November: What have we been doing for you?
The Red Hat Product Security Team is constantly working behind the scenes to protect our customers. Here are just a few things that we’ve been working on in November: victi.ms project - We're now using victi.ms data to help check our JAR files for embedded vulnerabilities. This helps identify vulnerabilities and keeps them out of Red Hat products. Security Feature Matrix – We reported on the Security Feature Matrix last month and we continue to do research and make changes in our products...
Enterprise Linux 6.4 to 6.5 risk report
Red Hat Enterprise Linux 6.5 was released last week (November 2013), nine months since the release of 6.4 in February 2013. In this report we take a look back over the vulnerabilities and security updates since that last update, specifically for Red Hat Enterprise Linux 6 Server. Red Hat Enterprise Linux 6 is in its fourth year since release, and will receive security updates until November 30th 2020. Errata count The chart below illustrates the total number of security updates issued for Red...
Java Deserialization Flaws: Part 1, Binary Deserialization
Serialization is a feature of programming languages that allows the state of in-memory objects to be represented in a standard format, which can be written to disk or transmitted across a network. Java includes powerful serialization capabilities as a core feature of the language. All classes which implement the java.io.Serializable interface can be serialized and deserialized, with Java handling the plumbing automatically. Serialization is now widely used in Java applications as a mechanism...
October: What have we been doing for you?
The Red Hat Product Security Team is constantly working behind the scenes to protect our customers. Here are just a few things that we've been working on in October: Auditing packages - One of the big tasks our team members work on is reviewing software packages to make sure they meet our high standards. Prelink is dead - We worked closely with the Fedora community to have prelink removed from the distribution (by default). Prelink disables address space layout randomization (ASLR) which...
Symmetric Encryption
So far we have looked at what cryptography is and have taken a brief look at the history of cryptography; it's time for us to take a dive into how cryptography works. Cryptography often involves two important and complementary processes called encryption and decryption. The process of encryption and decryption involves a secret key which is known only to the sender and the receiver of the message. Needless to say, the secrecy of the message depends on the secrecy of the key. This is analogous...
Enterprise Linux 5.9 to 5.10 risk report
Red Hat Enterprise Linux 5.10 was released this month (October 2013), ten months since the release of 5.9 in January 2013. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 5 Server. Red Hat Enterprise Linux 5 is in its seventh year since release, and will receive security updates until March 31st 2017. Errata count The chart below illustrates the total number of security updates...
We are not who we are
In authentication, we generally talk about three "factors" for determining identity. A "factor" is a broad category for establishing that you are who you claim to be. The three types of authentication factors are: Something you know (a password, a PIN, the answer to a "security question", etc.) Something you have (an ATM card, a smart card, a one-time-password token, etc.) Something you are (your fingerprint, retinal pattern, DNA) Historically, most people have used the first of these three...
Reproducible Builds for Fedora
It should be possible to reproduce every build of every package in Fedora (strong, long-term goal). It should be possible for the users to verify that the binary matches what the source intended to produce, in an independent fashion. This is the basic nature of open source, the source code is available, so what can we do with it? I want to be able to show that our binary was the result of our source code from our compiler and nobody added anything to the binary along the way. Can we show that...
Tweaking integer overflows
Integer overflows when calculating the memory size for data structures (such as to hold image data from an image file) are a common source of security vulnerabilities. Often, such integer overflows are initially reported as denial-of-service issues, as the result of an arbitrarily large memory allocation. But with some tweaking, they can be turned into the successful allocation of a memory area that is too small because the integer overflow results in the wrong computed allocation size....
Apache Tomcat and JBoss Web security flaws
Apache Tomcat and JBoss Web are two closely-related components that have a large amount of code in common. This article explains the difference between these components and examines how security flaws affect them. Apache Tomcat and JBoss Web Apache Tomcat is a popular open source implementation of the Java Servlet and JavaServer Pages specifications. It is commonly used as a container to host Java-based web applications. Tomcat is distributed as part of both Red Hat Enterprise Linux and Red Hat...
Reporting security flaws for OpenJDK 6
Oracle has announced that it no longer provides public updates to their proprietary Oracle Java SE 6, as of February 2013. These updates, which may include security patches, are now only available to users of Oracle Java SE 6 who have a commercial support agreement with Oracle. Users who have a need for support on Java SE 6 and are not willing to consider commercial support from Oracle have another choice. Red Hat recently assumed a leadership role for the OpenJDK 6 project. OpenJDK is an open...
CWE Coverage for Red Hat Customer Portal
This is part three of a three-part series on CWE usage within Red Hat. Part one discussed vulnerability assessment for secure software development while part two discussed the CWE compatibility for the Red Hat Customer Portal. This part will discuss the CWE coverage for the Red Hat Customer Portal. CWE has different views for different audiences and purposes. In the early stages of development, CWE only had one hierarchical representation, which originated the current Development Concepts View...
CWE Compatibility for Red Hat Customer Portal
This is part two of a three-part series on CWE usage within Red Hat. Part one, Outside-in Vulnerability Assessment for Secure Software Development, discussed the role of CWE in our own outside-in methodology. This part will discuss the Red Hat engagement for CWE compatibility and how CWE identifiers are assigned to Red Hat vulnerabilities. We have engaged in the CWE Compatibility and Effectiveness Program and worked towards fulfilling its requirements for using CWE in our own outside-in...
