Security Updates and Verastream
Technical Note 2700
Last Reviewed 17-Oct-2014
Applies To
Verastream Host Integrator
Verastream Process Designer
Verastream Bridge Integrator
Verastream SDK for Unisys and Airlines version 5.0 or higher
Summary

This technical note describes security issues related to the Verastream products listed in the Applies To section. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.

Other Useful Resources

Java and Verastream

Verastream products use Java in the following ways:

  • Host Integrator – The Session Server, Management Server, Web Server, Log Manager, and Administrative Console all use a privately installed JDK. This privately installed JDK is updated when the Verastream product releases; this may occur with a hotfix, service pack, or full release.
  • Bridge Integrator – The Bridge Designer, Transaction Studio, Requestor Clients, and Trace Player all use the shared Java JDK installed by you, and JDK updates need to be managed by you. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.
  • Process Designer – The Process Server and Process Design Studio use a privately installed JDK. This privately installed JDK is updated when the Verastream product releases; this may occur with a hotfix, service pack, or full release.

Note: For Verastream products run on AIX and Linux on System z, Verastream uses the Java version that is on the system, and Java updates need to be managed by you. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment.

For more information about Java and Attachmate products, see Technical Note 2600.

Security Alerts and Advisories

The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.

IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see Technical Note 2200.

Alert
SSL 3.0 'POODLE' Vulnerability (CVE-2014-3566)
Date Posted
October 2014
Summary
A vulnerability in the SSL 3.0 protocol that makes it easier for man-in-the-middle attackers to obtain clear text data via a padding-oracle attack (“POODLE”).
Product Status
Verastream Host Integrator (VHI) and Bridge Integrator (VBI) may be vulnerable. We are researching this vulnerability, and this alert will be updated soon.

Verastream Process Designer (VPD) and Terminal Client (VTC) are not vulnerable.
Additional Information
For vulnerability details, see the National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

Alert
VPD Remote Code Execution Vulnerability CVE-2014-0607
Date Posted
July 2014
Summary
By sending a specially crafted request to a web service, it is possible to upload an arbitrary file on the target server, enabling the attacker to execute arbitrary code on the server.
Product Status
This issue affects Verastream Process Designer (VPD) R6 SP1 and all earlier versions.

This issue is resolved beginning in Verastream Process Designer R6 SP1 Hotfix 1 (build 1010). Maintained customers can contact Attachmate Technical Support to obtain the hotfix.
CVSS Version 2.0
Base Score: 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Additional Information
Attachmate would like to thank Andrea Micalizzi (rgod), working with HP's Zero Day Initiative, for the discovery and responsible reporting of this vulnerability.

For vulnerability details, see the National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0607

Alert
OpenSSL "CCS Injection" Vulnerability CVE-2014-0224
Date Posted
June 2014
Summary
A vulnerability in OpenSSL could allow an attacker with a man-in-the-middle vantage point on the network to decrypt or modify traffic.
Product Status
This issue affects Verastream Host Integrator 7.6 and all earlier versions.

This issue is resolved beginning in Verastream Host Integrator 7.6 SP1 (version 7.6.1026). Maintained customers can download the latest version from the Attachmate Downloads site, http://download.attachmate.com/.
Additional Information
For details and the latest information on mitigations, see the following:
CERT-CC Vulnerability Note VU#978508:
http://www.kb.cert.org/vuls/id/978508
National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224

Alert
Multiple Oracle Java Vulnerabilities Affecting Verastream Host Integrator
Summary
Multiple security issues have been addressed in the latest Oracle Java update. We recommend that you update Verastream Host Integrator on systems running Development Kit or Server Kit, and update Java on any client systems using the Java connector API, or Java web applications generated by Web Builder.

