Security Updates and FileXpress
Technical Note 2701
Last Reviewed 20-Apr-2016
Applies To
FileXpress Gateway version 1.0 or higher
Summary

This technical note describes security issues related to the FileXpress products listed in the Applies To section. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.

Other Useful Resources

Java and FileXpress

Some FileXpress products use Java, and you may need to update the installed version of Java used by these products to get the latest Java security updates. For more information about Java and FileXpress, see http://support.attachmate.com/techdocs/2600.html#FileXpress.

Security Alerts and Advisories

The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is not exhaustive; it does not attempt to address all security issues that may affect your system.

IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see Technical Note 2200.

Alert
RSA BSAFE Crypto-J JSAFE and JCE Module
Date Posted
April 2016
Summary
FIPS validation issues have been addressed in a hotfix. RSA BSAFE Crypto-J JSAFE and JCE software module version 6.2.1 has been validated by the National Institute of Standards and Technology (NIST).
Product Status
FileXpress Gateway: This issue has been resolved beginning in version 1.0 build 369. Contact Technical Support to obtain a hotfix.
Additional Information
For details, see Technical Note 2400.

Alert
glibc Stack-based Buffer Overflow Vulnerability (CVE-2015-7547)
Date Posted
March 2016
Summary
The glibc DNS client-side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() function is used.
Product Status
For information on how to update your Red Hat system, see https://access.redhat.com/security/cve/cve-2015-7547.

For information on how to update your SUSE system, see
https://www.suse.com/support/update/announcement/2016/suse-su-20160471-1.html.
Additional Information
For vulnerability details, see:
https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

Alert
Bouncy Castle Invalid Curve Attack Vulnerability (CVE-2015-7940)
Date Posted
December 2015
Summary
The Bouncy Castle Java library before 1.51 does not validate that a received point lies on the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie-Hellman (ECDH) key exchanges.
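The missing check behind CVE-2015-7940 is public-key validation: before an ECDH peer multiplies the other side's point by its private scalar, it must confirm the point is actually on the agreed curve. The following is an added example, not code from Bouncy Castle or from FileXpress, showing that validation in Python for NIST P-256 (whose parameters are the published FIPS 186-4 values) together with a small constructed toy curve over GF(97) used only to make the arithmetic easy to follow. The SEC1 decoder rejects a malformed or off-curve point before any key-exchange computation takes place.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity


@dataclass(frozen=True)
class Curve:
    """Short-Weierstrass curve y^2 = x^3 + a*x + b over GF(p)."""
    name: str
    p: int
    a: int
    b: int


# Constructed toy curve y^2 = x^3 + 2x + 3 over GF(97); (3, 6) lies on it.
TOY = Curve("toy97", p=97, a=2, b=3)

# NIST P-256 domain parameters (FIPS 186-4). Its cofactor is 1, so an
# on-curve, in-range point is automatically in the prime-order subgroup.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256 = Curve(
    "P-256",
    p=P256_P,
    a=P256_P - 3,
    b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
)
P256_G = (
    0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
)


def validate_public_point(curve: Curve, point: Point) -> bool:
    """Public-key validation for a prime-order (cofactor 1) curve.

    Rejects the point at infinity, coordinates outside [0, p), and any
    point that does not satisfy the curve equation. An ECDH peer must run
    this on the received public value before using its private scalar.
    """
    if point is None:
        return False
    x, y = point
    if not (0 <= x < curve.p and 0 <= y < curve.p):
        return False
    lhs = (y * y) % curve.p
    rhs = (x * x * x + curve.a * x + curve.b) % curve.p
    return lhs == rhs


def coordinate_size(curve: Curve) -> int:
    """Byte length of one coordinate in SEC1 encoding."""
    return (curve.p.bit_length() + 7) // 8


def encode_uncompressed(curve: Curve, point: Tuple[int, int]) -> bytes:
    """SEC1 uncompressed encoding: 0x04 || X || Y."""
    size = coordinate_size(curve)
    x, y = point
    return b"\x04" + x.to_bytes(size, "big") + y.to_bytes(size, "big")


def decode_uncompressed(curve: Curve, data: bytes) -> Tuple[int, int]:
    """Parse a SEC1 uncompressed point and validate it.

    Raises ValueError on malformed input or an off-curve point, so a
    crafted key-exchange value is refused before any ECDH computation.
    """
    size = coordinate_size(curve)
    if len(data) != 1 + 2 * size or data[0] != 0x04:
        raise ValueError("malformed uncompressed point encoding")
    x = int.from_bytes(data[1:1 + size], "big")
    y = int.from_bytes(data[1 + size:], "big")
    point = (x, y)
    if not validate_public_point(curve, point):
        raise ValueError(f"public point is not on {curve.name}")
    return point


if __name__ == "__main__":
    print(validate_public_point(TOY, (3, 6)))    # True
    print(validate_public_point(TOY, (3, 7)))    # False: off the curve
    print(validate_public_point(P256, P256_G))   # True: the base point
    print(decode_uncompressed(P256, encode_uncompressed(P256, P256_G)) == P256_G)
```

Curves with cofactor greater than 1 additionally need a subgroup-membership check (multiplying by the group order and expecting infinity); for P-256 the on-curve and range tests above are the complete validation.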
Product Status
Disable Bouncy Castle as the elliptic curve encryption provider as follows:
1. Make sure you are running Oracle Java Server JRE or JDK version 1.7 or 1.8.
2. Edit the JAVA_HOME/jre/lib/security/java.security file.
3. Verify that the “sun.security.ec.SunEC” provider is defined.
security.provider.<n>=sun.security.ec.SunEC
4. Move the following entry (provider 3) to the end of the provider list:
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
5. Renumber the security.provider entries and save the java.security file.
6. Restart the FileXpress server.
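Steps 2 through 5 above are easy to get wrong by hand on a file with a dozen provider entries (a gap or duplicate in the numbering silently disables every provider after it). The following is an added example, not a FileXpress or Attachmate tool, that performs the same edit programmatically: it confirms that sun.security.ec.SunEC is configured, moves the Bouncy Castle entry to the last slot, and renumbers the rest while leaving comments and other keys untouched. The java.security excerpt is constructed for the example; the provider class names are the standard Oracle JRE and Bouncy Castle ones.

```python
import re
from typing import List

PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)\s*$")
BC_PROVIDER = "org.bouncycastle.jce.provider.BouncyCastleProvider"
SUNEC_PROVIDER = "sun.security.ec.SunEC"

# Constructed excerpt of a java.security file with Bouncy Castle at slot 3.
SAMPLE_JAVA_SECURITY = """\
# List of providers and their preference orders (see above):
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=sun.security.ec.SunEC
security.provider.5=com.sun.net.ssl.internal.ssl.Provider
"""


def provider_order(text: str) -> List[str]:
    """Return provider class names in preference (numeric) order."""
    found = []
    for line in text.splitlines():
        m = PROVIDER_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2)))
    return [cls for _, cls in sorted(found)]


def demote_provider(text: str, provider: str = BC_PROVIDER,
                    required: str = SUNEC_PROVIDER) -> str:
    """Move `provider` to the last security.provider slot and renumber.

    Refuses to act unless `required` (SunEC by default) is configured,
    since otherwise no provider would remain to serve elliptic-curve
    requests. Non-provider lines (comments, other keys) are untouched.
    """
    lines = text.splitlines()
    entries = []  # (preference number, line index, class name)
    for idx, line in enumerate(lines):
        m = PROVIDER_RE.match(line)
        if m:
            entries.append((int(m.group(1)), idx, m.group(2)))
    entries.sort()
    classes = [cls for _, _, cls in entries]
    if required not in classes:
        raise ValueError(f"{required} is not configured; add it before demoting {provider}")
    if provider not in classes:
        raise ValueError(f"{provider} is not configured")
    # Keep every other provider in its existing relative order; the demoted one goes last.
    new_order = [cls for cls in classes if cls != provider] + [provider]
    for (_, idx, _), (n, cls) in zip(entries, enumerate(new_order, start=1)):
        lines[idx] = f"security.provider.{n}={cls}"
    result = "\n".join(lines)
    return result + "\n" if text.endswith("\n") else result


if __name__ == "__main__":
    print(demote_provider(SAMPLE_JAVA_SECURITY))
```

Run it against a copy of JAVA_HOME/jre/lib/security/java.security, diff the output against the original, and only then replace the file and restart the server; the `provider_order` helper doubles as a post-change check that the numbering is gap-free and SunEC precedes Bouncy Castle.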

Additional Information
For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7940

Alert
Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000)
Date Posted
June 2015 (Updated)
Summary
With TLS protocol 1.2, if DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. Additionally, with any TLS or SSH connection that uses weaker DH Groups (1024 bits or less) for key exchange, an attacker can passively eavesdrop and decrypt sessions. 
Product Status
FileXpress Gateway 1.0 is subject to this vulnerability. This issue is addressed beginning in FileXpress Gateway 1.0 hotfix build 368. Maintained customers can download the latest hotfix from the Attachmate Downloads site.

In new product installations, DH Group1 Key Exchanges are disabled by default. After upgrading an existing installation, disable Group1 Exchanges as follows:
1. Open the FileXpress Secure Shell Proxy Console from the Start menu.
2. Click Configuration > Encryption > Key Exchange and click the Restore pane defaults link.
3. Click Yes to reset then File > Save Settings.

Additional Information
For vulnerability details, see
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000

Alert
Multiple OpenSSL Vulnerabilities
Summary
Multiple OpenSSL issues have been addressed in the latest OpenSSL version.
Date Posted and Version Affected
October 2014 – FileXpress Gateway 1.0 contains the latest OpenSSL Cryptographic Module that includes OpenSSL release 1.0.1i.
Additional Information
For vulnerability details, see:
https://www.openssl.org/news/secadv_20150319.txt
https://www.openssl.org/news/secadv_20140806.txt

Alert
Multiple Oracle JRE Vulnerabilities
Summary
Multiple Oracle JRE issues have been addressed in the latest Oracle Java update.
Date Posted and Version Affected
January 2015 – Beginning in FileXpress Gateway 1.0 Hotfix 1 (version 1.0.0.360), JRE version 7 Update 75 is installed.
Additional Information
Oracle lists the security vulnerabilities addressed by Oracle advisories (updates); see the mapping at http://www.oracle.com/technetwork/topics/security/public-vuln-to-advisory-mapping-093627.html.

Alert
RSA BSAFE SSL-J Vulnerability CVE-2014-4630
Date Posted
January 2015
Summary
EMC RSA BSAFE SSL-J before 6.1.4 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."
Product Status
FileXpress Gateway 1.0 (version 1.0.0.336) is not vulnerable to this attack but does contain the vulnerable module. Beginning in FileXpress Gateway 1.0 Hotfix 1 (version 1.0.0.360), the module has been updated with RSA BSAFE SSL-J 6.1.4.
We recommend that you upgrade FileXpress Gateway to the latest hotfix. Maintained customers can download the latest hotfix from the Attachmate Downloads site.

Additional Information
For details and the latest information, see
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4630.

Alert
OpenSSL "Heartbleed" Vulnerability CVE-2014-0160
Date Posted
April 2014
Summary
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status
FileXpress products are not affected by this issue.
Additional Information
For details and the latest information on mitigations, see the following:
US-CERT Technical Alert:
https://www.us-cert.gov/ncas/alerts/TA14-098A
CERT-CC Vulnerability Note VU#720951:
http://www.kb.cert.org/vuls/id/720951
National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160.

Alert
Vulnerability CVE-2013-0422
Date Posted
January 2013
Summary
Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected.

According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.

Product Status
FileXpress products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.

Alert
Vulnerability CVE-2010-4252
Date Posted
June 2011
Summary
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Product Status
FileXpress products are not affected by this OpenSSL issue.
Additional Information
For details see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4252.

Alert
Vulnerability CVE-2010-4180
Date Posted
June 2011
Summary
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Product Status
FileXpress products are not subject to this vulnerability.
Additional Information
For details see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4180.

Alert
OpenSSL TLS Buffer Overflow Vulnerability CVE-2010-3864
Date Posted
February 2011
Summary
Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.
Product Status
FileXpress products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3864.

Alert
FTP Client Directory Traversal Vulnerability CVE-2010-3096
Date Posted
December 2010
Summary
Numerous FTP clients have reported a directory traversal vulnerability that allows remote FTP servers to write arbitrary files via "..\" (dot dot backslash) sequences in a filename.
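The defensive rule for this class of bug is that a client never trusts a server-supplied name as a path: it should accept a single plain filename component and refuse anything containing a separator, a traversal component, or a drive prefix. The following is an added example, not FileXpress code, of such a validator in Python; it checks both "/" and "\" separators because a client running on one platform can receive names crafted for the other. The names passed to it below are constructed for the example.

```python
import ntpath
import os
import posixpath


def is_safe_filename(name: str) -> bool:
    """Accept only a single, plain filename component from an untrusted listing.

    Rejects empty names, embedded NULs, either style of path separator,
    the "." and ".." components, and Windows drive prefixes such as "C:".
    """
    if not name or "\x00" in name:
        return False
    if "/" in name or "\\" in name:
        return False
    if name in (".", ".."):
        return False
    if posixpath.isabs(name) or ntpath.isabs(name):
        return False
    drive, _ = ntpath.splitdrive(name)
    if drive:
        return False
    return True


def safe_download_path(download_dir: str, server_name: str) -> str:
    """Map a server-supplied name into download_dir or raise ValueError.

    The final containment check guards against any case the name filter
    missed: the joined, normalised path must still sit inside download_dir.
    """
    if not is_safe_filename(server_name):
        raise ValueError(f"refusing unsafe filename from server: {server_name!r}")
    base = os.path.normpath(os.path.abspath(download_dir))
    target = os.path.normpath(os.path.join(base, server_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes download directory: {server_name!r}")
    return target


if __name__ == "__main__":
    # Constructed sample names as a hostile server might return them.
    for name in ["report.txt", "..\\..\\Windows\\evil.dll", "../etc/passwd", "C:evil.exe", "."]:
        try:
            print(name, "->", safe_download_path("downloads", name))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```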
Product Status
FileXpress products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3096.

Alert
US-CERT Technical Cyber Security Alert TA10-238A
Date Posted
November 2010
Summary
Due to the way Microsoft Windows loads dynamically linked libraries (DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code.
Product Status
FileXpress products are not subject to this vulnerability.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-238A.html.

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Related Technical Notes
1890 Reporting a Potential Security Vulnerability to Attachmate
2200 Security and Your Operating Environment
2398 Attachmate Security Update for CSIRTUK Vulnerability #CPNI-957: Plaintext Recovery Attack Against SSH
2600 Java and Attachmate Products
