  • KDump Helper

    We're proud to introduce a new Red Hat Access Labs app: KDump Helper. KDump is a reliable kernel crash-dumping mechanism that captures crash dumps for troubleshooting issues like kernel crashes, hangs, and reboots. Setting up KDump usually requires a series of steps and configurations. We developed the KDump Helper app to simplify the process and reduce the effort required to set KDump up on your machines. Input a minimum amount of information and this app will generate an all-in-one script for...
    Posted 2014-04-04T03:27:36+00:00 - 1
  • Welcome to the New Customer Portal Blogs!

    With this latest site release for the Red Hat Customer Portal, we're adding a new blog feature that we're very excited about. These blogs give us the ability to provide a unique channel of information and interaction to you, our customers. You'll have the opportunity to stay up to date on our various products and services, and we encourage you to share your ideas and suggestions with our various Red Hat contributors. The initial set of Customer Portal blogs covers areas such as security,...
    Posted 2014-04-03T22:10:28+00:00 - 2
  • Java Embedded Vulnerability Detector

    Introducing a New Access Labs App: Java Embedded Vulnerability Detector Upload your JAR (or class) files and this app will tell you if any of your files match one of the many publicly distributed files that the Red Hat Security team has identified as containing a known security flaw, or CVE. A CVE is an item in a list of known vulnerabilities in all software. It provides a common way for people from different organizations to identify a particular known vulnerability. Often when building your...
    Posted 2014-04-01T17:48:12+00:00 - 3
  • The Right Performance Tool for the Task

    As an engineer who works on performance tools at Red Hat, I often get seemingly simple questions along the lines of, "How do I get performance tool X to collect Y data?" Unfortunately, many times the answer is that "tool X does not measure Y." This leads to a discussion about the performance problem being investigated. With additional background information, it becomes much easier to suggest more promising tools and techniques to get the desired measurements. Given the number of performance...
    Posted 2014-03-31T18:04:57+00:00 - 0
  • Determining Whether an Application Has Poor Cache Performance

    Modern computer systems include cache memory to hide the higher latency and lower bandwidth of RAM memory from the processor. The cache has access latencies ranging from a few processor cycles to 10 or 20 cycles, rather than the hundreds of cycles needed to access RAM. If the processor must frequently obtain data from the RAM rather than the cache, performance will suffer. With Red Hat Enterprise Linux 6 and later distributions, the system use of cache can be measured with the perf utility...
    Posted 2014-03-26T20:39:35+00:00 - 0
  • Examining Huge Pages or Transparent Huge Pages Performance

    All modern processors use page-based mechanisms to translate user-space processes' virtual addresses into physical addresses for RAM. The pages are commonly 4KB in size, and the processor can hold a limited number of virtual-to-physical address mappings in the Translation Lookaside Buffers (TLB). The number of TLB entries ranges from tens to hundreds of mappings. This limits a processor to a few megabytes of memory it can address without changing the TLB entries. When a virtual-to-physical...
    Posted 2014-03-26T20:35:16+00:00 - 0
  • Enhance application security with FORTIFY_SOURCE

    The FORTIFY_SOURCE macro provides lightweight support for detecting buffer overflows in various functions that perform operations on memory and strings. Not all types of buffer overflows can be detected with this macro, but it does provide an extra level of validation for some functions that are potentially a source of buffer overflow flaws. It protects both C and C++ code. FORTIFY_SOURCE works by computing the number of bytes that are going to be copied from a source to the destination. In...
    Posted 2014-03-26T13:30:10+00:00 - 0
  • Introducing Red Hat Access Labs!