For more information on Java versions installed with VHI, see Technical Note
10030.
Date Posted and Version Affected
June 2014 – Verastream Host Integrator 7.6 SP1 installs Java 7 Update 55 (JDK 1.7.0_55) on Windows, Solaris, and Linux platforms.
Date Posted and Version Affected
December 2013 – Verastream Host Integrator 7.6 installs Java 7 Update 45 (JDK 1.7.0_45) on Windows, Solaris, and Linux platforms.
Date Posted and Version Affected
June 2013 – Verastream Host Integrator 7.5 SP1 installs Java 7 Update 21 (JDK 1.7.0_21) on Windows, Solaris, and Linux platforms.
Date Posted and Version Affected
December 2012 – Verastream Host Integrator 7.5 installs Java 7 Update 9 (JDK 1.7.0_09) on Windows, Solaris, and Linux platforms.
Date Posted and Version Affected
March 2012 – Verastream Host Integrator 7.1 Service Pack 2 installs Java 6 Update 29 (JDK 1.6.0_29) on Windows, Solaris, and Linux platforms.
Additional Information
For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table.

Alert
OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted
April 2014
Summary
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status
This issue affects Verastream Host Integrator version 7.6. Earlier Verastream Host Integrator versions and other Verastream products are not subject to this vulnerability.

This issue is resolved beginning in Verastream Host Integrator 7.6 Hotfix 3 (version 7.6.49). Maintained customers can download the latest version from the Attachmate Downloads site, http://download.attachmate.com/.
Additional Information
For details and the latest information on mitigations, see the following:
US-CERT Technical Alert:
https://www.us-cert.gov/ncas/alerts/TA14-098A
CERT-CC Vulnerability Note VU#720951:
http://www.kb.cert.org/vuls/id/720951
National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Alert
Multiple RSA BSAFE SSL-J Vulnerabilities Affect Verastream SDK for Unisys and Airlines
Summary
Multiple security issues have been addressed in RSA BSAFE SSL-J module 6.1.2. We recommend that you update to the latest version of Verastream SDK for Unisys and Airlines.
Date Posted and Version Affected
April 2014 – Verastream SDK for Unisys and Airlines 5.0 uses RSA BSAFE SSL-J module 6.1.2.
Additional Information
For details, see the following web sites:
http://www.securityfocus.com/archive/1/526913/100/900/threaded
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389

Alert
Multiple OpenSSL Vulnerabilities
Date Posted
March 2014
Summary
The ssl3_take_mac function allows remote TLS servers to cause a denial of service via a crafted TLS handshake (CVE-2013-4353).

The ssl_get_algorithm2 function allows remote attackers to cause a denial of service via crafted traffic from a TLS 1.2 client (CVE-2013-6449).

Product Status
These issues are resolved beginning in Verastream Host Integrator 7.6 Hotfix 2 (7.6.47). Download the latest version from Attachmate Downloads at http://download.attachmate.com.
Additional Information
For details, see the National Vulnerability Database web site:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449

Alert
RSA Security Advisory: ESA-2013-068 Crypto-J Default DRBG May Be Compromised
Date Posted
Modified February 2014
January 2014

Summary
RSA strongly recommends that customers discontinue use of the default Dual EC DRBG (deterministic random bit generator) and move to a different DRBG.
Product Status
This issue affects Verastream Host Integrator 7.6, 7.5 SP1, 7.5, and 7.1 SP2; and Verastream Process Designer R6 and R5 SP1. Verastream products on AIX and z/Linux are not affected.
Additional Information
If you wish to change the default pseudo-random number generator (PRNG) used, you can add the following line to the java.security file:
com.rsa.crypto.default.random=HMACDRBG256

This java.security file is found in the following directory:
<installation folder>/java/jdk<version>/jre/lib/security.

Note that the Java version is different depending on the version of the product you have installed. If you have more than one Verastream product installed, you may have to edit more than one file.

For information on Java versions in Verastream, refer to
http://support.attachmate.com/techdocs/10030.html#Java_Requirements.
For more information about this alert, see
http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf.

