News Robert Miranda

APEX ASSEMBLY: post-Pandemic Adaption with CTO Steve Giovannetti

Apex talks to Steve Giovannetti, the CTO and Founder of Hub City Media about AI in a post-pandemic world…


Apex talks to Steve Giovannetti, the CTO and Founder of Hub City Media, a software integration and development consultancy. Giovannetti has worked in information technology since 1988 and was creating commercial applications based on Internet technologies as early as 1995. Here, Steve discusses how he has navigated, and continues to navigate, the post-pandemic landscape within ML/AI, Cloud, and more at Hub City Media!

 

Q: What are the roles and responsibilities of the CTO within your services organization?

A: In an organization like Hub City Media, I wear a few different hats. Ultimately, I’m asked to make decisions and research new Identity and Access management technologies and products nearly every day. More specific parts of my job include:

  • Looking at new products or services we might develop in house.

  • Researching and developing new technologies we can apply to our service delivery like DevOps, cloud or AI.

  • Coming up with creative solutions to client problems. One of the most common has been helping them deal with the challenges presented by COVID-19.

 

Q: What sorts of challenges did COVID-19 cause for your clients?

A: The most prevalent challenge was navigating from working in an office to having their entire staff working remotely. Most organizations had access infrastructure like VPNs in their office networks, but these infrastructures weren’t stressed like they were when their entire staff started working from home. We helped our clients navigate through shoring up capacity, as well as implementing more secure remote access authentication technologies (like multi-factor authentication). This allowed them to connect securely to their on premise or even cloud applications.

 

Q: Have you found new vendors for your organizations that are now needed in this time of COVID-19 and remote working?

A: Maybe not new vendors, but there certainly were existing strong authentication vendors that saw a jump in activity once companies wanted to grant more access to applications from remote locations. We saw colossal interest and activity with Access Management, multi-factor authentication and passwordless authentication.

 

Q: Did you have specific projects or initiatives that have been shelved due to COVID-19 and current realities?

A: Very early at the start of the pandemic, we saw some projects get put on hold; however, that changed once companies resolved the remote access issue. Then, oddly enough, it was business as usual, and companies even started new initiatives on how to improve remote work. For example, we had one client ask us to help them completely automate their hiring process via their Identity Management system, which was only partially automated at the start of the pandemic.

 

Q: Where are you in the journey of utilizing hybrid cloud and DevOps? What challenges are you facing?

A: Hub City Media was a very early adopter of public cloud, and immediately grasped the importance of DevOps as a practice and as a set of technologies. We spearheaded early efforts to deploy Identity and Access Management systems using Docker and Kubernetes. That practice is quite mature now, and we are constantly improving our techniques. We’ve been doing a lot more with Infrastructure as Code and automating the provisioning of cloud services where we then deploy products. This has allowed us to decrease time to value for our clients, so we spend less time on infrastructure and more time delivering the functionality they are looking to leverage.

 

Q: Are you seeing more organizations deploying “Enterprise AI” to address Identity and Access Management or just security in general?

A: Yes. AI is becoming more prevalent in Identity and Access Management systems, especially in Identity Governance, where a lot of the burden is placed on members of an organization, specifically managers, to certify the access of their teams. This is a tremendously tedious task that can mostly be delegated to AI. We are also seeing the application of machine learning to deal with identity role engineering in large enterprises. This is another task where humans get overwhelmed in the data analysis to properly define birthright roles – a perfect task for Machine Learning.

 

Q: What is the current state of Big Data and AI investment? Do you sense the pace of Big Data and AI investment changing?

A: I see it accelerating in the Identity and Access Management sector. The new products on the market make it fairly easy to prove out value in a quick proof of concept. I would expect using AI for Identity Governance to become quite commonplace, and for it to extend to using AI/ML to make Access Management decisions in the future. That will be driven by analyzing access behaviors of users over time – again, an impossible task for a human to perform or even to codify rule sets in advance, but a perfect application of AI/ML.

 

 

Steve Giovannetti – CTO & Founder of Hub City Media

Steve Giovannetti is the CTO and Founder of Hub City Media, a software integration and development consultancy. Giovannetti has worked in information technology since 1988 and was creating commercial applications based on Internet technologies as early as 1995. He specializes in the analysis, design and implementation of distributed, multi-tier, applications, and heavily focuses on containerized solutions and running Identity in the cloud. Since 1999, Giovannetti and Hub City Media have been deploying production identity management, directory, and web access management systems for commercial, government and education customers.

News Robert Miranda

Oracle Releases Quarterly Security Patch Updates - April 2021

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Oracle WebLogic Server 10.3.6

Product: Oracle WebLogic Server 10.3.6.0.0

Subcomponent(s): TopLink Integration, Core, Console, Web Services

Patch Number: 32403651

Vulnerability Details: Both easily exploitable and difficult to exploit vulnerabilities allow unauthenticated or high privileged attackers with network access via HTTP, HTTPS, T3, or IIOP to compromise Oracle WebLogic Server. Some successful attacks require human interaction from a person other than the attacker. While the vulnerability is in Oracle WebLogic Server, these attacks could significantly impact other products.

