Security Updates and FileXpress
Technical Note 2701
Last Reviewed 29-Aug-2014
Applies To
FileXpress Command Center version 7.1.1 or higher
FileXpress Internet Server version 7.1.1 or higher
FileXpress Platform Server version 7.0 or higher
FileXpress Platform Server Agent version 7.1
FileXpress FileShot (TIBCO Slingshot) version 1.8 or higher
Summary

This technical note describes security issues related to the FileXpress products listed in the Applies To section. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.

Other Useful Resources

Java and FileXpress

FileXpress products do not install Java; however, some FileXpress products may require that Java be installed for FileXpress to work. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment. For more information about Java and FileXpress, see Technical Note 2600.

Security Alerts and Advisories

The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.

IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see Technical Note 2200.

Alert
Apache Struts Vulnerability CVE-2014-0114
Date Posted
August 2014
Summary
A vulnerability in Apache Struts 1.x through 1.3.10 allows remote attackers to manipulate the ClassLoader and execute code via the class parameter.
Product Status
FileXpress Internet Server and Command Center: This issue is addressed beginning in version 7.2.3.
FileXpress FileShot (TIBCO Slingshot): This issue is addressed beginning in version 1.9.2.
We recommend that you upgrade FileXpress Internet Server, Command Center and FileShot to the latest versions. Maintained customers can download the latest versions from the Attachmate Downloads site.

Additional Information
For details and the latest information, see the following:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114
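The hardening applied against this class of issue is a front-end filter that refuses any request parameter whose property path addresses a "class" segment before a parameter-binding framework can walk it. The following is an added illustration of such a deny-list, not code from this technical note or from the FileXpress products; the tokenizer, the function names and the sample query string are constructed for the example.

```python
import re
from urllib.parse import parse_qsl

# Split a bean-property path on dots, brackets and quotes, so that
# "class.classLoader.x", "user['class'].name" and "Class[0]" all expose a
# bare "class" segment. (Tokenizer constructed for this example.)
_SEGMENT_SPLIT = re.compile(r"[.\[\]'\"]+")

def is_blocked_param(name: str) -> bool:
    """Return True when the parameter name addresses a 'class' property.

    The comparison is on whole path segments and case-insensitive, so
    legitimate names such as 'className' or 'classification' pass.
    """
    segments = [s for s in _SEGMENT_SPLIT.split(name) if s]
    return any(seg.lower() == "class" for seg in segments)

def filter_request_params(query_string: str):
    """Parse a query string and separate accepted parameters from rejected names.

    Returns (accepted: dict, rejected: list). A hardened front-end normally
    rejects the whole request when `rejected` is non-empty rather than
    silently dropping the offending parameters; the caller decides here.
    """
    accepted, rejected = {}, []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if is_blocked_param(name):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected

if __name__ == "__main__":
    # Constructed sample: ordinary form fields plus two names that a
    # parameter-binding framework would resolve against the bean's class.
    sample = ("username=alice&className=Report&classification=internal"
              "&class.classLoader.x=1&user%5B%27class%27%5D.name=y")
    ok, bad = filter_request_params(sample)
    print("accepted:", sorted(ok))
    print("rejected:", bad)
```

Segment-level matching is the design choice worth noting: a substring check on "class" would either reject harmless field names or, if tightened to "class.", miss the bracketed spelling of the same property path.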

Alert
Multiple Apache Tomcat Vulnerabilities
Summary
Multiple Apache Tomcat issues have been addressed in the latest Apache Tomcat release. We recommend that you upgrade FileXpress Internet Server, FileXpress Command Center, and FileXpress FileShot to the latest versions. Maintained customers can download the latest versions from the Attachmate Downloads site.
Date Posted and Version Affected
August 2014 – FileXpress Internet Server and FileXpress Command Center 7.2.3 installs Apache Tomcat 7.0.54. FileXpress FileShot (TIBCO Slingshot) 1.9.2 installs Apache Tomcat 7.0.54.
Date Posted and Version Affected
May 2014 – FileXpress Internet Server and FileXpress Command Center 7.2 Service Pack 2 (7.2.2) installs Apache Tomcat 7.0.52. FileXpress FileShot 1.9 Service Pack 1 (1.9.1) installs Apache Tomcat 7.0.52.
Date Posted and Version Affected
November 2013 – FileXpress Internet Server and FileXpress Command Center 7.2 Service Pack 1 (7.2.1) installs Apache Tomcat 7.0.40.
Date Posted and Version Affected
July 2013 – FileXpress Internet Server and FileXpress Command Center 7.2 Hotfix FX01919 installs Apache Tomcat 7.0.40, which addresses several potential security vulnerabilities in FileXpress Internet Server and Command Center 7.2. Upgrade to Hotfix FX01919, available from Attachmate Downloads.
Additional Information
The Apache Software Foundation lists the security vulnerabilities addressed by Apache Tomcat 7 updates; see the mapping at http://tomcat.apache.org/security-7.html.

Alert
Vulnerability CVE-2014-2545
Date Posted
May 2014
Summary
A vulnerability in FileXpress Internet Server, Command Center and FileShot allows remote attackers to obtain sensitive information via a crafted HTTP request.
Product Status
Beginning in 7.2 Service Pack 2 (7.2.2), FileXpress Internet Server and Command Center are not affected by this issue. Beginning in 1.9 Service Pack 1 (1.9.1), FileXpress FileShot is not affected by this issue. We recommend that you upgrade FileXpress Internet Server, FileXpress Command Center, and FileXpress FileShot to the latest versions.
Additional Information
For details and the latest information, see the following:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2545

Alert
Multiple Apache Struts Vulnerabilities
Summary
Multiple Apache Struts issues have been addressed in a newer Apache Struts release. We recommend that you upgrade FileXpress Internet Server, FileXpress Command Center and FileXpress FileShot to the latest versions.
Date Posted and Version Affected
May 2014 – FileXpress Internet Server and FileXpress Command Center 7.2 Service Pack 2 (7.2.2) installs Apache Struts 1.3.10. FileXpress FileShot 1.9 Service Pack 1 (1.9.1) installs Apache Struts 1.3.10.
Additional Information
For details, see the following:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2025
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1548
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1547
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1546

Alert
OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted
April 2014
Summary
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status
FileXpress products are not affected by this issue.
Additional Information
For details and the latest information on mitigations, see the following:
US-CERT Technical Alert:
https://www.us-cert.gov/ncas/alerts/TA14-098A
CERT-CC Vulnerability Note VU#720951:
http://www.kb.cert.org/vuls/id/720951
National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Alert
Multiple OpenSSL Vulnerabilities
Date Posted
May 2013
Summary
Multiple OpenSSL issues have been addressed in OpenSSL 0.9.8y.
Product Status
FileXpress Platform Server for Windows 7.1 Hotfix CW01906 installs OpenSSL version 0.9.8y-fips, which addresses several potential security vulnerabilities in FileXpress Platform Server for Windows. To obtain the hotfix, contact Attachmate Technical Support: http://support.attachmate.com/contact/.
Additional Information
OpenSSL lists the security vulnerabilities addressed by OpenSSL updates; see the mapping at http://www.openssl.org/news/vulnerabilities.html.

Alert
Vulnerability CVE-2013-0422
Date Posted
January 2013
Summary
Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected.

According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.

Product Status
FileXpress products are not subject to this vulnerability; however, the Internet Server Transfer Client and the FileShot (Slingshot) Java-mode Web Client require a Java plug-in. It is this JRE plug-in and Java Web Start that can be exploited, not the Transfer Client or the Web Client. You can choose to use the non-Java mode Slingshot Web Client, which is the default. To enable use of the Transfer Client or the Java-mode Web Client while minimizing the risk described in this vulnerability, refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.

Alert
Vulnerability CVE-2011-3424
Date Posted
October 2011
Summary
A session fixation vulnerability exists in Internet Server version 7.1.0 and earlier, Command Center version 7.1.0 and earlier, and FileShot (TIBCO Slingshot) version 1.8.0 and earlier. This vulnerability could allow a remote attacker to hijack a valid user's session and possibly launch further attacks on the system.
Product Status
Beginning in version 7.1.1, FileXpress Internet Server and Command Center are not affected by this issue. Beginning in version 1.8.1, FileXpress FileShot (TIBCO Slingshot) is not affected by this issue. (FileXpress Platform Servers are not affected by this issue.)
Additional Information
For details see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3424.
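The session fixation class of flaw named above comes down to one property of a login handler: whether the session identifier that existed before authentication survives it. The following is an added example, not code from this technical note or from the FileXpress products, contrasting a fixation-prone login with one that rotates the session identifier at the privilege change. The in-memory store, the user table and the function names are constructed for the example.

```python
import secrets

class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self):
        self._sessions = {}  # session id -> attribute dict

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)   # unpredictable id from the CSPRNG
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid) -> None:
        self._sessions.pop(sid, None)

# Constructed demo credential; a real application verifies a password hash.
USERS = {"alice": "correct horse battery staple"}

def login_fixation_prone(store, presented_sid, username, password):
    """Authenticate into whatever session id the client presented.

    This is the fixation-prone pattern: an id that was known before login
    stays valid and simply becomes authenticated.
    """
    if presented_sid is None or store.get(presented_sid) is None:
        presented_sid = store.create()
    if USERS.get(username) != password:
        return presented_sid, False
    store.get(presented_sid)["user"] = username
    return presented_sid, True

def login_hardened(store, presented_sid, username, password):
    """Rotate the session id at the privilege change: the pre-login id is
    invalidated and a fresh id carries the authenticated state."""
    if USERS.get(username) != password:
        return presented_sid, False      # failed login: nothing changes
    if presented_sid is not None:
        store.invalidate(presented_sid)
    new_sid = store.create()
    store.get(new_sid)["user"] = username
    return new_sid, True

def session_user(store, sid):
    """Return the user bound to `sid`, or None if unknown or anonymous."""
    session = store.get(sid)
    return None if session is None else session.get("user")

def run_demo():
    """Show that only the hardened login leaves the pre-login id unusable.

    Returns (user seen via the old id after prone login,
             user seen via the old id after hardened login,
             whether the hardened login issued a new id).
    """
    store = SessionStore()
    pre_login_sid = store.create()       # id issued before authentication
    login_fixation_prone(store, pre_login_sid, "alice", USERS["alice"])
    prone_result = session_user(store, pre_login_sid)      # "alice"

    store = SessionStore()
    pre_login_sid = store.create()
    new_sid, _ = login_hardened(store, pre_login_sid, "alice", USERS["alice"])
    hardened_result = session_user(store, pre_login_sid)   # None
    return prone_result, hardened_result, new_sid != pre_login_sid

if __name__ == "__main__":
    print(run_demo())   # ('alice', None, True)
```

The check a reviewer applies to any login path is the one `run_demo` encodes: after a successful login, the identifier the client arrived with must no longer resolve to a session.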

Alert
Vulnerability CVE-2011-3423
Date Posted
October 2011
Summary
A cross-site scripting (XSS) vulnerability exists in Internet Server version 7.1.0 and earlier, Command Center version 7.1.0 and earlier, and FileShot (TIBCO Slingshot) version 1.8.0 and earlier. This vulnerability could be exploited by allowing a remote attacker to inject arbitrary web script or HTML within the site security context.
Product Status
Beginning in version 7.1.1, FileXpress Internet Server and Command Center are not affected by this issue. Beginning in version 1.8.1, FileXpress FileShot (TIBCO Slingshot) is not affected by this issue. (FileXpress Platform Servers are not affected by this issue.)
Additional Information
For details see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3423.

Alert
Vulnerability CVE-2010-4172
Date Posted
July 2011
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.
Product Status
Beginning in 7.1, FileXpress Internet Server and Command Center are not affected by this issue. (FileXpress Platform Servers are not affected by this issue.)
Additional Information
For details see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4172.

Alert
Vulnerability CVE-2011-0013
Date Posted
July 2011
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Software Foundation Tomcat 7.0 before 7.0.6, 5.5 before 5.5.32, and 6.0 before 6.0.30 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Product Status
Beginning in 7.1, FileXpress Internet Server and Command Center are not affected by this issue. (FileXpress Platform Servers are not affected by this issue.)
Additional Information
For details see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0013.

Alert
Floating Point Number Vulnerability CVE-2010-4476
Date Posted
June 2011 (modified July 2011)
Summary
Oracle Security Alert: "This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products. This vulnerability allows unauthenticated network attacks (that is, it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability."
Product Status
FileXpress Internet Server, FileXpress Command Center, and FileXpress FileShot are affected by this vulnerability. To resolve the issue, you must update the JDK to 1.6U24 or higher. If you use the Internet Transfer Thin Client or any Command Line Clients, ensure that the JRE used is 1.6U24 or higher.
Additional Information
For details see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html, and the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4476.
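Both this alert and the CVE-2013-0422 alert above resolve to a version threshold on the installed JRE: 1.6U24 or higher for CVE-2010-4476, and newer than Java 7 Update 10 for CVE-2013-0422 (Java 6 is not affected by the latter, per Oracle). The following added example, not code from this technical note or from Attachmate, parses the `1.x.y_NN` version form those releases use, whether given bare or inside a `java -version` banner, and reports exposure against the two thresholds stated in this note. Function names and the sample banners are constructed for the example.

```python
import re

# Version tuple = (major, minor, micro, update) in the 1.x.y_NN form used by
# the Java 6 and Java 7 releases this technical note refers to.
_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_java_version(text: str):
    """Extract (major, minor, micro, update) from a bare version string or from
    the banner printed by `java -version`, e.g. 'java version "1.6.0_24"'.
    A missing update number is treated as update 0. Raises ValueError when no
    1.x.y[_NN] version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Java version found in: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))

def jre_status(text: str) -> dict:
    """Report exposure to the two Java issues in this note for one JRE.

    Thresholds are the ones the note states: CVE-2010-4476 requires 1.6U24 or
    higher; CVE-2013-0422 affects Java 7 Update 10 or earlier, not Java 6.
    """
    v = parse_java_version(text)
    major, minor, _, update = v
    is_java7 = (major, minor) == (1, 7)
    return {
        "version": v,
        "cve_2010_4476_affected": v < (1, 6, 0, 24),
        "cve_2013_0422_affected": is_java7 and update <= 10,
    }

def needs_update(text: str) -> bool:
    """True when the JRE is exposed to either issue."""
    s = jre_status(text)
    return s["cve_2010_4476_affected"] or s["cve_2013_0422_affected"]

if __name__ == "__main__":
    # Constructed sample banners in the form `java -version` prints to stderr.
    for banner in ['java version "1.6.0_20"', 'java version "1.6.0_24"',
                   'java version "1.7.0_10"', 'java version "1.7.0_11"']:
        print(banner, "->", jre_status(banner))
```

For CVE-2013-0422 the exposure is through the browser plug-in and Java Web Start rather than server-side Java, as the alert above notes, so the check is most useful against the JRE on client workstations that use the Transfer Client or Java-mode Web Client.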

Alert
Vulnerability CVE-2010-4252
Date Posted
June 2011
Summary
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Product Status
FileXpress products, and specifically FileXpress Platform Servers, are not affected by this OpenSSL issue. Platform Server does not use J-PAKE. J-PAKE is not compiled into OpenSSL by default.
Additional Information
For details see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4252.

Alert
Vulnerability CVE-2010-4180
Date Posted
June 2011
Summary
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Product Status
FileXpress products, and specifically FileXpress Platform Servers, are not subject to this vulnerability. Platform Server does not enable the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag.
Additional Information
For details see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4180.

Alert
OpenSSL TLS Buffer Overflow Vulnerability CVE-2010-3864
Date Posted
February 2011
Summary
Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.
Product Status
FileXpress products, and specifically Platform Server (which does include OpenSSL code), are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3864.

Alert
FTP Client Directory Traversal Vulnerability CVE-2010-3096
Date Posted
December 2010
Summary
A directory traversal vulnerability has been reported in numerous FTP clients that allows a remote FTP server to write arbitrary files on the client system via "..\" (dot dot backslash) sequences in a filename.
Product Status
FileXpress products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3096.
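The client-side check that closes this class of flaw is to treat a server-supplied file name as untrusted input and confine the resulting write to the download directory. The following added example, not code from this technical note or from the FileXpress products, shows such a check; it splits on both separator families, since a Windows client honours "\" as well as "/" and a check that only knows the host's own separator misses "..\" on a non-Windows host. Function names and the sample names are constructed for the example.

```python
import os
import re

# A name received from a remote server may use either separator family.
_SEPARATORS = re.compile(r"[\\/]+")
_DRIVE_PREFIX = re.compile(r"[A-Za-z]:.*")

def safe_destination(download_dir: str, server_supplied_name: str) -> str:
    """Map a server-supplied file name onto a path inside `download_dir`.

    Rejects empty and absolute names, drive-letter components and any '..'
    component, then re-checks the resolved path against the download
    directory. Raises ValueError for a rejected name.
    """
    if not server_supplied_name or server_supplied_name[0] in "/\\":
        raise ValueError(f"empty or absolute name rejected: {server_supplied_name!r}")
    parts = [p for p in _SEPARATORS.split(server_supplied_name) if p not in ("", ".")]
    if not parts:
        raise ValueError(f"name has no usable component: {server_supplied_name!r}")
    for part in parts:
        if part == ".." or _DRIVE_PREFIX.fullmatch(part):
            raise ValueError(f"traversal or drive component rejected: {server_supplied_name!r}")
    root = os.path.normpath(os.path.abspath(download_dir))
    dest = os.path.normpath(os.path.join(root, *parts))
    # Belt-and-braces: the resolved path must still sit under the root.
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"resolved path escapes download directory: {dest!r}")
    return dest

def is_safe_name(download_dir: str, server_supplied_name: str) -> bool:
    """Boolean form of the same check, for use in a listing filter."""
    try:
        safe_destination(download_dir, server_supplied_name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample names as a server might return them in a listing.
    for name in ["report.txt", "sub/report.txt", r"..\..\evil.dll",
                 "sub/../../x", "/etc/passwd", r"C:\boot.ini"]:
        print(f"{name!r:24} -> {is_safe_name('/tmp/dl', name)}")
```

Splitting before joining is the important step: on a POSIX host `os.path` does not recognise "\" as a separator, so a name such as `..\..\evil.dll` would be written as a single oddly named file by a naive client, while the same name on a Windows client walks out of the directory.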

Alert
US-CERT Technical Cyber Security Alert TA10-238A
Date Posted
November 2010
Summary
Due to the way Microsoft Windows loads dynamically linked libraries (DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code.
Product Status
FileXpress products are not subject to this vulnerability.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-238A.html.

Alert
Vulnerability Advisory CPNI-957037
Date Posted
November 2010
Summary
A design flaw in the SSH protocol's use of block ciphers in cipher block chaining (CBC) mode could allow an attacker to recover up to four bytes of plaintext. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low, and an attempt results in terminating the user's SSH connection.
Product Status
Beginning in version 7.0, FileXpress Internet Server has added Counter Mode (CTR) cipher support. For more information about how this vulnerability affects Attachmate products, see Technical Note 2398. FileXpress Command Center and Platform Servers are not subject to this vulnerability.
Additional Information
For details, see the US-CERT web site at http://www.kb.cert.org/vuls/id/958563.

Alert
Multiple Java JVM Vulnerabilities
Date Posted
November 2010
Summary
Multiple Oracle Java JVM vulnerabilities are described in the following: US-CERT VU#466161; CVE-2009-3881, CVE-2009-3886; CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, and CVE-2010-0840.
Product Status
Beginning in version 7.0, FileXpress Internet Server provides JRE 1.6U20 (a non-vulnerable version) if a user does not have a JRE currently installed.
Additional Information
For details, search the appropriate database:
For VU information,
http://www.kb.cert.org/vuls/html/search
For CVE information,
http://cve.mitre.org/find/index.html

Alert
US-CERT Technical Cyber Security Alert TA09-209A
Date Posted
July 2009 (modified November 2010)
Summary
Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable.
Product Status
While FileXpress products do not contain ActiveX controls or COM components, they do contain the ATL; however, beginning in FileXpress Platform Server for Windows 6.5.1 and FileXpress Internet Server 7.0 and Command Center 7.0, the products contain a non-vulnerable version of the ATL.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html.

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Related Technical Notes
1890 Reporting a Potential Security Vulnerability to Attachmate
2200 Security and Your Operating Environment
2398 Attachmate Security Update for CSIRTUK Vulnerability #CPNI-957: Plaintext Recovery Attack Against SSH
2600 Java and Attachmate Products
9968 Technical Notes for FileXpress
