
This technical note describes security issues related to Reflection PKI Services Manager. If you rely on the security features of this module, you should consult this technical note on a regular basis for any updated information regarding these features.
Note: Reflection PKI Services Manager is available as an optional component of the following products:
The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is non-inclusive; it does not attempt to address all security issues that may affect your system.
IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see Technical Note 2200.
| Alert | Vulnerability Summary for CVE-2013-0422 |
|---|---|
| Date Posted | January 2013 |
| Summary | Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected. According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications. |
| Product Status | Reflection PKI Services Manager is not subject to this vulnerability. |
| Additional Information | For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html. |
| Alert | Multiple Oracle JRE Vulnerabilities |
|---|---|
| Date Posted | November 2012 |
| Summary | Multiple Oracle JRE issues have been addressed in Oracle JRE 1.7U5. |
| Product Status | Reflection PKI Services Manager 1.2 Service Pack 1 installs Version 7 Update 5 of the Java Runtime Environment (JRE), which addresses several potential security vulnerabilities. |
| Additional Information | Oracle lists the security vulnerabilities addressed by Oracle advisories (updates); see the mapping at http://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html. |
| Alert | OpenSSL ASN1 BIO Denial of Service Vulnerability CVE-2012-2110 |
|---|---|
| Date Posted | May 2012 |
| Summary | An ASN.1 input function does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption), via crafted DER data, as demonstrated by an X.509 certificate. |
| Product Status | This issue does not affect Reflection PKI Services Manager. |
| Additional Information | For details, see the National Vulnerability Database site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2110. |
| Alert | Multiple Oracle JRE Vulnerabilities |
|---|---|
| Date Posted | November 2011 |
| Summary | Multiple Oracle JRE issues have been addressed in Oracle JRE 1.6U26. |
| Product Status | Reflection PKI Services Manager 1.2 Hotfix 1 or higher installs Version 6 Update 26 of the Java Runtime Environment (JRE), which addresses several potential security vulnerabilities. To obtain a hotfix, contact Attachmate Technical Support, http://support.attachmate.com/contact/. |
| Additional Information | For details about the vulnerabilities that affect Reflection PKI Services Manager, see the following entries at the National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0872, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0867, and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0865. |
| Alert | Vulnerability Summary for CVE-2010-4476 |
|---|---|
| Date Posted | June 2011 |
| Summary | The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. |
| Product Status | Reflection PKI Services Manager 1.2 installs Version 6 Update 24 of the Java Runtime Environment (JRE), which addresses this potential security vulnerability. |
| Additional Information | For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4476. |
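Why the string cited above is a hard case, as an added example that is not part of this technical note or of the product: it lies in the one-ulp gap between the largest subnormal double and the smallest normal double (DBL_MIN), so a decimal-to-binary conversion has to decide which of two adjacent candidates is nearer. The exact rational arithmetic below settles that without any iterative estimation, and the host-runtime comparison serves as a regression check; the neighbouring input and the function names are constructed for this example.

```python
from fractions import Fraction
import struct

# The string cited in the advisory for CVE-2010-4476, plus a constructed
# neighbour that must round the other way.
ADVISORY_INPUT = "2.2250738585072012e-308"
JUST_BELOW_MIDPOINT = "2.2250738585072011e-308"

SMALLEST_NORMAL = Fraction(2) ** -1022                      # DBL_MIN, bits 0x0010000000000000
LARGEST_SUBNORMAL = SMALLEST_NORMAL - Fraction(2) ** -1074  # bits 0x000FFFFFFFFFFFFF
MIDPOINT = (LARGEST_SUBNORMAL + SMALLEST_NORMAL) / 2


def double_bits(x: float) -> int:
    """IEEE-754 binary64 bit pattern of x, for unambiguous comparison."""
    return struct.unpack("<Q", struct.pack("<d", x))[0]


def correctly_rounded_candidate(text: str) -> float:
    """Return the double a correctly rounded parser must produce for a decimal
    string inside the gap between the largest subnormal and DBL_MIN.
    Exact rational arithmetic: this cannot loop or misround."""
    exact = Fraction(text)  # Fraction parses decimal strings with exponents exactly
    if not LARGEST_SUBNORMAL <= exact <= SMALLEST_NORMAL:
        raise ValueError("input is outside the subnormal/normal boundary gap")
    if exact > MIDPOINT:
        return float(SMALLEST_NORMAL)
    if exact < MIDPOINT:
        return float(LARGEST_SUBNORMAL)
    return float(SMALLEST_NORMAL)  # exact tie: round-half-even picks the even significand


def host_parser_is_correct(text: str) -> bool:
    """Regression check: the running interpreter's float() agrees with the exact
    answer. A runtime with the CVE-2010-4476 defect would never return from
    float(), so run this under an external timeout when auditing one."""
    return double_bits(float(text)) == double_bits(correctly_rounded_candidate(text))


if __name__ == "__main__":
    for s in (ADVISORY_INPUT, JUST_BELOW_MIDPOINT):
        print(f"{s} -> 0x{double_bits(correctly_rounded_candidate(s)):016x}",
              "ok" if host_parser_is_correct(s) else "MISMATCH")
```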
| Alert | Vulnerability Summary for CVE-2010-3190 |
|---|---|
| Date Posted | June 2011 |
| Summary | Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; and Visual C++ 2005 SP1, 2008 SP1, and 2010 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability." |
| Product Status | In Reflection PKI Services Manager 1.2, the Microsoft Redistributable Library files for the untrusted search path vulnerability have been updated, and a related untrusted search path vulnerability in the Windows module has been fixed. |
| Additional Information | For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3190. |