• Welcome to the New Customer Portal Blogs!

    With this latest site release for the Red Hat Customer Portal, we're adding a new blog feature that we're very excited about. These blogs give us the ability to provide a unique channel of information and interaction to you, our customers. You'll have the opportunity to stay up to date on our various products and services, and we encourage you to share your ideas and suggestions with our various Red Hat contributors. The initial set of Customer Portal blogs covers areas such as security,...
    Posted 2014-04-03T22:10:28+00:00 - 2
  • Java Embedded Vulnerability Detector

    Introducing a New Access Labs App: Java Embedded Vulnerability Detector. Upload your JAR (or class) files and this app will tell you if any of your files match one of the many publicly distributed files that the Red Hat Security team has identified as containing a known security flaw, or CVE. A CVE is an item in a list of known vulnerabilities in all software. It provides a common way for people from different organizations to identify a particular known vulnerability. Often when building your...
    Posted 2014-04-01T17:48:12+00:00 - 3
  • The Right Performance Tool for the Task

    As an engineer who works on performance tools at Red Hat, I often get seemingly simple questions along the lines of, "How do I get performance tool X to collect Y data?" Unfortunately, many times the answer is that "tool X does not measure Y." This leads to a discussion about the performance problem being investigated. With additional background information, it becomes much easier to suggest more promising tools and techniques to get the desired measurements. Given the number of performance...
    Posted 2014-03-31T18:04:57+00:00 - 0
  • Determining Whether an Application Has Poor Cache Performance

    Modern computer systems include cache memory to hide the higher latency and lower bandwidth of RAM memory from the processor. The cache has access latencies ranging from a few processor cycles to 10 or 20 cycles, rather than the hundreds of cycles needed to access RAM. If the processor must frequently obtain data from the RAM rather than the cache, performance will suffer. With Red Hat Enterprise Linux 6 and later distributions, the system use of cache can be measured with the perf utility...
    Posted 2014-03-26T20:39:35+00:00 - 0
  • Examining Huge Pages or Transparent Huge Pages Performance

    All modern processors use page-based mechanisms to translate user-space processes' virtual addresses into physical addresses for RAM. The pages are commonly 4KB in size, and the processor can hold a limited number of virtual-to-physical address mappings in the Translation Lookaside Buffers (TLB). The number of TLB entries ranges from tens to hundreds of mappings. This limits a processor to a few megabytes of memory it can address without changing the TLB entries. When a virtual-to-physical...
    Posted 2014-03-26T20:35:16+00:00 - 0
  • Introducing Red Hat Access Labs!

    We are thrilled to announce Red Hat Access Labs! Red Hat Access Labs is a new way for Red Hat engineers to deliver tools to help improve performance, quickly troubleshoot issues, identify security problems, or assist with any other issue we see our customers experiencing in their IT environments. Go to the Access Labs landing page to check out the five applications we've launched so far. Here's the inaugural group: SCSI Decoder: Quickly detect, decode, and resolve SCSI error messages...
    Posted 2014-03-19T13:32:12+00:00 - 3
  • Security audits through reimplementation

    For many networking protocols and file formats, multiple implementations exist which interoperate with each other. A new implementation of a protocol or format diverges from previous implementations in subtle ways, at least initially. Such differences can uncover previously unnoticed corner cases which are not handled properly, and sometimes reveal security vulnerabilities. For example, in the mid-90s, it was discovered that Samba's SMB client, smbclient, did not restrict user name length in the same way...
    Posted 2014-02-26T14:30:23+00:00 - 0
  • CWE Vulnerability Assessment Report 2013

    Common Weakness Enumeration (CWE) is a list or dictionary of common software weaknesses. Red Hat has adopted CWE as a common language for describing and classifying vulnerabilities, used as a base for evaluation and prevention of weaknesses. Results of classifications are reviewed periodically and are used to direct our efforts in strengthening security of development practices, tools, assessment services, education programs and documentation. As a part of this effort Red Hat Customer Portal...
    Posted 2014-01-15T14:30:10+00:00 - 0
  • Securing Openstack's Dashboard using Django-Secure

    When it comes to security it is an unfortunate reality that technologies are rarely straightforward to use or easy to deploy. So it is quite refreshing to find something that breaks that mould. There is a fantastic project called django-secure which I believe does just this. The idea is to provide a way to enforce secure defaults for django projects. It achieves this in two key ways. The first being a deployment check that you can run as a part of typical django-admin manage.py workflow, the...
    Posted 2014-01-08T14:30:48+00:00 - 0
  • November: What have we been doing for you?