Alert
Verastream Host Integrator Session Server Vulnerability CVE-2013-3626
Date Posted
Modified November 2013
September 2013

Summary
By sending a specially crafted message to the Verastream Host Integrator Session Server, an unauthenticated remote attacker can execute arbitrary code to gain control of the server.
Product Status
This issue is resolved in Verastream Host Integrator 7.5 SP1 Hotfix 2 or higher (7.5.1038 or higher) and in Verastream Host Integrator 7.1 SP2 Hotfix 7 (7.1.2043). Maintained customers can obtain the latest version from Attachmate Downloads at http://download.attachmate.com.
Additional Information
This vulnerability is posted at the National Vulnerability Database web site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3626

CERT Coordination Center (CERT/CC) Vulnerability Note VU#436214:
http://www.kb.cert.org/vuls/id/436214

Alert
Multiple Oracle Java Vulnerabilities Affecting Verastream Process Designer
Summary
Multiple security issues have been addressed in the latest Oracle Java update. We recommend that you upgrade Verastream Process Designer to the latest version.
Date Posted and Version Affected
October 2013 – Verastream Process Designer R6 installs Java 7 Update 25 (JDK 1.7.0_25) on Windows, Solaris, and Linux platforms.
Date Posted and Version Affected
May 2013 – Verastream Process Designer R5 SP1 installs Java 7 Update 15 (JDK 1.7.0_15) on Windows, Solaris, and Linux platforms.
Additional Information
For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table.

Alert
Vulnerability Summary for CVE-2013-1571
Date Posted
June 2013
Summary
Verastream Host Integrator and Verastream Bridge Integrator contain API documentation in HTML format that was created by Javadoc. Additionally, the Web Builder tool that is part of Verastream Host Integrator will run Javadoc to generate API documentation in HTML format for some of the code that it generates.

Javadoc HTML pages that were created by the Javadoc Tool that is included with Java 7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, JavaFX 2.2.21 and earlier contain JavaScript code that fails to parse scheme relative URIs parameters correctly. An attacker can construct a URI that passes malicious parameters to the affected HTML page that causes one of the frames within the Javadoc-generated web page to be replaced with a malicious page.

This vulnerability could be used for phishing or social engineering, or it could be used for browser exploitation if combined with another browser-related vulnerability.

Product Status
Verastream Host Integrator 7.5 SP1 or earlier and Verastream Bridge Integrator R5 SP1 or earlier contain Help pages that are vulnerable. However, these pages are not served on a public web server, but on a local server that listens on an arbitrary (ephemeral) port, making it unlikely that the vulnerability can be exploited.

If you wish to eliminate this vulnerability, you can run the "Java API Documentation Updater Tool" that is available as a separate download from Oracle. Note that in a typical installation, the tool will have to be run with elevated privileges to write into the installed files.

The API documentation in HTML format that is created by Web Builder also contains the problematic JavaScript, but these files are not served on a web server and therefore are not vulnerable.

Verastream Process Designer is not affected.

Additional Information
For details, see the National Vulnerability Database web site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1571

CERT Coordination Center (CERT/CC) Vulnerability Note VU#225657:
http://www.kb.cert.org/vuls/id/225657

Oracle's Java API Documentation Updater Tool:
http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html

Alert
Vulnerability Summary for CVE-2013-0422
Date Posted
January 2013
Summary
Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected.

According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.

Product Status
Verastream products are not subject to this vulnerability. However, to configure Verastream Host Integrator connections to use the Reflection Security Proxy Server (using the Administrative WebStation included in Reflection Administrator, Reflection Security Gateway, or Reflection for the Web, sold separately from Verastream), your browser must have a Java plug-in enabled. It is this JRE plug-in and Java Web Start that can be exploited, not Attachmate products. To minimize the risk described in this vulnerability, refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability. Note: The Java used by the browser is a separate installation from the private JDK installed with Verastream Host Integrator; the private JDK is not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.

Alert
Multiple Apache Tomcat Vulnerabilities
Date Posted
December 2012
Summary
Multiple Tomcat security issues have been addressed in Verastream Host Integrator 7.5.
Product Status
Verastream Host Integrator 7.5 has resolved these security issues by no longer using Tomcat for the VHI Web Server. (The VHI Web Server is used to run Java-based projects generated by Web Builder.) Beginning in Verastream Host Integrator 7.5, other technologies are used instead.
Additional Information
For details about the vulnerabilities in Tomcat, see the Apache web site at http://tomcat.apache.org/security-5.html.