Outside-in Vulnerability Assessment for Secure Software Development
Outside-in vulnerability assessment for secure software development is a process for identifying and eliminating some of the most dangerous and potentially exploitable weaknesses in your existing products and projects. Some well-known secure software development methodologies have their security practices grouped into phases, from training to response. However, you may have your main product already within the response phase, whereas its development was not done practicing secure software...
Battling open resolvers
A recent blog by ISC discussed Is Your Open DNS Resolver Part of a Criminal Conspiracy? The problem is that open recursive DNS servers can be used by attackers to attack victims as part of distributed denial of service (DDoS) attacks. This type of attack is generally known as a DNS amplification attack. Due to the nature of the DNS protocol, a very small request can be sent as a UDP packet, and since UDP is not a stateful protocol, the sender information can be faked. The open DNS resolver will...
Anatomy of a Red Hat Security Advisory
Red Hat Security Advisories (RHSA) document the security flaws being fixed in Red Hat products. They include: The affected products the advisory applies to. The security rating of the update (low, moderate, important, critical). A brief description of the flaws being fixed. How an attacker could exploit the issues, such as whether they need privileges or not. Any manual action that may be required, such as restarting applications that use an affected library, or configuration file changes. In...
Enterprise Linux 6.3 to 6.4 risk report
Red Hat Enterprise Linux 6.4 was released last week, eight months since the release of 6.3 in June 2012. In this report we take a look back over the vulnerabilities and security updates since that last update, specifically for Red Hat Enterprise Linux 6 Server. Errata count The chart below illustrates the total number of security updates issued for Red Hat Enterprise Linux 6 Server if you had installed 6.3, up to and including the 6.4 release, broken down by severity. It's split into two...
Red Hat Secure Development Videos
Red Hat products are used by many organizations in some of the most secure computing environments in the world. We have relationships and collaborations with many U.S. Government agencies, stock exchanges, banks, and health care companies. As a result, the topic of secure coding is discussed both internally and with our partners and customers on a regular basis in an effort to create the needed resources to make secure coding an everyday practice. To make secure coding work we understand that...
How Red Hat uses CVSSv2 Scoring to assist in rating flaws
Red Hat rates all security flaws using a four-point scale: critical, important, moderate, and low. A number of factors contribute to this rating: How easily can a flaw be exploited? What kind of damage can be done if exploited? Are there typically other factors involved that lower the impact of the flaw (such as firewalls, Security-Enhanced Linux, compiler directives, and so forth)? CVSSv2 (Common Vulnerability Scoring System version 2.0) can also help to determine the rating. Out of all of...
A minimal security response process
This blog post outlines a lightweight security response process for community upstream projects: What you (as a project maintainer or contributor) can do to be prepared for incoming reports of security vulnerabilities, and to eventually respond with a security update. This is purely reactive - it is not about not shipping vulnerable code in the first place. But it is an important step in the right direction, and one that requires relatively little effort. Release engineering Without a minimal...
Detecting vulnerable Java dependencies at build time
Background Java is a very popular programming language. Two key reasons for its popularity are security and the availability of a huge ecosystem of libraries and components. Since most Java applications make use of a wide range of libraries, which in turn have dependencies on other libraries, it is difficult to ensure the integrity of these applications from a security perspective. A recent study by Aspect Security has revealed the significance of this problem. This study found that 26% of...
How Red Hat ships JBoss security updates
JBoss security updates When security flaws are discovered in JBoss products, the Red Hat Security Response Team works to resolve them on a prioritized basis. Flaws are rated according to a four-point scale: low, moderate, important, and critical. For details on the process of rating flaws, refer to How Red Hat rates JBoss security flaws. Flaws of low impact are typically deferred, to be resolved in the next minor release of the affected products. Flaws of moderate or higher impact are typically...
Red Hat is now CWE Compatible
Red Hat is pleased to announce it has attained Common Weakness Enumeration (CWE) compatibility. The CWE Compatibility and Effectiveness Program is a formal review and evaluation process for declaring products and services as CWE-Compatible and CWE-Effective. For the last few months, Red Hat was engaged in the CWE Compatibility and Effectiveness Program and worked towards fulfilling its requirements. These requirements included providing a common language for discussing, identifying, and dealing...
Array allocation in C++
This technical article covers a subtlety in C++ array allocation and how we changed the GNU C++ compiler to deal with it properly. When a programmer writes T *p = new T[3]; the C++ compiler allocates room for at least three copies of objects of type T on the heap. These objects require 3 * sizeof(T) bytes. For this example, assume sizeof(T) is 12, then it is straightforward to allocate 36 bytes (for example, using malloc). But what happens if the array length is 3937053355 (or...
What defines a security issue?
When dealing with developers, this question comes up fairly often: Is this bug a security issue? It is not always obvious if a bug is a security flaw or not. The reality is that the line is quite gray when it comes to deciding if something is a security flaw or not. It depends on a lot of factors, many of which are complicated and confusing. Consider the following example: CVE-2012-1182 describes a problem in Samba where a remote attacker could run arbitrary code as root. This is a fancy way of...