    The Red Hat Product Security Team is constantly working behind the scenes to protect our customers.  Here are just a few things that we’ve been working on in November: victi.ms project - We're now using victi.ms data to help check our JAR files for embedded vulnerabilities.  This helps identify vulnerabilities and keeps them out of Red Hat products. Security Feature Matrix – We reported on the Security Feature Matrix last month and we continue to do research and make changes in our products...
    Posted 2013-12-04T14:30:00+00:00 - 0
  • Enterprise Linux 6.4 to 6.5 risk report

    Red Hat Enterprise Linux 6.5 was released last week (November 2013), nine months since the release of 6.4 in February 2013. In this report we take a look back over the vulnerabilities and security updates since that last update, specifically for Red Hat Enterprise Linux 6 Server. Red Hat Enterprise Linux 6 is in its fourth year since release, and will receive security updates until November 30th 2020. Errata count The chart below illustrates the total number of security updates issued for Red...
    Posted 2013-11-27T13:00:55+00:00 - 0
  • Java Deserialization Flaws: Part 1, Binary Deserialization

    Serialization is a feature of programming languages that allows the state of in-memory objects to be represented in a standard format, which can be written to disk or transmitted across a network. Java includes powerful serialization capabilities as a core feature of the language. All classes which implement the java.io.Serializable interface can be serialized and deserialized, with Java handling the plumbing automatically. Serialization is now widely used in Java applications as a mechanism...
    Posted 2013-11-20T14:30:20+00:00 - 0
  • October: What have we been doing for you?

    The Red Hat Product Security Team is constantly working behind the scenes to protect our customers.  Here are just a few things that we've been working on in October: Auditing packages - One of the big tasks our team members work on is reviewing software packages to make sure they meet our high standards. Prelink is dead - We worked closely with the Fedora community to have prelink removed from the distribution (by default).  Prelink disables address space layout randomization (ASLR) which...
    Posted 2013-11-06T14:30:37+00:00 - 0
  • Symmetric Encryption

    So far we have looked at what cryptography is and have taken a brief look at the history of cryptography; it's time for us to take a dive into how cryptography works. Cryptography often involves two important and complementary processes called encryption and decryption. The process of encryption and decryption involves a secret key which is known only to the sender and the receiver of the message. Needless to say, the secrecy of the message depends on the secrecy of the key. This is analogous...
    Posted 2013-10-16T13:30:23+00:00 - 0
  • Enterprise Linux 5.9 to 5.10 risk report

    Red Hat Enterprise Linux 5.10 was released this month (October 2013), ten months since the release of 5.9 in January 2013. So let's use this opportunity to take a quick look back over the vulnerabilities and security updates made in that time, specifically for Red Hat Enterprise Linux 5 Server. Red Hat Enterprise Linux 5 is in its seventh year since release, and will receive security updates until March 31st 2017. Errata count The chart below illustrates the total number of security updates...
    Posted 2013-10-09T13:30:29+00:00 - 0
  • We are not who we are

    In authentication, we generally talk about three "factors" for determining identity. A "factor" is a broad category for establishing that you are who you claim to be. The three types of authentication factors are: Something you know (a password, a PIN, the answer to a "security question", etc.) Something you have (an ATM card, a smart card, a one-time-password token, etc.) Something you are (your fingerprint, retinal pattern, DNA) Historically, most people have used the first of these three...
    Posted 2013-10-02T13:30:01+00:00 - 0
  • Reproducible Builds for Fedora

    It should be possible to reproduce every build of every package in Fedora (strong, long-term goal).  It should be possible for the users to verify that the binary matches what the source intended to produce, in an independent fashion. This is the basic nature of open source, the source code is available, so what can we do with it? I want to be able to show that our binary was the result of our source code from our compiler and nobody added anything to the binary along the way. Can we show that...
    Posted 2013-09-18T13:30:32+00:00 - 0
  • Tweaking integer overflows

