager is available as an optional component of many Attachmate products. For a list of those products, see Technical Note 2716.

Other Useful Resources

Java and Reflection PKI Services Manager

This is an optional component of many Attachmate products. It can be used with the Reflection for Secure IT Server and Client for UNIX, Reflection for Secure IT Server for Windows, Reflection for Secure IT Web Edition, and Reflection X Advantage.

Reflection PKI Services Manager installs a private JRE that you can upgrade. Refer to the product documentation (http://docs.attachmate.com/reflection/pki/1.3/html/pkid_change_jre.htm) for details on how to upgrade the JRE. This component falls into the Java Server usage pattern. For more information, see Technical Note 2600.

Security Alerts and Advisories

The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.

IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see Technical Note 2200.

Alert
OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted
April 2014
Summary
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status
Reflection PKI Services Manager is not affected by this issue.
Additional Information
For details and the latest information on mitigations, see the following:
US-CERT Technical Alert:
https://www.us-cert.gov/ncas/alerts/TA14-098A
CERT-CC Vulnerability Note VU#720951:
http://www.kb.cert.org/vuls/id/720951
National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160.

Alert
RSA Security Advisory: ESA-2013-068 Crypto-J Default DRBG May Be Compromised
Date Posted
March 2014 (modified); originally posted January 2014

Summary
RSA strongly recommends that customers discontinue use of the default Dual EC DRBG (deterministic random bit generator) and move to a different DRBG.
Product Status
Reflection PKI Services Manager 1.2 SP2 and 1.3 install version 6.1 of RSA’s Crypto-J library, which is subject to this issue. This issue is resolved beginning in Reflection PKI Services Manager 1.3 Hotfix 1 (1.3.0.41). To obtain this hotfix, contact Attachmate Technical Support.

Earlier Reflection PKI Services Manager versions are not subject to this vulnerability.
Additional Information
If you wish to change the default pseudo-random number generator (PRNG) used, you can add the following line to the java.security file:
com.rsa.crypto.default.random=HMACDRBG256

On Windows operating systems, the java.security file is located in C:\Program Files\Common Files\Attachmate\JRE\1.7.0_25\lib.

On UNIX/Linux operating systems, this file is located in /opt/attachmate/pkid/_java/jre/lib.

If you have installed and configured your own Java JVM or JDK, the java.security file will be located in the %JAVA_HOME%/jre/lib folder of your install.

For more information about this alert, see
http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf.
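The following is an added example, not part of this technical note or of the product: it checks a java.security file for the com.rsa.crypto.default.random property named above and rewrites it so that HMACDRBG256 is selected, handling the cases where the property is absent, commented out, or set to another DRBG. The helper names and the sample file excerpt are constructed for this example; the file locations are the ones quoted in the note.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Property name and value quoted in the note; everything else here is constructed.
PRNG_KEY = "com.rsa.crypto.default.random"
PRNG_VALUE = "HMACDRBG256"
# Matches an active or commented-out assignment of the property (java.security
# uses Java Properties syntax, so '=' or ':' separate key and value).
_LINE_RE = re.compile(r"^\s*#?\s*" + re.escape(PRNG_KEY) + r"\s*[=:]\s*(\S*)\s*$")

# Constructed java.security excerpt: the property is present but commented out.
SAMPLE = """# constructed java.security excerpt
securerandom.source=file:/dev/random
#com.rsa.crypto.default.random=HMACDRBG256
"""


def java_security_path(java_home: Optional[str] = None, windows: bool = False) -> Path:
    """Locate java.security: JAVA_HOME/jre/lib for a user-installed JVM, otherwise
    the private-JRE paths given in the note (the Windows path embeds JRE 1.7.0_25)."""
    if java_home:
        return Path(java_home) / "jre" / "lib" / "java.security"
    if windows:
        return Path(r"C:\Program Files\Common Files\Attachmate\JRE\1.7.0_25\lib\java.security")
    return Path("/opt/attachmate/pkid/_java/jre/lib/java.security")


def prng_setting(text: str) -> Optional[str]:
    """Return the effective value of the property, or None if it is not set.
    Comment lines are ignored; the last active assignment wins, as in Properties."""
    value = None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if m:
            value = m.group(1)
    return value


def ensure_hmac_drbg(text: str) -> Tuple[str, bool]:
    """Return (new_text, changed). Rewrites any existing assignment of the property,
    commented out or not, to select HMACDRBG256, or appends one if none exists."""
    if prng_setting(text) == PRNG_VALUE:
        return text, False
    lines = text.splitlines()
    hits = [i for i, line in enumerate(lines) if _LINE_RE.match(line)]
    for i in hits:
        lines[i] = f"{PRNG_KEY}={PRNG_VALUE}"
    if not hits:
        lines.append(f"{PRNG_KEY}={PRNG_VALUE}")
    return "\n".join(lines) + "\n", True
```

Run it against the real file by reading java_security_path(...) into ensure_hmac_drbg and writing the result back only when changed is True.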

Alert
Multiple Oracle JRE Vulnerabilities
Summary
Multiple Oracle JRE issues have been addressed in the latest Oracle Java update. We recommend that you update the Java Runtime Environment (JRE) for Reflection PKI Services Manager.
Date Posted and Version Affected
March 2014 – Reflection PKI Services Manager 1.3 Hotfix 1 installs Version 7 Update 51 of the JRE. To obtain this hotfix, contact Attachmate Technical Support.
Date Posted and Version Affected
October 2013 – Reflection PKI Services Manager 1.3 installs Version 7 Update 25 of the JRE.
Date Posted and Version Affected
August 2013 – Reflection PKI Services Manager 1.2 Service Pack 2 installs Version 7 Update 25 of the JRE.
Date Posted and Version Affected
November 2012 – Reflection PKI Services Manager 1.2 Service Pack 1 installs Version 7 Update 5 of the JRE.
Additional Information
Oracle lists the security vulnerabilities addressed by Oracle advisories (updates); see the mapping at http://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html.

Alert
Vulnerability Summary for CVE-2013-0422
Date Posted
January 2013
Summary
Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected.

According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.

Product Status
Reflection PKI Services Manager is not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.

Alert
OpenSSL ASN1 BIO Denial of Service Vulnerability CVE-2012-2110
Date Posted
May 2012
Summary
An ASN.1 input function does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption), via crafted DER data, as demonstrated by an X.509 certificate.
Product Status
This issue does not affect Reflection PKI Services Manager.
Additional Information
For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110.

Alert
Multiple Oracle JRE Vulnerabilities
Date Posted
November 2011
Summary
Multiple Oracle JRE issues have been addressed in Oracle JRE 1.6U26.
Product Status
Reflection PKI Services Manager 1.2 Hotfix 1 or higher installs Version 6 Update 26 of the Java Runtime Environment (JRE), which addresses several potential security vulnerabilities. Upgrade to the latest Reflection PKI Services Manager version.
Additional Information
For details about the vulnerabilities that affect Reflection PKI Services Manager, see the following entries at the National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0872
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0867
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0865

Alert
Vulnerability Summary for CVE-2010-4476
Date Posted
June 2011
Summary
The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.
Product Status
Reflection PKI Services Manager 1.2 installs Version 6 Update 24 of the Java Runtime Environment (JRE), which addresses this potential security vulnerability.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4476.

Alert
Vulnerability Summary for CVE-2010-3190
Date Posted
June 2011
Summary
Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; and Visual C++ 2005 SP1, 2008 SP1, and 2010 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability."
Product Status
In Reflection PKI Services Manager 1.2, the Microsoft Redistributable Library files for the untrusted search path vulnerability have been updated, and a related untrusted search path vulnerability in the Windows module has been fixed.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3190.

Related Technical Notes
1890 Reporting a Potential Security Vulnerability to Attachmate
2200 Security and Your Operating Environment
2400 Attachmate Products with FIPS 140-2 Validated Crypto Modules
2600 Java and Attachmate Products