    We are thrilled to announce Red Hat Access Labs! Red Hat Access Labs is a new way for Red Hat engineers to deliver tools to help improve performance, quickly troubleshoot issues, identify security problems, or assist with any other issue we see our customers experiencing in their IT environments. Go to the Access Labs landing page to check out the five applications we've launched so far. Here's the inaugural group: SCSI Decoder: Quickly detect, decode, and resolve SCSI error messages...
    Posted 2014-03-19T13:32:12+00:00 - 3
  • The trouble with snprintf

    At least historically, misuse of functions like strcpy, strcat, and sprintf was a common source of buffer overflow vulnerabilities. Therefore, in 1997, the Single UNIX Specification, Version 2, included a new interface for string construction that provided an explicit length of the output string: snprintf. This function can be used for string construction with explicit length checking. Originally, it could be used in the following way: /* buff is a pointer to a buffer of blen characters...
    Posted 2014-03-12T13:30:40+00:00 - 0
  • Security audits through reimplementation

    For many networking protocols and file formats, multiple implementations exist which interoperate with each other. Developing an implementation for a protocol or format diverges from previous implementations in subtle ways, at least initially. Such differences can uncover previously unnoticed corner cases which are not handled properly, and sometimes reveal security vulnerabilities. For example, in the mid-90s, it was discovered that Samba's SMB client, smbclient, did not restrict user name length in the same way...
    Posted 2014-02-26T14:30:23+00:00 - 0
  • Embedded Vulnerability Detection command line tool

    The Victims project is a Red Hat initiative that aims to detect known vulnerable dependencies in Java projects and deployments. Our initial focus was Java projects that were built using Maven. The victims-enforcer plug-in for Maven provides developers with immediate feedback if any of their project dependencies contain known vulnerabilities. However, until recently we did not have a good solution for scanning deployments or tools that work outside of a typical build and release cycle. The alpha...
    Posted 2014-02-05T14:30:45+00:00 - 0
  • Java deserialization flaws: Part 2, XML deserialization

    All classes which implement the java.io.Serializable interface can be serialized and deserialized, with Java handling the plumbing automatically. In the first part of this two-part series, we looked at some of the unexpected security consequences which can arise from usage of binary deserialization in Java applications. This second part of the series will focus on security issues related to XML deserialization. XML Deserialization An alternative approach to Java's native binary serialization is...
    Posted 2014-01-23T14:30:05+00:00 - 0
  • CWE Vulnerability Assessment Report 2013

    Common Weakness Enumeration (CWE) is a list or dictionary of common software weaknesses. Red Hat has adopted CWE as a common language for describing and classifying vulnerabilities, used as a base for evaluation and prevention of weaknesses. Results of classifications are reviewed periodically and are used to direct our efforts in strengthening security of development practices, tools, assessment services, education programs and documentation. As a part of this effort Red Hat Customer Portal...
    Posted 2014-01-15T14:30:10+00:00 - 0
  • Securing Openstack's Dashboard using Django-Secure

    When it comes to security it is an unfortunate reality that technologies are rarely straightforward to use or easy to deploy. So it is quite refreshing to find something that breaks that mould. There is a fantastic project called django-secure which I believe does just this. The idea is to provide a way to enforce secure defaults for django projects. It achieves this in two key ways. The first being a deployment check that you can run as a part of typical django-admin manage.py workflow, the...
    Posted 2014-01-08T14:30:48+00:00 - 0
  • TLSv1.1 and TLSv1.2 now available in RHEL

    Background In the mid-1990s Secure Sockets Layer (SSL) was introduced for securing network communications.  The released version, version 2, contained several security holes and was quickly updated to version 3.  Transport Layer Security (TLS) became the next generation of PKI-based network encryption and was released in January of 1999. Since the release of TLSv1, many changes have happened to both the development of TLS and the known attacks against the cryptographic protocol.  TLSv1.1 and...
    Posted 2013-12-11T13:30:32+00:00 - 0
  • November: What have we been doing for you?

    The Red Hat Product Security Team is constantly working behind the scenes to protect our customers.  Here are just a few things that we’ve been working on in November: victi.ms project - We're now using victi.ms data to help check our JAR files for embedded vulnerabilities.  This helps identify vulnerabilities and keeps them out of Red Hat products. Security Feature Matrix – We reported on the Security Feature Matrix last month and we continue to do research and make changes in our products...
    Posted 2013-12-04T14:30:00+00:00 - 0
  • Enterprise Linux 6.4 to 6.5 risk report