    Integer overflows when calculating the memory size for data structures (such as to hold image data from an image file) is a common source of security vulnerabilities. Often, such integer overflows are initially reported as denial-of-service issues, as the result of an arbitrarily large memory allocation. But with some tweaking, they can be turned into the successful allocation of a memory area that is too small because the integer overflow results in the wrong computed allocation size....
    Posted 2013-08-28T13:00:40+00:00 - 0
  • Apache Tomcat and JBoss Web security flaws

    Apache Tomcat and JBoss Web are two closely-related components that have a large amount of code in common. This article explains the difference between these components and examines how security flaws affect them. Apache Tomcat and JBoss Web Apache Tomcat is a popular open source implementation of the Java Servlet and JavaServer Pages specifications. It is commonly used as a container to host Java-based web applications. Tomcat is distributed as part of both Red Hat Enterprise Linux and Red Hat...
    Posted 2013-08-07T13:30:42+00:00 - 0
  • Reporting security flaws for OpenJDK 6

    Oracle has announced that it no longer provides public updates to their proprietary Oracle Java SE 6, as of February 2013. These updates, which may include security patches, are now only available to users of Oracle Java SE 6 who have a commercial support agreement with Oracle. Users who have a need for support on Java SE 6 and are not willing to consider commercial support from Oracle have another choice. Red Hat recently assumed a leadership role for the OpenJDK 6 project. OpenJDK is an open...
    Posted 2013-07-03T13:00:35+00:00 - 0
  • CWE Coverage for Red Hat Customer Portal

    This is part three of a three-part series on CWE usage within Red Hat. Part one discussed vulnerability assessment for secure software development while part two discussed the CWE compatibility for the Red Hat Customer Portal. This part will discuss the CWE coverage for the Red Hat Customer Portal. CWE has different views for different audiences and purposes. In the early stages of development, CWE only had one hierarchical representation, which originated the current Development Concepts View...
    Posted 2013-06-19T13:00:51+00:00 - 0
  • CWE Compatibility for Red Hat Customer Portal

    This is part two of a three-part series on CWE usage within Red Hat. Part one, Outside-in Vulnerability Assessment for Secure Software Development discussed the role of CWE in our own outside-in methodology. This part will discuss the Red Hat engagement for CWE compatibility and how CWE identifiers are assigned to Red Hat vulnerabilities. We have engaged in the CWE Compatibility and Effectiveness Program and worked towards fulfilling its requirements for using CWE in our own outside-in...
    Posted 2013-06-05T13:00:11+00:00 - 0
  • Outside-in Vulnerability Assessment for Secure Software Development

    Outside-in vulnerability assessment for secure software development is a process for identifying and eliminating some of the most dangerous and potentially exploitable weaknesses in your existing products and projects. Some well-known secure software development methodologies have their security practices grouped into phases, from training to response. However, you may have your main product already within the response phase, whereas its development was not done practicing secure software...
    Posted 2013-05-22T13:00:46+00:00 - 0
  • Battling open resolvers

    A recent blog by ISC discussed Is Your Open DNS Resolver Part of a Criminal Conspiracy? The problem is that open recursive DNS servers can be used by attackers to attack victims as part of distributed denial of service (DDOS) attacks. This type of attack is generally known as a DNS amplification attack. Due to the nature of the DNS protocol, a very small request can be sent as a UDP packet, and since UDP is not a stateful protocol, the sender information can be faked. The open DNS resolver will...
    Posted 2013-05-08T13:00:22+00:00 - 0
  • Anatomy of a Red Hat Security Advisory

    Red Hat Security Advisories (RHSA) document the security flaws being fixed in Red Hat products. They include: The affected products the advisory applies to. The security rating of the update (low, moderate, important, critical). A brief description of the flaws being fixed. How an attacker could exploit the issues, such as whether they need privileges or not. Any manual action that may be required, such as restarting applications that use an affected library, or configuration file changes. In...
    Posted 2013-04-24T13:00:14+00:00 - 0