FAQ: How do I Block Heartbleed on NetScaler?

Q: Is NetScaler affected by the Heartbleed vulnerability?

A: Heartbleed (CVE-2014-0160) is one of the most impactful vulnerabilities in the recent history of SSL/TLS. It is a bug in OpenSSL’s implementation of the TLS heartbeat extension that lets a remote attacker read data out of the server’s memory, exposing information that users assumed was protected by TLS. Because OpenSSL is used by the majority of sites on the internet, the impact is very broad. Worse, the attack leaves no trace in ordinary server logs, so exploitation is effectively undetectable after the fact.

Use cases

  • Andy wants to use web sites (some arbitrary, some known to him) through a web browser in a secure fashion, free from Heartbleed attacks.
  • Banking.com wants to host web servers used by people like Andy in a secure fashion, free from Heartbleed attacks.

Q: How does Heartbleed work?

A: To understand Heartbleed you first need to understand the TLS heartbeat extension (RFC 6520). A heartbeat is a request/response exchange between the two peers that keeps the connection alive without performing a renegotiation. A HeartbeatMessage consists of a message type, a 2-byte payload length, the payload itself, and at least 16 bytes of padding. The payload is arbitrary data chosen by the sender; the receiver (say, a server) copies it into a response message and sends it back. Because the payload length field is two bytes, a sender can claim a payload of up to 65,535 bytes. RFC 6520 requires that a message whose payload length is larger than what was actually received be discarded silently, i.e. the server must neither process it nor respond. Vulnerable OpenSSL versions skipped that check: they trusted the payload length and copied that many bytes from the buffer holding the (much shorter) request, so the response contained whatever happened to sit in adjacent process memory. An attacker therefore sends a tiny heartbeat request that claims a large payload and gets back up to roughly 64 KB of the server’s memory per request, which may include session cookies, passwords or key material.
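The exchange described above, reduced to a small simulation. This is an added example and not code from NetScaler or OpenSSL: the "heap" is just a byte string made of the received record followed by constructed data, vulnerable_respond mirrors the pre-fix behaviour of trusting payload_length, and fixed_respond adds the bounds check that RFC 6520 requires and that OpenSSL 1.0.1g introduced.

```python
import struct
from typing import Dict, Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3        # 1-byte type + 2-byte payload_length
MIN_PADDING = 16      # RFC 6520: padding MUST be at least 16 bytes


def build_heartbeat(msg_type: int, payload: bytes, claimed_length: Optional[int] = None,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Serialize a HeartbeatMessage; claimed_length lets a sender lie about payload_length."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", msg_type, length) + payload + padding


def vulnerable_respond(heap: bytes, record_len: int) -> Optional[bytes]:
    """Pre-1.0.1g behaviour: echo payload_length bytes without checking record_len."""
    msg_type, payload_length = struct.unpack("!BH", heap[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    # BUG: the slice runs past the received record into whatever follows it in memory.
    echoed = heap[HEADER_LEN:HEADER_LEN + payload_length]
    return build_heartbeat(HEARTBEAT_RESPONSE, echoed)


def fixed_respond(heap: bytes, record_len: int) -> Optional[bytes]:
    """1.0.1g behaviour: discard silently unless the record really holds the claimed payload."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None   # too short to be a valid heartbeat at all
    msg_type, payload_length = struct.unpack("!BH", heap[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > record_len:
        return None   # RFC 6520: payload_length too large -> discard, send no response
    echoed = heap[HEADER_LEN:HEADER_LEN + payload_length]
    return build_heartbeat(HEARTBEAT_RESPONSE, echoed)


def payload_of(msg: bytes) -> bytes:
    """Extract the payload from a serialized HeartbeatMessage."""
    _, length = struct.unpack("!BH", msg[:HEADER_LEN])
    return msg[HEADER_LEN:HEADER_LEN + length]


# Constructed data standing in for whatever happens to sit after the record on the heap.
ADJACENT_MEMORY = b"session cookie=deadbeef; Authorization: Basic YWRtaW46aHVudGVyMg=="
HONEST_REQUEST = build_heartbeat(HEARTBEAT_REQUEST, b"hello")                    # payload_length 5
LYING_REQUEST = build_heartbeat(HEARTBEAT_REQUEST, b"hello", claimed_length=60)  # claims 60 bytes


def demo() -> Dict[str, Tuple[Optional[bytes], Optional[bytes]]]:
    """Per request: (payload echoed by the vulnerable server, payload echoed by the fixed server)."""
    results = {}
    for name, record in (("honest", HONEST_REQUEST), ("lying", LYING_REQUEST)):
        heap = record + ADJACENT_MEMORY
        vuln = vulnerable_respond(heap, len(record))
        fixed = fixed_respond(heap, len(record))
        results[name] = (None if vuln is None else payload_of(vuln),
                         None if fixed is None else payload_of(fixed))
    return results


if __name__ == "__main__":
    for name, (vuln, fixed) in demo().items():
        print(f"{name:6s} vulnerable -> {vuln!r}")
        print(f"{name:6s} fixed      -> {fixed!r}")
```

The honest request is echoed identically by both servers. The lying request is 24 bytes on the wire but claims a 60-byte payload; the vulnerable server returns the 5-byte payload, its padding and then 39 bytes of the constructed neighbouring data, while the fixed server returns nothing at all, which is exactly the silent discard the RFC asks for.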

Q: How does NetScaler help?

A: NetScaler was never affected by the OpenSSL bug. The vulnerable OpenSSL releases (1.0.1 through 1.0.1f) are not used by NetScaler: the NetScaler operating system uses its own modified SSL stack, tuned for security, performance and other use cases, and that stack does not contain the flaw. The management plane does use OpenSSL, but none of the affected versions, so it is not exposed to Heartbleed either. Because NetScaler terminates TLS in front of the back-end servers, clients such as Andy never reach an OpenSSL heartbeat handler on Banking.com’s web servers through it.

For the list of Citrix products that do require updates for Heartbleed, see the Citrix support article: http://support.citrix.com/article/CTX140605.
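Whether an endpoint advertises the heartbeat extension at all is the first thing to check when triaging Heartbleed exposure on any TLS front end, NetScaler included: a server that never negotiates the extension cannot be reached by this attack, while one that does still needs its OpenSSL version checked. The following is an added example, not Citrix code. It parses the extensions block of a TLS 1.2 ServerHello and reports the advertised HeartbeatMode; the ServerHello bytes are constructed inside the block, and against a live system you would feed in the ServerHello record captured from the wire instead.

```python
import struct
from typing import List, Optional, Tuple

HANDSHAKE = 0x16
SERVER_HELLO = 0x02
HEARTBEAT_EXT = 0x000F          # RFC 6520 extension type
PEER_ALLOWED_TO_SEND = 1
PEER_NOT_ALLOWED_TO_SEND = 2


def build_server_hello(extensions: List[Tuple[int, bytes]]) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record carrying the given (type, data) extensions."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03"          # server_version: TLS 1.2
            + b"\x11" * 32       # random (constructed, not random)
            + b"\x00"            # session_id length 0
            + b"\xc0\x2f"        # cipher_suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x00")           # compression_method null
    if extensions:
        body += struct.pack("!H", len(ext_body)) + ext_body
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def heartbeat_mode(record: bytes) -> Optional[int]:
    """Return the HeartbeatMode the server advertised (1 = peer_allowed_to_send,
    2 = peer_not_allowed_to_send) or None if the ServerHello has no heartbeat extension."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != SERVER_HELLO:
        raise ValueError("record does not start with a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                # server_version + random
    pos += 1 + body[pos]                        # session_id
    pos += 2 + 1                                # cipher_suite + compression_method
    if pos + 2 > len(body):
        return None                             # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:                       # walk type/length/data triples
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == HEARTBEAT_EXT:
            return data[0] if data else None
    return None


def exposure(record: bytes) -> str:
    """Triage verdict for one ServerHello."""
    mode = heartbeat_mode(record)
    if mode is None:
        return "heartbeat extension not negotiated: Heartbleed not reachable on this connection"
    if mode == PEER_ALLOWED_TO_SEND:
        return "server accepts heartbeat requests: verify the OpenSSL version behind it"
    return "server advertises heartbeat with peer_not_allowed_to_send: still verify the OpenSSL version"


if __name__ == "__main__":
    for exts in ([], [(0xFF01, b"\x00"), (HEARTBEAT_EXT, b"\x01")], [(HEARTBEAT_EXT, b"\x02")]):
        print(exposure(build_server_hello(exts)))
```

Note that the parser only reports what the server advertises; it says nothing about the OpenSSL version, and a server that does advertise heartbeat is only vulnerable if its OpenSSL is one of the affected 1.0.1 releases.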

Related:

Splunk Integration

I need a solution

Trying to get SEP Cloud events into Splunk Enterprise v6.6.1 running on a Windows Server.

I created the scripted input per the Symantec Technote, however it doesn't appear to be working.

The following appears in splunkd.log:

ERROR ExecProcessor – Couldn’t start command “”C:\Program Files\Splunk\bin\scripts\wrapper.sh””: FormatMessage was unable to decode error (193), (0xc1)

Also, the following error occurs when trying to run the ExportClient.py script directly from a command line:

C:\Program Files\Splunk\bin>splunk cmd python scripts\ExportClient.py
Traceback (most recent call last):
File “scripts\ExportClient.py”, line 8, in <module>
import dateutil.parser
ImportError: No module named dateutil.parser

It appears some python modules are not installed with the version of python that is included with Splunk.

Has anyone managed to get this working?

Is there additional information available regarding what’s needed to get this working?


Related:

The Glitch Mob Flip the Stage with Dell and Alienware



The music, the lights, the people. They all add up at an electronic dance music (EDM) event to create an experience that takes us away from our everyday life. We get to dance and escape for a bit.

“But, after a few shows, this novelty wore off. You weren’t as excited anymore; you knew what to expect. So what does one do?” asked one music psychology enthusiast.

The Glitch Mob performing with Blade 1.0

Well, if you’re the pioneers in live performances of electronic music like Boreta (Justin Boreta), edIT (Edward Ma), and Ooah (Joshua Mayer), aka The Glitch Mob (above), you look for new technology that lets you further break down the wall between the performers and the crowd.

“The Glitch Mob are consistently pushing the boundaries of live electronic performance, with The Blade 2.0 another of their ingenious creations once again putting their live show in a league of its own,” says Broadway World.

Blade 2.0 is the new custom-made live performance rig that follows (obviously) Blade 1.0. The new tour also brings a custom stage designed by Martin Phillips, the same man behind Daft Punk’s legendary Pyramid on their iconic 2006/2007 Alive tour; he’s also worked with the likes of Kanye West, Nine Inch Nails and others.

The band also collaborated with Dell and Alienware on the project to provide the elite computational power needed to perform their music the way it was intended to be received with the utmost precision and sound quality.

As gamers, in addition to musicians, The Glitch Mob have been fans of Alienware and started working with the brand in 2011. Impressed with the performance of those systems, they began looking at more Dell technology for the Blade 2.0.

They were using hacked Apple iPads and Macbook Pros in the Blade 1.0, but felt limited by their ecosystem and infrastructure. The systems were barely powerful enough to keep up with the demands of the live show and weren’t updated or refreshed frequently enough.

At their 2015 New Year’s Eve show, The Glitch Mob used three Dell XPS 18s for the first time in a live performance in front of 19,000 fans. Success then gave them confidence that Dell would be a reliable technology partner for a monumental 36-date 2018 world tour on a next-level stage.


Traditionally, a stage has a conceptual barrier between those who are on it and those in front of it that is referred to as the fourth wall. What’s going to be really fun about Blade 2.0 is that it breaks that imaginary barrier.

“Everything has been flipped around so the crowd can see what the group are playing in real time,” Broadway World noted. “The Blade 2.0 acts as both a custom-made instrument and stage, which creates a uniquely immersive experience.”

I first got to see a sample of this effect when The Glitch Mob demonstrated our Dell XPS 27 at CES 2017. For Blade 2.0, however, they’ve evaluated many other Dell technologies and landed on the following configuration for the end-to-end design:

  • Dell Canvas and Alienware 17s as primary controller for each performer (running emulator on the Canvas/Alienware pairing allows the touchscreen to act as a flexible and reconfigurable MIDI controller)
  • Alienware 15s to run the live musical set in Ableton and do the bulk of the computing
  • XPS All-in-Ones (AIOs) as secondary controllers for each performer

For venues and events where Blade 2.0 won’t fit, The Glitch Mob will perform DJ sets on Dell XPS 15s.

While the tour doesn’t officially kick off until April 20 in Paris, France, a sneak preview will be coming to our Dell Technologies THE EXPERIENCE at SXSW next month. Along with their fellow live electronic music pioneers Strangeloop and WaveVR, The Glitch Mob will discuss how live music is evolving with advancements in technology. Then, attendees will be treated to the world premiere performance of Blade 2.0.

If you aren’t able to be a part of that Austin, Texas, event, The Glitch Mob will be traveling all around the rest of North America and the world. Tickets for those shows went on sale to the public today on The Glitch Mob’s official website.



Related:

IBM Security Bulletin: IBM Maximo Asset Management is vulnerable to SQL injection

IBM Maximo Asset Management is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. CVE(s): CVE-2018-1414 Affected product(s) and affected version(s): This …

Related:

Joomla Advertisement Board CVE-2018-5982 catname SQL Injection

Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/advertisement-board/
Version: 3.1.0
Category: Webapps
Tested on: WiN7_x64/KaLiLinuX_x64
CVE: CVE-2018-5982
Exploit Author: Ihsan Sencan
POC:
1)

Related:

7022627: rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)

This document (7022627) is provided subject to the disclaimer at the end of this document.

Environment

ReflectionDesktop 16.1 version 16.1.348 and earlier

InfoConnect Desktop 16.1 version 16.1.348 and earlier

Situation

There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.

Resolution

This issue is addressed in Reflection/InfoConnect Desktop 16.1 version 16.1.362 and higher.

Status

Security Alert

Additional Information

For vulnerability details, see the National Vulnerability Database:

https://nvd.nist.gov/vuln/detail/CVE-2017-3738

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

Related:

7021300: Security Updates 2016 and earlier – Verastream

The following security alerts and advisories may affect your product installation, or the security of your operating system or network environment. We recommend that you review these alerts and advisories.

Note: This information is non-inclusive—it does not attempt to address all security issues that may affect your system.

IMPORTANT REMINDER: The security for all of the Attachmate products using the Attachmate security features depends upon the security of the operating system, host, and network environment. We strongly recommend that you evaluate and implement all relevant security service packs, updates, and patches recommended by your operating system, host, and network manufacturers. For more information, see Technical Note 2200.

Alert
glibc Stack-based Buffer Overflow Vulnerability (CVE-2015-7547)
Date Posted
February 2016
Summary
The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() function is used.
Product Status
Verastream Host Integrator is subject to this vulnerability when run on Red Hat Enterprise Linux and SUSE Linux Enterprise Server platforms if the GNU C Library (glibc) installed on the system is between versions 2.9 and 2.22 (inclusive). The vulnerability is fixed in glibc version 2.23.

For information on how to update your Red Hat system, see
https://access.redhat.com/security/cve/cve-2015-7547.

For information on how to update your SUSE system, see

https://www.suse.com/support/update/announcement/2016/suse-su-20160471-1.html.

Additional Information
For vulnerability details, see:

https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
Alert
Unsafe Object Deserialization Vulnerability
Date Posted
December 2015
Summary
Apache Commons Collections (ACC) library version 3.2.1 contains a vulnerability that allows a remote attacker to execute arbitrary code on an unpatched machine that uses JMX.
Product Status
Verastream Host Integrator 7.7.34 and earlier and Verastream Process Designer R6 or earlier include the affected library version, and are vulnerable. To update ACC files in your installation, see Technical Note 10162.

Also, to mitigate this vulnerability, ensure that firewalls are configured to allow connections only from remote clients that specifically require such access. This includes JMX management and configuration ports 33000 and 33001 (for VHI; see also Technical Note 10105) and port 34000 (for VPD).

Additional Information
For vulnerability details, see http://www.kb.cert.org/vuls/id/576313. This vulnerability continues to be a subject of research, so check back for further updates.
Alert
Diffie-Hellman Logjam Vulnerabilities (CVE-2015-4000)
Date Posted
July 2015
Summary
With TLS 1.2 and earlier, if the DHE_EXPORT ciphersuite is supported by the server, man-in-the-middle attackers can conduct cipher-downgrade attacks. Additionally, with any TLS or SSH connection that uses weak DH groups (1024 bits or less) for key exchange, a well-resourced attacker can passively eavesdrop and decrypt sessions.
Product Status
The following information applies to Verastream Host Integrator:

SSH connections may be vulnerable, depending on the configuration of VHI and the SSH server. To avoid this vulnerability:

* Disable the Group1 algorithm in your model (Connection > Session Setup > Advanced > Key Exchange Algorithms).

* Verify your SSH server does not return a 1024-bit Group when 2048-bit Group Exchange is requested.

TLS connections are subject to this vulnerability. TLS connections to Verastream offer 1024-bit DH groups, except that connections to secure Web Services (port 9681) running on Windows, Linux, or Solaris offer 768-bit DH groups. TLS connections from Verastream (such as to the host) use the DH group determined by the host configuration. To avoid this vulnerability:

* Configure any (web services) clients to use TLS ciphers that use RSA or ECDH for key exchange.

* Configure the TLS connections on your host to use a 2048-bit DH group.

TLS connections are not vulnerable to the man-in-the-middle attacks, as DHE_EXPORT ciphers are not supported.

Additional Information
For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000.
Alert
Apache Xerces-C Denial of Service Vulnerability (CVE-2015-0252)
Date Posted
April 2015
Summary
Apache Xerces-C before 3.1.2 allows remote attackers to cause a denial of service (segmentation fault and crash) via crafted XML data.
Product Status
The Verastream Host Integrator (VHI) C and COM connectors each have four methods that are possibly affected:

– RecordSetFromXML

– RecordSetToXML

– RecordFromXML

– RecordToXML

Only the C and COM connector APIs are affected. Specifically, VHI web services are not affected.

The four methods, as well as the vulnerable Xerces-C library, have been removed in VHI 7.7.30 (7.7 Hotfix 2), available to maintained customers from http://support.attachmate.com/downloads/.
Additional Information
For vulnerability details, see https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0252.
Alert
OpenSSL 19-Mar-2015 Security Release Vulnerabilities
Date Posted
April 2015
Summary
On March 19, 2015, the OpenSSL development team released new libraries that fix eleven reported vulnerabilities. Some of these vulnerabilities might affect Verastream Host Integrator (VHI).
Product Status
The updated OpenSSL library is available for maintained customers in VHI 7.7.30 (7.7 Hotfix 2) from http://support.attachmate.com/downloads/. Note: Some of the issues reported were already fixed in an earlier release.
Additional Information
For vulnerability details, see https://www.openssl.org/news/secadv_20150319.txt.
Alert
libssh2 vulnerability (CVE-2015-1782)
Date Posted
April 2015
Summary
A libssh2 vulnerability can cause a denial of service (crash) in the Design Tool and Session Server when using SSH.
Product Status
This issue affects Verastream Host Integrator 7.6.1025 (7.6 SP1) through 7.7.27.

If your version of VHI is affected and you are a maintained customer, upgrade to VHI 7.7.30 (7.7 Hotfix 2) from http://support.attachmate.com/downloads/.
Additional Information
For vulnerability details, see the National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1782.

For the libssh2 Security Advisory, see
http://www.libssh2.org/adv_20150311.html.

For a detailed libssh2 issue ticket, see
https://trac.libssh2.org/ticket/294.
Alert
SSL 3.0 ‘POODLE’ Vulnerability (CVE-2014-3566)
Date Posted
October 2014 (modified February 2015)

Summary
A vulnerability in the SSL 3.0 protocol that makes it easier for man-in-the-middle attackers to obtain clear text data via a padding-oracle attack (“POODLE”).
Product Status
– Verastream Host Integrator (VHI) 7.7 is not vulnerable. All use of SSL 3.0 is disabled by default.

– Verastream Host Integrator (VHI) 7.6 SP1 or earlier: Session Server and Design Tool both contain SSL 3.0, but the resulting connections are not vulnerable to the attack unless connecting to a host that supports SSL 3.0 exclusively (not TLS). The VHI Web Services server (port 9681) also contains SSL 3.0; however, the connection is only vulnerable if you connect to it using a vulnerable browser. Typically, Web Services requests are made using Web Services clients, and these connections are not vulnerable.

– Other VHI components do not use SSL 3.0 and are not vulnerable.

– Verastream Process Designer (VPD) does not use SSL 3.0 and is not vulnerable.

– Verastream Bridge Integrator (VBI) contains SSL 3.0, but connections to the server are not vulnerable.
Additional Information
– In Verastream Host Integrator 7.6 SP1 or earlier, to disable SSL 3.0 in the Session Server and Design Tool, consider enabling FIPS mode. See US FIPS 140-2 Validated Cryptography in Technical Note 10151.

– Before using a browser to make an HTTPS connection to the Verastream Host Integrator Web Services server, disable SSL 3.0 in your browser.

For vulnerability details, see the National Vulnerability Database:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
Alert
Multiple Oracle Java Vulnerabilities Affecting Verastream Host Integrator
Summary
Multiple security issues have been addressed in the latest Oracle Java update. We recommend that you update Verastream Host Integrator on systems running Development Kit or Server Kit, and update Java on any client systems using the Java connector API, or Java web applications generated by Web Builder.

For more information on Java versions installed with VHI, see Technical Note 10030.

Date Posted and Version Affected
January 2015 – Verastream Host Integrator 7.7 installs Java 7 Update 75 (JDK 1.7.0_75) on Windows, Solaris, and Linux platforms.
Date Posted and Version Affected
June 2014 – Verastream Host Integrator 7.6 SP1 installs Java 7 Update 55 (JDK 1.7.0_55) on Windows, Solaris, and Linux platforms.
Date Posted and Version Affected
December 2013 – Verastream Host Integrator 7.6 installs Java 7 Update 45 (JDK 1.7.0_45) on Windows, Solaris, and Linux platforms.
Date Posted and Version Affected
June 2013 – Verastream Host Integrator 7.5 SP1 installs Java 7 Update 21 (JDK 1.7.0_21) on Windows, Solaris, and Linux platforms.
Date Posted and Version Affected
December 2012 – Verastream Host Integrator 7.5 installs Java 7 Update 9 (JDK 1.7.0_09) on Windows, Solaris, and Linux platforms.
Date Posted and Version Affected
March 2012 – Verastream Host Integrator 7.1 Service Pack 2 installs Java 6 Update 29 (JDK 1.6.0_29) on Windows, Solaris, and Linux platforms.
Additional Information
For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table.
Alert
TLS 1.x padding vulnerability (CVE-2014-8730)
Date Posted
December 2014
Summary
Some TLS implementations omit to check the padding structure after decryption. Such implementations are vulnerable to the POODLE attack even with TLS.
Product Status
Verastream Host Integrator (VHI) is not vulnerable to the attack.

Verastream Process Designer (VPD) is not vulnerable.

Verastream Bridge Integrator (VBI) is not vulnerable.

Additional Information
For vulnerability details, see the National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730
Alert
VPD Remote Code Execution Vulnerability CVE-2014-0607
Date Posted
July 2014
Summary
By sending a specially crafted request to a web service, it is possible to upload an arbitrary file on the target server, enabling the attacker to execute arbitrary code on the server.
Product Status
This issue affects all versions of Verastream Process Designer (VPD) version R6 SP1 or earlier.

This issue is resolved beginning in Verastream Process Designer R6 SP1 Hotfix 1 (build 1010). Maintained customers can contact Attachmate Technical Support to obtain the hotfix.

CVSS Version 2.0
Base Score: 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Additional Information
Attachmate would like to thank Andrea Micalizzi (rgod), working with HP’s Zero Day Initiative, for the discovery and responsible reporting of this vulnerability.

For vulnerability details, see the National Vulnerability Database:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0607

Alert
OpenSSL “CCS Injection” Vulnerability CVE-2014-0224
Date Posted
June 2014
Summary
A vulnerability in OpenSSL could allow an attacker with a man-in-the-middle vantage point on the network to decrypt or modify traffic.
Product Status
This issue affects all versions of Verastream Host Integrator version 7.6 or earlier.

This issue is resolved beginning in Verastream Host Integrator 7.6 SP1 (version 7.6.1026). Maintained customers can download the latest version from the Attachmate Downloads site, http://download.attachmate.com/.

Additional Information
For details and the latest information on mitigations, see the following:

CERT-CC Vulnerability Note VU#978508:
http://www.kb.cert.org/vuls/id/978508

National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224
Alert
OpenSSL “Heartbleed” Vulnerability CVE-2014-0160
Date Posted
April 2014
Summary
A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.
Product Status
This issue affects Verastream Host Integrator version 7.6. Earlier Verastream Host Integrator versions and other Verastream products are not subject to this vulnerability.

This issue is resolved beginning in Verastream Host Integrator 7.6 Hotfix 3 (version 7.6.49). Maintained customers can download the latest version from the Attachmate Downloads site, http://download.attachmate.com/.

Additional Information
For details and the latest information on mitigations, see the following:

US-CERT Technical Alert:
https://www.us-cert.gov/ncas/alerts/TA14-098A

CERT-CC Vulnerability Note VU#720951:
http://www.kb.cert.org/vuls/id/720951

National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Alert
Multiple RSA BSAFE SSL-J Vulnerabilities Affect Verastream SDK for Unisys and Airlines
Summary
Multiple security issues have been addressed in RSA BSAFE SSL-J module 6.1.2. We recommend that you update to the latest version of Verastream SDK for Unisys and Airlines.
Date Posted and Version Affected
April 2014 – Verastream SDK for Unisys and Airlines 5.0 uses RSA BSAFE SSL-J module 6.1.2.
Additional Information
For details, see the following web sites:

http://www.securityfocus.com/archive/1/526913/100/900/threaded

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0169

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389

Alert
Multiple OpenSSL Vulnerabilities
Date Posted
March 2014
Summary
The ssl3_take_mac function allows remote TLS servers to cause a denial of service via a crafted TLS handshake (CVE-2013-4353).

The ssl_get_algorithm2 function allows remote attackers to cause a denial of service attack via crafted traffic from a TLS 1.2 client (CVE-2013-6449).


Product Status
These issues are resolved beginning in Verastream Host Integrator 7.6 Hotfix 2 (7.6.47). Download the latest version from Attachmate Downloads at http://download.attachmate.com.
Additional Information
For details, see the National Vulnerability Database web site:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4353

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449
Alert
RSA Security Advisory: ESA-2013-068 Crypto-J Default DRBG May Be Compromised
Date Posted
January 2014 (modified February 2014)

Summary
RSA strongly recommends that customers discontinue use of the default Dual EC DRBG (deterministic random bit generator) and move to a different DRBG.
Product Status
This issue affects Verastream Host Integrator 7.6, 7.5 SP1, 7.5, and 7.1 SP2; and Verastream Process Designer R6 and R5 SP1. Verastream products on AIX and z/Linux are not affected.
Additional Information
If you wish to change the default pseudo-random number generator (PRNG) used, you can add the following line to the java.security file:

com.rsa.crypto.default.random=HMACDRBG256



This java.security file is found in the following directory:

<installation folder>/java/jdk<version>/jre/lib/security.

Note that the Java version is different depending on the version of the product you have installed. If you have more than one Verastream product installed, you may have to edit more than one file.

For information on Java versions in Verastream, refer to

http://support.attachmate.com/techdocs/10030.html#Java_Requirements.

For more information about this alert, see
http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf.

Alert
Verastream Host Integrator Session Server Vulnerability CVE-2013-3626
Date Posted
September 2013 (modified November 2013)

Summary
By sending a specially crafted message to the Verastream Host Integrator Session Server, an unauthenticated remote attacker can execute arbitrary code to gain control of the server.
Product Status
This issue is resolved in Verastream Host Integrator 7.5 SP1 Hotfix 2 or higher (7.5.1038 or higher) and in Verastream Host Integrator 7.1 SP2 Hotfix 7 (7.1.2043). Maintained customers can obtain the latest version from Attachmate Downloads at http://download.attachmate.com.
Additional Information
This vulnerability is posted at the National Vulnerability Database web site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3626

CERT Coordination Center (CERT/CC) Vulnerability Note VU#436214:

http://www.kb.cert.org/vuls/id/436214

Alert
Multiple Oracle Java Vulnerabilities Affecting Verastream Process Designer
Summary
Multiple security issues have been addressed in the latest Oracle Java update. We recommend that you upgrade Verastream Process Designer to the latest version.
Date Posted and Version Affected
October 2013 – Verastream Process Designer R6 installs Java 7 Update 25 (JDK 1.7.0_25) on Windows, Solaris, and Linux platforms.
Date Posted and Version Affected
May 2013 – Verastream Process Designer R5 SP1 installs Java 7 Update 15 (JDK 1.7.0_15) on Windows, Solaris, and Linux platforms.
Additional Information
For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table.
Alert
Vulnerability Summary for CVE-2013-1571
Date Posted
June 2013
Summary
Verastream Host Integrator and Verastream Bridge Integrator contain API documentation in HTML format that was created by Javadoc. Additionally, the Web Builder tool that is part of Verastream Host Integrator runs Javadoc to generate API documentation in HTML format for some of the code that it generates.

Javadoc HTML pages that were created by the Javadoc Tool that is included with Java 7 Update 21 and earlier, 6 Update 45 and earlier, 5.0 Update 45 and earlier, JavaFX 2.2.21 and earlier contain JavaScript code that fails to parse scheme relative URIs parameters correctly. An attacker can construct a URI that passes malicious parameters to the affected HTML page that causes one of the frames within the Javadoc-generated web page to be replaced with a malicious page.

This vulnerability could be used for phishing or social engineering, or it could be used for browser exploitation if combined with another browser-related vulnerability.


Product Status
Verastream Host Integrator 7.5 SP1 or earlier and Verastream Bridge Integrator R5 SP1 or earlier contain Help pages that are vulnerable. However, these pages are not served on a public web server, but on a local server that listens on an arbitrary (ephemeral) port, making it unlikely that the vulnerability can be exploited.

If you wish to eliminate this vulnerability, you can run the “Java API Documentation Updater Tool” that is available as a separate download from Oracle. Note that in a typical installation, the tool will have to be run with elevated privileges to write into the installed files.

The API documentation in HTML format that is created by Web Builder also contains the problematic JavaScript, but these files are not served on a web server and therefore are not vulnerable.

Verastream Process Designer is not affected.


Additional Information
For details, see the National Vulnerability Database web site: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1571

CERT Coordination Center (CERT/CC) Vulnerability Note VU#225657:

http://www.kb.cert.org/vuls/id/225657

Oracle’s Java API Documentation Updater Tool:

http://www.oracle.com/technetwork/java/javase/downloads/java-doc-updater-tool-1955731.html

Alert
Vulnerability Summary for CVE-2013-0422
Date Posted
January 2013
Summary
Oracle Java 7 Update 10 or earlier allows remote attackers to execute arbitrary code as exploited “in the wild” and demonstrated by exploit tools such as Blackhole and Nuclear Pack. Note: Oracle states that Java 6 is not affected.

According to Oracle, to be successfully exploited, an unsuspecting user running an affected release in a browser needs to visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and confidentiality of the user’s system. These vulnerabilities are not applicable to Java running on servers or within applications.


Product Status
Verastream products are not subject to this vulnerability. However, to configure Verastream Host Integrator connections to use the Reflection Security Proxy Server (using the Administrative WebStation included in Reflection Administrator, Reflection Security Gateway, or Reflection for the Web, sold separately from Verastream), your browser must have a Java plug-in enabled. It is this JRE browser plug-in and Java Web Start that can be exploited, not Attachmate products. To minimize the risk, refer to the latest information provided by Oracle and install a version of Java that addresses this vulnerability. Note: the Java used by the browser is a separate installation from the private JDK installed with Verastream Host Integrator; the private JDK is not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422 and Oracle’s site at http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.
Alert
Multiple Apache Tomcat Vulnerabilities
Date Posted
December 2012
Summary
Multiple Tomcat security issues have been addressed in Verastream Host Integrator 7.5.
Product Status
Verastream Host Integrator 7.5 has resolved these security issues by no longer using Tomcat for the VHI Web Server. (The VHI Web Server is used to run Java-based projects generated by Web Builder.) Beginning in Verastream Host Integrator 7.5, other technologies are used instead.
Additional Information
For details about the vulnerabilities in Tomcat, see the Apache web site at http://tomcat.apache.org/security-5.html.
Alert
Multiple Oracle Java Vulnerabilities Affecting Verastream Process Designer
Date Posted
October 2012
Summary
Multiple security issues have been addressed in Oracle Java 7 Update 3 or higher.
Product Status
These issues are resolved in Verastream Process Designer R5 on Windows, Solaris, and Linux platforms, which installs Java 7 Update 4 (JDK 1.7.0_04). Verastream Process Designer R4 installed Java 6 Update 16, and R4+SP1 installed Java 6 Update 26.
Additional Information
For details about the vulnerabilities fixed by Oracle, see the Oracle web site at http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates and scroll to the Java SE Critical Patch Update table.
Alert
Vulnerability Summary for Verastream Denial of Service
Date Posted
October 2011
Summary
A specially crafted network message can cause a denial of service (server restart) in versions of the VHI session server prior to 7.1 SP1.
Product Status
The vulnerability has been fixed in Verastream Host Integrator 7.1 SP1. Other Verastream products are not subject to this vulnerability.
Additional Information
Attachmate would like to thank Mark Goodwin and Bartosz Maciej of Citi UK for discovering and reporting the vulnerability.
Alert
Vulnerability Summary for CVE-2010-3190
Date Posted
October 2011
Summary
Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; and Visual C++ 2005 SP1, 2008 SP1, and 2010 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka “MFC Insecure Library Loading Vulnerability.”
Product Status
In Verastream Host Integrator 7.1 SP1 and Verastream Process Designer R4 SP1, the Microsoft Redistributable Library files for the untrusted search path vulnerability have been updated. Other Verastream products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3190.
Alert
Multiple OpenSSL Vulnerabilities
Date Posted
February 2011
Summary
Multiple OpenSSL vulnerabilities are described in the following: CVE-2010-4252, CVE-2010-4180, and CVE-2010-3864.
Product Status
Attachmate Verastream products, and specifically Verastream Host Integrator, are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4252

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4180

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3864
Alert
Vulnerability Summary for CVE-2010-1622
Date Posted
October 2010
Summary
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.
Product Status
Attachmate Verastream products, and specifically Verastream Process Designer, are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1622.
Alert
US-CERT Technical Cyber Security Alert TA10-238A
Date Posted
September 2010
Summary
Due to the way Microsoft Windows loads dynamically linked libraries (DLLs), an application may load an attacker-supplied DLL instead of the legitimate one, resulting in the execution of arbitrary code.
Product Status
Attachmate Verastream products are not subject to this vulnerability.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA10-238A.html.
Alert
OpenSSL Cryptographic Message Syntax Vulnerability CVE-2010-0742
Date Posted
June 2010
Summary
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors.
Product Status
Attachmate Verastream products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0742.
Alert
OpenSSL RSA Verification Recovery Vulnerability CVE-2010-1633
Date Posted
June 2010
Summary
RSA verification recovery in the EVP_PKEY_verify_recover function in OpenSSL 1.x before 1.0.0a, as used by pkeyutl and possibly other applications, returns uninitialized memory upon failure, which might allow context-dependent attackers to bypass intended key requirements or obtain sensitive information via unspecified vectors.
Product Status
Attachmate Verastream products are not subject to this vulnerability.
Additional Information
For details, see the National Vulnerability Database web site at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1633.
Alert
US-CERT Technical Cyber Security Alert TA09-209A
Date Posted
28-July-2009
Summary
Vulnerabilities present in the Microsoft Active Template Library (ATL) can cause vulnerabilities in the resulting ActiveX controls and COM components, as described in Microsoft Security Bulletin MS09-035 and Microsoft Security Advisory 973882. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable.
Product Status
Verastream Transaction Integrator (VTI) version 4.0 includes the vulnerable Microsoft ATL redistribution. However, because VTI does not use ATL in an ActiveX control and is not scriptable, the risk is significantly lessened. To remove the possibility of third-party controls or scripts using the vulnerable ATL, incorporation of the non-vulnerable ATL is planned for the next release of VTI.
Additional Information
For details, see the US-CERT web site at http://www.us-cert.gov/cas/techalerts/TA09-209A.html.
Alert
iDefense Advisory 11.15.05
Date Posted
January 2007
Product Status
For information on this security vulnerability in Verastream Integration Broker version 9.9 or earlier, see Technical Note 10070.

Notice: This technical note is updated from time to time and is provided for informational purposes only. Attachmate makes no representation or warranty that the functions contained in our software products will meet your requirements or that the operation of our software products will be interruption or error free. Attachmate EXPRESSLY DISCLAIMS ALL WARRANTIES REGARDING OUR SOFTWARE INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.