    Red Hat Enterprise Linux 6.5 was released last week (November 2013), nine months since the release of 6.4 in February 2013. In this report we take a look back over the vulnerabilities and security updates since that last update, specifically for Red Hat Enterprise Linux 6 Server. Red Hat Enterprise Linux 6 is in its fourth year since release, and will receive security updates until November 30th 2020. Errata count The chart below illustrates the total number of security updates issued for Red...
    Posted 2013-11-27T13:00:55+00:00 - 0
  • Java Deserialization Flaws: Part 1, Binary Deserialization

    Serialization is a feature of programming languages that allows the state of in-memory objects to be represented in a standard format, which can be written to disk or transmitted across a network. Java includes powerful serialization capabilities as a core feature of the language. All classes which implement the java.io.Serializable interface can be serialized and deserialized, with Java handling the plumbing automatically. Serialization is now widely used in Java applications as a mechanism...
    Posted 2013-11-20T14:30:20+00:00 - 0
  • Automated auditing the system using SCAP

    We live in an electronic age. Nowadays, more and more manifestations of human identity are available via electronic media. Besides advantages, this facility brings challenges to us as well. As computer systems are getting more capable and complex, it is ever more important to set and keep the underlying computer system secure against security threats. Securing a computer system is a complex and continuous process. Besides the requirement that the system be designed with security in...
    Posted 2013-11-13T14:30:19+00:00 - 0
  • October: What have we been doing for you?

    The Red Hat Product Security Team is constantly working behind the scenes to protect our customers.  Here are just a few things that we've been working on in October: Auditing packages - One of the big tasks our team members work on is reviewing software packages to make sure they meet our high standards. Prelink is dead - We worked closely with the Fedora community to have prelink removed from the distribution (by default).  Prelink disables address space layout randomization (ASLR) which...
    Posted 2013-11-06T14:30:37+00:00 - 0
  • Debugging stack protector failures

    Co-contributors: Dhiru Kholia and Florian Weimer GCC upstream and Fedora 19 recently improved the stack smashing protector. Each time we add more security instrumentation, we also uncover some previously hidden bugs. This post shows how to debug stack protector failures. Our example debugging session is based on a GNOME bug report for Evolution. Vadim Rutkovsky reported that Evolution 3.9.4 in Fedora rawhide crashed during the initial setup when built with -fstack-protector-strong flag. The...
    Posted 2013-10-23T13:30:01+00:00 - 1
  • Symmetric Encryption

    So far we have looked at what cryptography is and have taken a brief look at the history of cryptography; it's time for us to take a dive into how cryptography works. Cryptography often involves two important and complementary processes called encryption and decryption. The process of encryption and decryption involves a secret key which is known only to the sender and the receiver of the message. Needless to say, the secrecy of the message depends on the secrecy of the key. This is analogous...
    Posted 2013-10-16T13:30:23+00:00 - 0
  • Enterprise Linux 5.9 to 5.10 risk report

    Red Hat Enterprise Linux 5.10 was released this month (October 2013), ten months since the release of 5.9 in January 2013. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 5 Server. Red Hat Enterprise Linux 5 is in its seventh year since release, and will receive security updates until March 31st 2017. Errata count The chart below illustrates the total number of security updates...
    Posted 2013-10-09T13:30:29+00:00 - 0
  • We are not who we are

    In authentication, we generally talk about three "factors" for determining identity. A "factor" is a broad category for establishing that you are who you claim to be. The three types of authentication factors are: Something you know (a password, a PIN, the answer to a "security question", etc.) Something you have (an ATM card, a smart card, a one-time-password token, etc.) Something you are (your fingerprint, retinal pattern, DNA) Historically, most people have used the first of these three...
    Posted 2013-10-02T13:30:01+00:00 - 0
  • Reproducible Builds for Fedora

    It should be possible to reproduce every build of every package in Fedora (strong, long-term goal).  It should be possible for the users to verify that the binary matches what the source intended to produce, in an independent fashion. This is the basic nature of open source, the source code is available, so what can we do with it? I want to be able to show that our binary was the result of our source code from our compiler and nobody added anything to the binary along the way. Can we show that...
    Posted 2013-09-18T13:30:32+00:00 - 0