Security Updates and FileXpress
Technical Note 2701
Last Reviewed 29-Jan-2013
Applies To
FileXpress Command Center version 7.0 or higher
FileXpress Internet Server version 7.0 or higher
FileXpress Platform Server version 7.0 or higher
FileXpress Platform Server Agent version 7.1
FileXpress FileShot (TIBCO Slingshot) version 1.8 or higher
Summary
This technical note describes security issues related to the FileXpress products listed in the Applies To section. If you rely on the security features of these products, you should consult this technical note on a regular basis for any updated information regarding these features.
Other Useful Resources
Java and FileXpress
FileXpress products do not install Java; however, some FileXpress products may require that Java be installed for FileXpress to work. It is therefore important for you to stay current with Java as Oracle releases updates that may affect your environment. For more information about Java and FileXpress, see Technical Note 2600.
Security Alerts and Advisories
The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.
Note: This information is non-inclusive; it does not attempt to address all security issues that may affect your system.
IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see Technical Note 2200.
Alert: Vulnerability CVE-2013-0422
Date Posted: January 2013
Summary: Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited "in the wild" and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected.
According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user's system. These vulnerabilities are not applicable to Java running on servers or within applications.
Product Status: FileXpress products are not subject to this vulnerability; however, the Internet Server Transfer Client and the FileShot (Slingshot) Java-mode Web Client require a Java plug-in. It is this JRE plug-in and Java Web Start that can be exploited, not the Transfer Client or the Web Client. You can choose to use the non-Java mode Slingshot Web Client, which is the default. To enable use of the Transfer Client or the Java-mode Web Client and minimize the risk described in this vulnerability, refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability.
Additional Information: For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle's site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.

Alert: Vulnerability CVE-2011-3424
Date Posted: October 2011
Summary: A session fixation vulnerability exists in Internet Server version 7.1.0 and earlier, Command Center version 7.1.0 and earlier, and FileShot (TIBCO Slingshot) version 1.8.0 and earlier. This vulnerability could allow a remote attacker to hijack a valid user's session and possibly launch further attacks on the system.
Product Status: Beginning in version 7.1.1, FileXpress Internet Server and Command Center are not affected by this issue. Beginning in version 1.8.1, FileXpress FileShot (TIBCO Slingshot) is not affected by this issue. (FileXpress Platform Servers are not affected by this issue.)
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3424.

Alert: Vulnerability CVE-2011-3423
Date Posted: October 2011
Summary: A cross-site scripting (XSS) vulnerability exists in Internet Server version 7.1.0 and earlier, Command Center version 7.1.0 and earlier, and FileShot (TIBCO Slingshot) version 1.8.0 and earlier. This vulnerability could allow a remote attacker to inject arbitrary web script or HTML within the site's security context.
Product Status: Beginning in version 7.1.1, FileXpress Internet Server and Command Center are not affected by this issue. Beginning in version 1.8.1, FileXpress FileShot (TIBCO Slingshot) is not affected by this issue. (FileXpress Platform Servers are not affected by this issue.)
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3423.

Alert: Vulnerability CVE-2010-4172
Date Posted: July 2011
Summary: Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) orderBy or (2) sort parameter to sessionsList.jsp, or unspecified input to (3) sessionDetail.jsp or (4) java/org/apache/catalina/manager/JspHelper.java, related to use of untrusted web applications.
Product Status: Beginning in 7.1, FileXpress Internet Server and Command Center are not affected by this issue. (FileXpress Platform Servers are not affected by this issue.)
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4172.

Alert: Vulnerability CVE-2011-0013
Date Posted: July 2011
Summary: Multiple cross-site scripting (XSS) vulnerabilities in the HTML Manager Interface in Apache Software Foundation Tomcat 7.0 before 7.0.6, 5.5 before 5.5.32, and 6.0 before 6.0.30 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the display-name tag.
Product Status: Beginning in 7.1, FileXpress Internet Server and Command Center are not affected by this issue. (FileXpress Platform Servers are not affected by this issue.)
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0013.

Alert: Floating Point Number Vulnerability CVE-2010-4476
Date Posted: July 2011; Modified June 2011
Summary: Oracle Security Alert: "This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products. This vulnerability allows unauthenticated network attacks (that is, it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability."
Product Status: FileXpress Internet Server, FileXpress Command Center, and FileXpress FileShot are affected by this vulnerability. To resolve the issue, you must update the JDK to 1.6U24 or higher. If you use the Internet Transfer Thin Client or any Command Line Clients, ensure that the JRE used is 1.6U24 or higher.
Additional Information: For details, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html, and the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4476.

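Both Java alerts in this note (CVE-2013-0422 above and CVE-2010-4476 here) resolve to a minimum patch level that an administrator must confirm on each host: 1.6U24 or higher for the floating-point hang, and a Java 7 build later than Update 10 for CVE-2013-0422. The following added example (not part of this technical note or the FileXpress products) parses the first line of "java -version" output into a (major, update) pair and reports where it stands against those two levels; the sample version lines are constructed, and the assumption that every Java 7 build already carries the CVE-2010-4476 fix is marked in the code.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample first lines of "java -version" output (not captured from a real host).
SAMPLE_VERSIONS = {
    "6u20": 'java version "1.6.0_20"',
    "6u24": 'java version "1.6.0_24"',
    "7u10": 'java version "1.7.0_10"',
    "7u11": 'java version "1.7.0_11"',
}

# Pre-Java-9 version strings look like 1.<major>.0_<update>.
VERSION_RE = re.compile(r'"1\.(\d+)\.\d+_(\d+)')


def parse_java_version(line: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a version line, e.g. 1.6.0_24 -> (6, 24); None if unparsable."""
    m = VERSION_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(line: str) -> dict:
    """Compare one version line with the two patch levels this note cites."""
    parsed = parse_java_version(line)
    if parsed is None:
        return {"parsed": None, "cve_2010_4476_fixed": None, "cve_2013_0422_affected": None}
    major, update = parsed
    # CVE-2010-4476: the note requires 1.6U24 or higher. Assumption: every Java 7
    # build also carries the fix, so (7, x) compares as higher than (6, 24).
    fp_fixed = (major, update) >= (6, 24)
    # CVE-2013-0422: Java 7 Update 10 or earlier is affected; Oracle states Java 6 is not.
    j7_affected = major == 7 and update <= 10
    return {"parsed": parsed, "cve_2010_4476_fixed": fp_fixed, "cve_2013_0422_affected": j7_affected}


def installed_java_version() -> Optional[str]:
    """First line of the local 'java -version' banner, or None if java is not on PATH."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return None
    banner = out.stderr or out.stdout  # java prints its version banner on stderr
    return banner.splitlines()[0] if banner else None


if __name__ == "__main__":
    for label, line in SAMPLE_VERSIONS.items():
        print(label, assess(line))
    local = installed_java_version()
    if local:
        print("local", assess(local))
```

A version line the regular expression cannot parse (for example a Java 9+ banner, which dropped the "1." prefix) is reported as unknown rather than as patched.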
Alert: Vulnerability CVE-2010-4252
Date Posted: June 2011
Summary: OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol.
Product Status: FileXpress products, and specifically FileXpress Platform Servers, are not affected by this OpenSSL issue. Platform Server does not use J-PAKE. J-PAKE is not compiled into OpenSSL by default.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4252.

Alert: Vulnerability CVE-2010-4180
Date Posted: June 2011
Summary: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Product Status: FileXpress products, and specifically FileXpress Platform Servers, are not subject to this vulnerability. Platform Server does not enable the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG flag.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4180.

Alert: OpenSSL TLS Buffer Overflow Vulnerability CVE-2010-3864
Date Posted: February 2011
Summary: Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.
Product Status: FileXpress products, and specifically Platform Server (which does include OpenSSL code), are not subject to this vulnerability.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3864.

Alert: FTP Client Directory Traversal Vulnerability CVE-2010-3096
Date Posted: December 2010
Summary: Numerous FTP clients have reported a directory traversal vulnerability that allows remote FTP servers to write arbitrary files via "..\" (dot dot backslash) sequences in a filename.
Product Status: FileXpress products are not subject to this vulnerability.
Additional Information: For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3096.

Alert: US-CERT Technical Cyber Security Alert TA10-238A
Date Posted: November 2010
Summary: Due to the way Microsoft Windows loads dynamically linked libraries (DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code.
Product Status: FileXpress products are not subject to this vulnerability.
Additional Information: For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-238A.html.

Alert: Vulnerability Advisory CPNI-957037
Date Posted: November 2010
Summary: A design flaw in the SSH protocol's use of block ciphers in cipher block chaining (CBC) mode could allow an attacker to recover up to four bytes of plaintext. Although the severity of the attack is considered high, the likelihood of a successful attack is considered low, and an attack terminates the user's SSH connection.
Product Status: Beginning in version 7.0, FileXpress Internet Server has added Counter Mode (CTR) cipher support. For more information about how this vulnerability affects Attachmate products, see Technical Note 2398. FileXpress Command Center and Platform Servers are not subject to this vulnerability.
Additional Information: For details, see the US-CERT web site at http://www.kb.cert.org/vuls/id/958563.

Alert: Multiple Java JVM Vulnerabilities
Date Posted: November 2010
Summary: Multiple Oracle Java JVM vulnerabilities are described in the following: US-CERT VU#466161; CVE-2009-3881, CVE-2009-3886; CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, and CVE-2010-0840.
Product Status: Beginning in version 7.0, FileXpress Internet Server provides JRE 1.6U20 (a non-vulnerable version) if a user does not have a JRE currently installed.
Additional Information: For details, search the appropriate database: for VU information, http://www.kb.cert.org/vuls/html/search; for CVE information, http://cve.mitre.org/find/index.html.

Alert: US-CERT Technical Cyber Security Alert TA09-209A
Date Posted: July 2009; Modified November 2010
Summary: Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable.
Product Status: While FileXpress products do not contain ActiveX controls or COM components, they do contain the ATL; however, beginning in FileXpress Platform Server for Windows 6.5.1, FileXpress Internet Server 7.0, and Command Center 7.0, the products contain a non-vulnerable version of the ATL.
Additional Information: For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html.

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Related Technical Notes
1890: Reporting a Potential Security Vulnerability to Attachmate
2200: Security and Your Operating Environment
2398: Attachmate Security Update for CSIRTUK Vulnerability #CPNI-957: Plaintext Recovery Attack Against SSH
2600: Attachmate Products and Java
9968: Technical Notes for FileXpress