Current Security Vulnerabilities In AnyConnect 3.0?

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120620-ac
We have 3.05080 and it is included in the unsafe versions according to that link, but people in control do not want to upgrade again because the upgrade process is very expensive and time consuming requiring technicians to visit many satellite offices.  The users are unable to install the client software themselves because they do not have the required admin rights to install the Cisco client.
It was a several-week-long process to get upgraded from 2.x to 3.0, and they are not interested in doing this again so soon.  I think they had their versions of 2.x for at least 5 years and do not do upgrades lightly.
How serious is the security issue in the link above, and is there documentation/news reports showing that it is actually being exploited in the wild rather than being a hypothetical exploit?
What can be done to prevent the possibility of the exploit being taken advantage of when the Cisco client is not upgraded to the latest version?

The workarounds are documented in the report:
Software Versions and Fixes
When considering software upgrades, customers are advised to consult the Cisco Security Advisories and Responses archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
| Vulnerability | Platform | First Fixed Release |
| Cisco AnyConnect Secure Mobility Client VPN Downloader Arbitrary Code Execution Vulnerability | Microsoft Windows | 2.5 MR6 (2.5.6005) |
| | Linux, Apple Mac OS X | 2.5 MR6* (2.5.6005), 3.0 MR8 (3.0.08057) |
| Cisco AnyConnect Secure Mobility Client VPN Downloader Software Downgrade Vulnerability | Microsoft Windows | 2.5 MR6 (2.5.6005), 3.0 MR8 (3.0.08057) |
| | Linux, Apple Mac OS X | 2.5 MR6* (2.5.6005), 3.0 MR8 (3.0.08057) |
| Cisco AnyConnect Secure Mobility Client and Cisco Secure Desktop Hostscan Downloader Software Downgrade Vulnerability | Microsoft Windows | AnyConnect 3.0 MR8 (3.0.08057); Hostscan 3.0 MR8 (3.0.08062); Cisco Secure Desktop 3.6.6020 |
| | Linux, Apple Mac OS X | AnyConnect 3.0 MR8 (3.0.08057); Hostscan 3.0 MR8 (3.0.08062); Cisco Secure Desktop 3.6.6020 |
| Cisco AnyConnect Secure Mobility Client 64-bit Java VPN Downloader Arbitrary Code Execution Vulnerability | Microsoft Windows | Not affected |
| | Linux 64-bit | 3.0 MR7 (3.0.7059) |
| Cisco Secure Desktop Arbitrary Code Execution Vulnerability | Microsoft Windows, Linux, Apple Mac OS X | Cisco Secure Desktop 3.6.6020 |
* NOTE: Cisco AnyConnect Secure Mobility Client 2.5 MR6 for Mac OS X, which contains fixes for the VPN downloader vulnerabilities in this advisory, will no longer support OS X 10.4.
Recommended Releases
The following table lists all recommended releases. These recommended releases contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases.
| Software Name | Major Release | Recommended Release |
| Cisco AnyConnect Secure Mobility Client | 2.5.x | 2.5 MR6 (2.5.6005) |
| Cisco AnyConnect Secure Mobility Client | 3.0.x | 3.0 MR8 (3.0.08057) |
| Hostscan | 3.0.x | 3.0 MR8 (3.0.08062) |
| Cisco Secure Desktop | 3.x | 3.6.6020 |
Workarounds
Blacklists can be enforced manually, based on the instructions provided in the “Details” section, or by applying updates from Microsoft (2736233) or Oracle (Java SE 6 Update 37 and Java SE 7 Update 9) that include ActiveX CLSIDs or Java applet Message Digests. Anyone opting to enforce blacklists of the vulnerable ActiveX control CLSIDs and Java applet Message Digests can prevent the vulnerable code from instantiating. As a result, WebLaunch initiation of vulnerable software installation and upgrades will be prevented; however, pre-deployed software initiated through standalone methods and WebLaunch initiation of fixed software will continue to function.
In most cases an AnyConnect upgrade is mandatory; in other cases upgrading third-party software is the key.
Thanks.
HTH.
Portu.
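
An inventory check built on the "First Fixed Release" table quoted above, as an added example that is not part of the original thread or of Cisco's advisory. The platform keys, status strings, host names and sample inventory are constructed, and it assumes the asker's "3.05080" means build 3.0.5080. It covers the AnyConnect client rows only; Hostscan and Cisco Secure Desktop builds are versioned separately.

```python
# First-fixed AnyConnect builds transcribed from the advisory table quoted
# above. Platform keys ("windows", "linux", "linux64", "macos") and the status
# strings are this example's own naming, not Cisco's.
UNIX = ("linux", "linux64", "macos")
ALL = ("windows",) + UNIX

# (vulnerability, platforms the row applies to, first fixed builds or None)
# None means the table says "Not affected" for that platform.
ROWS = [
    ("VPN Downloader Arbitrary Code Execution", ("windows",), ["2.5.6005"]),
    ("VPN Downloader Arbitrary Code Execution", UNIX, ["2.5.6005", "3.0.08057"]),
    ("VPN Downloader Software Downgrade", ALL, ["2.5.6005", "3.0.08057"]),
    ("Hostscan Downloader Software Downgrade", ALL, ["3.0.08057"]),
    ("64-bit Java VPN Downloader Arbitrary Code Execution", ("windows",), None),
    ("64-bit Java VPN Downloader Arbitrary Code Execution", ("linux64",), ["3.0.7059"]),
]


def parse_version(text):
    """Turn 'major.minor.build' into a tuple of ints.

    Builds are compared numerically, so '3.0.08057' and '3.0.8057' are equal
    and '3.0.5080' sorts below both (a plain string comparison would not).
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("expected major.minor.build, got %r" % text)
    return tuple(int(p) for p in parts)


def assess(installed, platform):
    """Return {vulnerability: status} for one installed client.

    status is one of:
      'vulnerable'        installed build is older than the first fixed build
      'fixed'             installed build is the first fixed build or later
      'not affected'      the table says so for this platform
      'train not listed'  the table gives no fixed build for this release
                          train on this platform, so it cannot decide
    """
    if platform not in ALL:
        raise ValueError("unknown platform %r" % platform)
    version = parse_version(installed)
    train = version[:2]
    report = {}
    for name, platforms, fixed in ROWS:
        if platform not in platforms:
            continue
        if fixed is None:
            report[name] = "not affected"
            continue
        # Pick the fixed build that belongs to the installed release train.
        by_train = {parse_version(f)[:2]: parse_version(f) for f in fixed}
        first_fixed = by_train.get(train)
        if first_fixed is None:
            report[name] = "train not listed"
        elif version < first_fixed:
            report[name] = "vulnerable"
        else:
            report[name] = "fixed"
    return report


def vulnerable_hosts(inventory):
    """Names of hosts with at least one 'vulnerable' finding, sorted."""
    flagged = []
    for host, installed, platform in inventory:
        if "vulnerable" in assess(installed, platform).values():
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory: (host, installed AnyConnect build, platform).
SAMPLE_INVENTORY = [
    ("branch-pc-01", "3.0.5080", "windows"),
    ("hq-mac-02", "3.0.08057", "macos"),
    ("lab-lnx-03", "3.0.7059", "linux64"),
]

if __name__ == "__main__":
    for host, installed, platform in SAMPLE_INVENTORY:
        print(host, installed, platform)
        for name, status in assess(installed, platform).items():
            print("   %-55s %s" % (name, status))
    print("needs upgrade:", vulnerable_hosts(SAMPLE_INVENTORY))
```

A "train not listed" result means the quoted table alone cannot decide the case, so the full advisory has to be consulted for that row.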

Similar Messages

  • Oracle Security Vulnerabilities?

    Hi all,
    We're running many PHP 5.x applications in a distributed environment that use the OCI client to access Oracle 10g databases.
    Our server administration group is migrating to a new server and is refusing to install or support the OCI Instant client under Linux saying it's a security problem. Specifically, they say that the OCI Instant Client is exposed to buffer overflows and stack smashing. Their recommendation? Rewrite all our apps to use another database. Yeah, right.
    They provided me with two sources to explain the issues:
    http://www.dummies.com/WileyCDA/DummiesArticle/id-2900.html
    and
    Re: Problems with libclntsh.so.10.1 and PHP/Apache HTTPD
    Is this really a security problem? If so, what can be done to mitigate the risk?
    Thanks,
    John

    Hi all,
    I thought I’d jump in this thread with a few thoughts.
    Security flaws unfortunately affect software, both commercial and open source. I believe that what sets Oracle apart from many other vendors is the company’s commitment to security. Oracle Software Security Assurance (http://www.oracle.com/security/software-security-assurance.html) includes the most transparent vulnerability remediation policy in the industry. Furthermore, the Critical Patch Update (CPU) process (http://www.oracle.com/technology/deploy/security/alerts.htm) provides a predictable mechanism for the remediation of security vulnerabilities in Oracle software. By comparison, open source involves unpredictable releases of security fixes.
    Now, getting back to the discussion in this thread: as much as we try to prevent vulnerabilities during development, as is the case with all large software products, some make their way into released code. As vulnerabilities are discovered, Oracle fixes them in order of severity and releases fixes for them through the Critical Patch Update.
    An attacker could attempt to exploit the unpatched vulnerabilities through OCI or other protocols providing access to the database (this is not specific to OCI). Oracle’s recommendation is therefore to remain current on the Critical Patch Update (the last one was issued on July 17, 2007). Keep in mind that the CPU is cumulative for the database, and applying the most recent CPU will bring you to the current security patch level, and this will significantly contribute to improving your organization’s security posture.
    Do not hesitate to contact me if you have questions at [email protected]
    Sincerely
    Eric Maurice
    Manager – Oracle Software Security Assurance

  • OSX Security Vulnerabilities - 20 found according to article

    Via Gizmodo, here is an article about a guy finding 20 zero-day security holes in OSX. Zero-day threats refer to security vulnerabilities which do not yet have a fix. At present, Macs are highly resistant but not immune to viruses, but this article does raise a few red flags. Thoughts?
    Article: http://www.h-online.com/security/news/item/Mac-OS-X-safer-but-less-secure-Update-957981.html

    Usually these "security bulletin" type postings are completely bogus. The guy is trying to make a living finding exploits. So, he finds 20 in Mac OS X, and then goes to the media so he can make a name for himself. Most people will say "Wow, 20 exploits! That is a lot, maybe we should be worried. Maybe OS X is not as secure as we think it is."
    But, what is totally missing here that is completely necessary to make a conclusion like that is any semblance of detail. The comments on Giz nailed it already. Are these "exploits" in the core OS, or are they in Flash? Etc. Most importantly, are these "holes" able to be exploited remotely? If I had to guess I would have to say most are not remotely exploitable. So, if this is true, are they really something to worry about? Absolutely not.
    So, the guy holds back the details so that he can get some interest from some company that makes security software. Pay him a nice royalty to provide that information. Or maybe, he's fishing for Apple to hire him so that they can patch those holes. Either way, I'm not sure I can take him seriously.
    And honestly:
    Macs are highly resistant but not immune to viruses
    This statement is false and reads like a journalist trying to cover their bases when they really don't know what they're talking about. OS X is currently immune from viruses by the definition of the word. Of course, there are a couple "trojans" around, but those require you to type in your admin password and install yourself. So, they aren't really a threat at all, at least compared to what we see on Windows.
    --Travis

  • Are Security Vulnerabilities fixed by applying Oracle Server Patchsets

    Hi,
    I would like to know whether, by applying Oracle Server Patchsets or by upgrading the Oracle Server from one version to another, we overcome the security vulnerabilities highlighted in the previous patchset or Oracle Server version.
    For example, if I have an Oracle Server 9.2.0.1 and I apply server patchset 9.2.0.8, do I overcome all the security vulnerabilities highlighted for version 9.2.0.1 and all other intervening versions? Similarly, if I upgrade my Oracle Server 9.2.0.6 to, say, Oracle Server 10g 10.2.0.3, do I overcome all security vulnerabilities highlighted for 9.2.0.6 and all other intervening releases?
    Best Regards
    Syed Zaib ul Qamar

    Is there a link, or where can I go to find the types of and/or categories for the security vulnerabilities associated with (past and present) versions of Oracle? I work with a very large team of developers, and some are DBAs that perform mainly custom coding in C++ and a little in Ada. I would like to ensure that our team is continually aware of both past and current Oracle vulnerabilities when developing applications/scripts (designing, coding, reviewing, building, etc.), testing (including security), quality assurance, packaging, etc.
    Perhaps this is a lot to ask, but this is at least a good place to start.

  • Oracle XDK Java removing security vulnerabilities

    Hi All,
    I am looking to remove security vulnerabilities that may be associated with XML parsers.
    I am looking for which version of Oracle XDK Java has removed the security vulnerabilities associated with XML parsing.
    Also, what is the latest version of Oracle XDK Java on the market?
    Also, are new versions backward compatible? Do we need to check whether any API-level changes occurred?
    Currently we are using Oracle XDK Java 10.2.0.2.
    A description of the security vulnerabilities that may be associated with XML parsers:
    "The vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The effects of the vulnerabilities include denial of service and potentially code execution. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content."
    Regards
    Atul Parti

    Which JVM is the security tool complaining about (what is the directory path, for example)?
    My guess is that the tool is complaining about the older JVM that Oracle installs in order to run the Oracle Universal Installer and the other Java-based installation tools.  If that's the case, those JVMs do not generally represent a security issue because they are not running anything on a day-to-day basis.  They're only used by things like the OUI which only get invoked when someone wants to do something like install new software.  Ideally, you'd be able to have the conversation with the security folks and explain that those older JVMs exist only for the limited purpose of running the OUI and the other configuration tools. 
    If the security folks want you to upgrade the Java version (as opposed to just installing patches to the older JVMs), that has a decent probability of breaking the various installation and configuration tools.  That may not have much impact on a day-to-day basis but may make administration tasks in the future more challenging. 
    Justin

  • IPhone security vulnerabilities ????

    This was sent out to all employees at my local gov offices... anyone know what she is talking about?
    I know iPhones are the latest cool gadget. However, there are security vulnerabilities associated with having them on our network in order to get your e-mail from the Exchange server. We are researching and trying to stay current on the issues and solutions. I do recommend that before you purchase an iPhone with expectations of using County network resources like e-mail, please contact us.
    <Edited by Moderator>

    Security is a 'cool' word to say, we're not sure how we're going to support this, or we don't want you to use it. Essentially this is a cool myth to make people afraid. (think of airport security and the 'orange' alerts we're conditioned to be fearful of)
    If you can get your work email at home via POP, IMAP and/or web access, the iPhone poses no more or less security threat than your home PC or laptop do.
    The only 'security issue' I can really see is that an iPhone is much easier to lose or have stolen, in which case, since there is no password needed to access the emails stored on the phone, someone 'could' view confidential emails stored on the phone, as well as send new emails, until a password is changed on the corporate side.

  • One or more ActiveX controls could not be displayed because either:1 your current security settings prohibit running ActiveX controls on this page, or 2. You have blocked a publisher of one of the controls.

    Hi All,
    I have a requirement for an application: we upload a release note to a file server, and that is used in an application link to view the note. For this note I have converted the Excel file into .HTM format (web page). This was working fine, but for the last two days, all of a sudden, we are receiving the error above:
    one or more ActiveX controls could not be displayed because either:1 your current security settings prohibit running ActiveX controls on this page, or 2. You have blocked a publisher of one of the controls.
    Could anyone please help me with this?
    Thanks and Regards,
    krishnamurthy

    Hi,
    Actually Arnavsharma provided an operable method for you. But no luck, it's not invalid.
    Here I also offer you a method you can try. Please delete the extra (parasite) zone from the Zones subkey:
    Click Start, click Run, type regedit, and then click OK.
    Expand the following registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
    Delete the extra (parasite) zone from the Zones subkey.
    Note: The parasite zone is a pseudo-graphic number listed before zone number 0. The pseudo-graphic number looks like a miniature upper case "L".
    Close the registry editor.
    Thanks!

  • The server principal "XYuser" is not able to access the database "Ydb" under the current security context

    SQL2005 on winserver 2003. I have a view in Xdb that accesses tables in 2 different databases (Xdb and Ydb) on the same server. I have mixed mode security. I have a SQL user (XYuser) that has read access to all tables and views on both databases, yet when I try to access the view using a C# windows application I get the following error:
    The server principal "XYuser" is not able to access the database "Ydb" under the current security context
    This same scenario works under SQL 2000. I looked through the postings and tried to set TRUSTWORTHY ON on both databases but that didn't help. I can access any other views or tables on the SQL 2005 server, just not the one that joins the tables cross databases. Any help is much appreciated... john

    This appears to be a Login/Database Mapping issue.  I was having this problem, but was able to resolve it as follows:
    Using the SQL Server management Studio:
    In the Object explorer, under the SERVER security folder (not the database security folder), expand Logins. 
    That is: ServerName -> Security -> Logins
    NOT: ServerName -> Databases -> DatabaseName -> Security -> Users
    Select the Login that is having the troubles.  Right click on the Login and select ‘Properties.’
    The ‘User Mapping’ page should list all databases on the server with a check mark on the databases that the Login has been mapped to.  When I was getting the error, the database in question was not checked (even though the Login was assigned as a User on the database itself).  Map the Login by checking the box next to the database name.  Set the default schema.  Then select the roles for the Login in the Database role membership list box.  I selected db_datareader and public.  After clicking OK to save the changes, the problem was resolved.
    In order to ‘Map’ the Login, the Login must not already be as User on the database, so you may have to go to the database security (ServerName -> Databases -> DatabaseName -> Security -> Users) and delete the Login from the list of database Users before mapping the Login to the database.

  • Java 1.4.2 Security Vulnerabilities

    Hello,
    I'm looking for a link that lists the security vulnerabilities of Java 1.4.2 and I am having trouble finding a comprehensive list. Our security officer doesn't want us using 1.4.2 because of security vulnerabilities and I want to confirm what they are. But, I have not seen any report of what these issues are. This relates specifically to our Java version in relation to our Discoverer Plus use. Does anyone have a link of known Java 1.4 security issues?
    Thanks!

    Check this
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1

  • Current Security Context Not Trusted When Using Linked Server From ABAP

    Hello,
    I am experiencing a head-scratcher of a problem when trying to use a Linked Server connection to query a remote SQL Server database from our R/3 system.  We have had this working just fine for some time, but after migrating to new hardware and upgrading OS, DBMS, and R/3, now we are running into problems.
    The target database is a named instance on SQL Server 2000 SP3, Windows 2000 Server.  The original source R/3 system was 4.7x2.00, also on SQL Server 2000 (SP4), Windows 2000 Server.  I had been using a Linked Server defined via SQL Enterprise Manager (actually defined when the source was on SQL Server 7), which called an alias defined with the Client Network Utility that pointed to the remote named instance.  This alias and Linked Server worked great for several years.
    Now we have migrated our R/3 system onto new hardware, running Windows Server 2003 SP1 and SQL Server 2005 SP1.  The application itself has been upgraded to ECC 6.0.  I performed the migration with a homogeneous system copy, and everything has worked just fine.  I redefined the Linked Server on the new SQL 2005 installation, this time avoiding the alias and referencing the remote named instance directly, and it tests out just fine using queries from SQL Management Studio.  It also tests fine with OSQL called from the R/3 server console, both when logged on as SAPServiceSID with a trusted connection, and with a SQL login as the schema owner (i.e., 'sid' in lowercase).  From outside of R/3, I cannot make it fail.  It works perfectly.
    That all changes when I try to use the Linked Server within an ABAP application, however.  The basic code in use is
    EXEC SQL.
       SET XACT_ABORT ON
       DELETE FROM [SERVER\INSTANCE].DATABASE.dbo.TABLE
    ENDEXEC.
    The only thing different about this code from that before the upgrade/migration is the reference to [SERVER\INSTANCE] which previously used the alias of just SERVER.
    The program short dumps with runtime error DBIF_DSQL2_SQL_ERROR, exception CX_SY_NATIVE_SQL_ERROR.  The database error code is 15274, and the error text is "Access to the remote server is denied because the current security context is not trusted."
    I have set the "trustworthy" property on the R/3 database, I have ensured SAPServiceSID is a member of the sysadmin SQL role, I've even made it a member of the local Administrators group on both source and target servers, and I've done the same with the SQL Server service account (it uses a domain account).  I have configured the Distributed Transaction Coordinator on the source (Win2003) system per Microsoft KB 839279 (this fixed problems with remote queries coming the other way from the SQL2000 system), and I've upgraded the system stored procedures on the target (SQL2000) system according to MS KB 906954.  I also tried making the schema user a member of the sysadmin role, but naturally that was disastrous, resulting in an instant R/3 crash (don't try this in production!), so I set it back the way it was (default).
    What's really strange is no matter how I try this from outside the R/3 system, it works perfectly, but from within R/3 it does not.  A search of SAP Notes, SDN forums, SAPFANS, Microsoft's KnowledgeBase, and MSDN Forums has not yielded quite the same problem (although that did lead me to learning about the "trustworthy" database property).
    Any insight someone could offer on this thorny problem would be most appreciated.
    Best regards,
    Matt

    Good news! We have got it to work. However, we did it in something of a backwards way, and I'm sure you'll laugh when you see how it was done. Also, the solution depends upon the fact that the remote server is still using SQL Server 2000, and so doesn't have quite so many restrictions placed upon it for distributed transactions and Linked Servers as SQL Server 2005 now does.
    At the heart of the solution is the fact that the Linked Server coming FROM the remote server TO our SAP system works fine. Finally, coupled with the knowledge that using DBCON on the SAP side to the remote server also does actually provide a connection (see Notes 323151 and 738371), we set up a roundabout way of achieving our goal. In essence, from ABAP, we set up the DBCON connection to the remote server, at which point all the Native SQL commands execute in the context of the remote server. From within that connection, we reference the tables in SAP via the Linked Server defined on the remote server, as if SAP were the remote server, selecting data from SAP and inserting it into the remote (but apparently local to this connection) tables.
    So, to spell it out, we define a Linked Server on the remote server pointing back to the SAP server as SAPSERV, with a SQL login mapping defined on the remote system pointing back to a SQL login in the SAP database. We also define a connection to the remote server from SAP using DBCON, using that remote SQL login for authentication.
    Then, in our ABAP code, we simply do something along the lines of
    exec sql.
       set connection 'REMOTE'
    endexec.
    exec sql.
       connect to 'REMOTE'
    endexec.
    exec sql.
       insert into REMOTE_TABLE
          select * from SAPSERV.SID.sid.SAP_TABLE
    endexec.
    exec sql.
       commit
    endexec.
    exec sql.
       disconnect 'REMOTE'
    endexec.
    This is, of course, a test program, but it demonstrated that it worked, and we were able to see that entries were appropriately deleted and inserted in the remote server's table. The actual program for use is a little more complex, in that there are about four different operations at different times, and we had to resolve the fact that the temp table SAP_TABLE was being held in a lock by our program, resulting in a deadly embrace, but our developer was able to work that out, and all is now well.
    I don't know if this solution will have applicability to any other customers, but it works for us, for now.
    SAPSERV, REMOTE, REMOTE_TABLE, and SAP_TABLE are, of course, placeholder names, not the actual server or table names, so as not to confuse anyone.
    Best regards,
    Matt

  • Your current security settings do not allow this file....

    Trying to download the latest version of iTunes and get the message "Your current security settings do not allow this file to be downloaded." I have made no changes at all previous to attempting to download this update and have never had a download problem previous to this. I turned off my antivirus and set my browser security to its lowest security level; still get the same message.

    Uh...that would be a tad difficult. I'm not supposed to have it. No one is...yet. I keep in touch with a friend I worked with as a PC tech about 10 years ago at a Best Buy (while in college.) He does Beta testing, sends me odds and ends (that typically wreck my system) and this one halfway works (actually less than half the features.) But, I've escaped bad software in the past using it. Sometimes, however, it prevents good software from loading as well. That's why I have asked if anyone else reported this kind of thing.
    The name, if you can find it, is 'Illegal Opcodes Anti-Trash.' Illegal Opcode is a screen name, by the way. And, it was written using Visual Basic. That's about all I can give you; that's pretty much all I know.
    If anyone else can verify something similar to this, let me know. I could uninstall it (Anti-Trash) and try again, but I just read other people's problems and I'm a little leery to say the least. My current version of iTunes still works fine, so why risk it.
    Thanks for the feedback,
    Bradley

  • Why does this message appear: "Your current security settings don't allow this file to be downloaded"

    No one helped me in this post. Why doesn't Adobe have an answer to my question?
    Please, I need your help.
    "Dear Helpers,
    We used to use Adobe Reader 6 in our foundation to view PDF files on the internet, and since we upgraded to the new version of Adobe (to Adobe 7 and X) the browser (IE 8) can't open any PDF file and always returns this message: "Your current security settings do not allow this file to be downloaded".
    We have a group policy that doesn't allow the users to download files from the internet, but when we were using Adobe Reader 6, this message did not occur while opening PDF files online, and everything was fine."
    Please help me in this issue
    Thanks in advance
    Kind regards

    Hi eleanora27327971,
    I don't think there's a problem with the PDF file that you converted--that sounds more like a browser setting. What browser are you using? Are you able to download files from other websites? Or, are you able to log in to https://cloud.acrobat.com using a different web browser, and download from that browser? (See System requirements | Acrobat.com for a list of supported web browsers.)
    Tell me a bit more about your setup (what operating system, browser and version), and I should be able to point you in the right direction.
    Best,
    Sara

  • Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

    I am using a custom binding in the BTS Adapter with the following elements (similar to TransportWithMessageCredential with both the client and the server certs)
     encoding (soap11)
     https transport
    Security : CertificateOverTransport
    Problem: the request is sent successfully, but when I receive the response in BizTalk I get the following error:
    System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party.
    After turning on tracing, the WCF trace shows the following error: "Tokens of that type cannot be accepted according to current security settings. "
    Solutions tried
    1) Changed the security to MutualCertificate; this time the request also fails, with the following error message: The remote endpoint did not provide a domain name system (DNS) claim and therefore did not satisfied DNS identity 'xxxx.com'. This may be caused by lack of DNS or CN name in the remote endpoint X.509 certificate's distinguished name.
    Binding configuration
     <behaviors>
          <endpointBehaviors>
            <behavior name="EndpointBehavior">
              <clientCredentials>
                <clientCertificate findValue="XXXXXXXXXXXXXXX" x509FindType="FindByThumbprint" />
                <serviceCertificate>
                  <defaultCertificate findValue="XXXXXXXXXXXX" storeName="TrustedPeople" x509FindType="FindByThumbprint" />
                  <authentication certificateValidationMode="None" revocationMode="NoCheck" />
                </serviceCertificate>
              </clientCredentials>
            </behavior>
          </endpointBehaviors>
          <serviceBehaviors>
            <behavior name="ServiceBehavior" />
          </serviceBehaviors>
        </behaviors>
        <bindings>
          <customBinding>
            <clear />
            <binding name="XXXXXXXXX">
              <textMessageEncoding messageVersion="Soap11" />
              <security allowSerializedSigningTokenOnReply="true" authenticationMode="CertificateOverTransport" requireDerivedKeys="false" securityHeaderLayout="Lax" messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
    requireSecurityContextCancellation="false">
                <secureConversationBootstrap />
              </security>
              <httpsTransport />
            </binding>
          </customBinding>
        </bindings>
    Thanks -Madhu

    Please refer to the similar discussion:
    http://social.msdn.microsoft.com/Forums/en-US/6a3d38ee-30ca-43fb-b906-6e95808df69d/cannot-find-a-token-authenticator-for-the-systemidentitymodeltokensx509securitytoken-token?forum=wcf

  • OSX Security Vulnerabilities - 20 found according to this article

    Via Gizmodo, here is an article about a guy finding 20 zero-day security holes in OSX. Zero-day threats refer to security vulnerabilities which do not yet have a fix. At present, Macs are highly resistant but not immune to viruses, but this article does raise a few red flags. Thoughts?
    Article: http://www.h-online.com/security/news/item/Mac-OS-X-safer-but-less-secure-Update-957981.html

    I've reposted this message in the "Using Mac OS X 10.6 Snow Leopard" forum. I posted here out of habit. I could not see how to delete the message, so please refer to this thread instead:
    http://discussions.apple.com/thread.jspa?threadID=2371811&tstart=0

  • How to disable security warning "Your current security settings put your computer at risk"

    Hi,
    I wonder if I am able to disable the security warning bar at the bottom of the IE window.  I enabled the ActiveX controls and plug-ins in the IE Options settings, and this causes the security warning "Your current security settings put your computer at risk" to pop up whenever pages load.  Is there a way to turn off this warning?
    Thanks a lot for helping!

    That is not an option for Koreans...
    In Korea, most commercial, financial, or governmental operations need to be done on the Internet. In the early 2000s, IE could not support high security outside the US due to US laws (that was stupid, but happened), so Korean sites developed cryptography ActiveX controls to circumvent it. The Korean government made laws to force all sites to use those kinds of ActiveX controls at that time.
    A decade has passed, and now the stupid US law has been repealed. But the cryptography ActiveX industry has become so strong (probably bribing the high officers in the government) that all Korean sites are still using those kinds of ActiveX controls. And you know, they require Windows and IE. Recently some sites started to support other browsers, but still the majority requires IE and ActiveX.
    So, if you live in Korea, you have no choice but to use IE on Windows to get things done, and almost all sites pop up ActiveX installation dialogues constantly. If you do not change the security settings, when you approve the installation, the whole site refreshes. That is time-consuming and frustrating.
    To keep my mental health, I deal with all Korean sites in a virtual machine. To avoid the refresh problem, I have changed the security settings from "prompt" to "enable". The "Your security is at risk..." banner at the bottom of IE is surely annoying. I hope Microsoft lets us either remove that banner or remove the support of ActiveX controls altogether.