Alert
Multiple Oracle Java Vulnerabilities Affecting Verastream Process Designer
Date Posted
October 2012
Summary
Multiple security issues have been addressed in Oracle Java 7 Update 3 or higher.
Product Status
These issues are resolved in Verastream Process Designer R5 on Windows, Solaris, and Linux platforms, which installs Java 7 Update 4 (JDK 1.7.0_04). Verastream Process Designer R4 installed Java 6 Update 16, and R4+SP1 installed Java 6 Update 26.
Additional Information
For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table.

Alert
Vulnerability Summary for Verastream Denial of Service
Date Posted
October 2011
Summary
A specially crafted network message can cause a denial of service (server restart) in versions of the VHI session server prior to 7.1 SP1.
Product Status
The vulnerability has been fixed in Verastream Host Integrator 7.1 SP1. Other Verastream products are not subject to this vulnerability.
Additional Information
Attachmate would like to thank Mark Goodwin and Bartosz Maciej of Citi UK for discovering and reporting the vulnerability.

Alert
Vulnerability Summary for CVE-2010-3190
Date Posted
October 2011
Summary
Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; and Visual C++ 2005 SP1, 2008 SP1, and 2010 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability."
Product Status
In Verastream Host Integrator 7.1 SP1 and Verastream Process Designer R4 SP1, the Microsoft Redistributable Library files for the untrusted search path vulnerability have been updated. Other Verastream products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3190.

Alert
Multiple OpenSSL Vulnerabilities
Date Posted
February 2011
Summary
Multiple OpenSSL vulnerabilities are described in the following: CVE-2010-4252, CVE-2010-4180, and CVE-2010-3864.
Product Status
Attachmate Verastream products, and specifically Verastream Host Integrator, are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4252
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4180
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3864

Alert
Vulnerability Summary for CVE-2010-1622
Date Posted
October 2010
Summary
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Product Status
Attachmate Verastream products, and specifically Verastream Process Designer, are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1622.

Alert
US-CERT Technical Cyber Security Alert TA10-238A
Date Posted
September 2010
Summary
Due to the way Microsoft Windows loads dynamically linked libraries (DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code.
Product Status
Attachmate Verastream products are not subject to this vulnerability.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-238A.html.

Alert
OpenSSL cryptographic message syntax vulnerability CVE-2010-0742
Date Posted
June 2010
Summary
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
Product Status
Attachmate Verastream products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0742.

Alert
OpenSSL RSA verification recovery vulnerability CVE-2010-1633
Date Posted
June 2010
Summary
RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors.
Product Status
Attachmate Verastream products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1633.

Alert
US-CERT Technical Cyber Security Alert TA09-209A
Date Posted
28-July-2009
Summary
Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable.
Product Status
Verastream Transaction Integrator (VTI) version 4.0 includes the vulnerable Microsoft ATL redistribution. However, as VTI does not use ATL in an ActiveX control, nor is it scriptable, the risk is significantly lessened. To remove the possibility of third-party controls or scripts using the vulnerable ATL, incorporation of the non-vulnerable ATL is planned for the next release of VTI.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html.

Alert
iDefense Advisory 11.15.05
Date Posted
January 2007
Product Status
For information on this security vulnerability in Verastream Integration Broker version 9.9 or earlier, see Technical Note 10070.

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Related Technical Notes
1890 Reporting a Potential Security Vulnerability to Attachmate
2200 Security and Your Operating Environment
2400 Attachmate Products with FIPS 140-2 Validated Crypto Modules
10030 Supported Platforms and Systems Requirements for Verastream Host Integrator
10070 Verastream Integration Broker Security Vulnerability (iDefense Advisory 11.15.05)
10151 Security Overview for Verastream Host Integrator 7.x