Successful attacks can result in:

  • unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

  • unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data 

  • unauthorized read access to a subset of Oracle WebLogic Server accessible data

  • unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server

Java SE 7

Product: Java SE 7

Subcomponent(s): Libraries 

 Patch Number: 32464070

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition.  Some of the attacks require additional human interaction but not all.  

 Successful attacks can result in:

  • unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data.

Oracle Solaris

Product: Oracle Solaris

 Subcomponent(s): Kernel

 Patch Number: 11.4.30.88.3

 Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.

 Successful attacks can result in:

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris, as well as unauthorized update, insert or delete access to some of Oracle Solaris accessible data.

Oracle Coherence

Product: Oracle Coherence

 Subcomponent(s): Core

 Patch Number: 32581736

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Coherence. 

 Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all Oracle Coherence accessible data.

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.


With every patch update, our team ensures your Oracle system is up to date and running smoothly.

Learn more about how we can help you...

News Robert Miranda

Secret Double Octopus and Hub City Media Partner to Extend ForgeRock's Workforce Security to the Desktop

As an expert in IAM deployments, HCM will work to seamlessly integrate ForgeRock and SDO with client environments to secure enterprise assets - applications, desktop, mobile and more…

Secret Double Octopus (SDO), the leader in enterprise passwordless authentication, and winner of ForgeRock's Global Partner Award for Workforce Technology, is partnering with Hub City Media (HCM), an Identity and Access Management (IAM) consultancy and ForgeRock's 2020 Americas Partner of the Year.

HCM offers advisory and implementation services alongside managed cloud and support services across the globe for a wide range of industries. With over 20 years of IAM experience, HCM's extensive expertise in the industry continues to make them a leading partner for security platforms from leaders such as ForgeRock, Oracle and CyberArk.

SDO is revolutionizing workforce authentication with its Octopus Passwordless Enterprise™ technology, designed and built from the ground up for the unique requirements of complex enterprise infrastructure. The Octopus platform is to date the only enterprise-grade solution able to solve any authentication use-case, from the workstation to any app and service, in a simple and secure manner. Its seamless integration with ForgeRock's identity platform offers a novel plug-and-play desktop MFA for the entire workforce, and a clear path to becoming a passwordless enterprise.

As an expert in IAM deployments, HCM will work to seamlessly integrate ForgeRock and SDO with client environments to secure enterprise assets - applications, desktop, mobile and more. Passwordless Authentication enhances workforce security while providing a frictionless user experience.

"We see a large amount of workforce IAM deployments, and this has become a focus for us over the years," said Phillippe Monrougie, CEO of Hub City Media. "Secret Double Octopus has a similar focus, and has created a desktop authentication product that is the perfect fit for ForgeRock clients, and optimizes their platform. With HCM and SDO as key partners for ForgeRock, it was a great opportunity to go to market together."

"We are thrilled to partner with Hub City Media and help more ForgeRock users simplify security for their employees," said Raz Rafaeli, CEO and co-founder, Secret Double Octopus. "By providing a seamlessly integrated desktop MFA, and universal passwordless authentication across the enterprise, HCM and Secret Double Octopus enable companies to make the most out of their ForgeRock deployments. This new partnership will help IT and security managers in making their employees much happier and their domain dramatically more secure."

Learn More:
www.doubleoctopus.com 
www.hubcitymedia.com 

See original Press Release from PR Newswire

News Robert Miranda

Oracle Releases Quarterly Security Patch Updates - January 2021

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Java SE 7

Product: Java SE 7

 Subcomponent(s): Libraries

 Patch Number: 13079846

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded.

 Successful attacks can result in:

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.

Java SE 8

Product: Java SE 8

 Subcomponent(s): Libraries

 Patch Number: 18143322

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded.

 Successful attacks can result in:

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.

Oracle BI Publisher 11.1.1.9.0, 12.2.1.3.0

Product: Oracle BI Publisher 11.1.1.9.0, Oracle BI Publisher 12.2.1.3.0

Subcomponent(s): Administration, BI Publisher Security, E-Business Suite - XDO, Web Server

Patch Number: 32310890 (11.1.1.9.0), 32294042 (12.2.1.3)

Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products.

 Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data

  • Unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle BI Publisher


Oracle WebLogic Server 10.3.6

Product: Oracle WebLogic Server 10.3.6.0.0

Subcomponent(s): Web Services, Core Components, Samples, Console, Console (Apache Common Beanutils), Sample Apps (Spring Framework)

Patch Number: 32052267, 32134024

Vulnerability Details: Easily exploitable vulnerability allows unauthenticated, low privilege, or high privilege attackers with network access via HTTP, or IIOP/T3 to compromise Oracle WebLogic Server. 

Difficult to exploit vulnerability allows a low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.

 Successful attacks can result in:

  • Takeover of Oracle WebLogic Server.

  • Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data.

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server.

 

Oracle WebLogic Server 12.2.1.3

Product: Oracle WebLogic Server 12.2.1.3

Subcomponent(s): Core Components (Connect2id Nimbus JOSE+JWT), Core Components, Samples, Console (Apache Commons Beanutils), Console, Sample Apps (Spring Framework), Sample Apps (jQuery), Centralized Thirdparty Jars (Google Guava)

Patch Number: 32300397, 32148634

Vulnerability Details: Easily exploitable vulnerability allows unauthenticated, low privileged, and high privileged attackers with network access via HTTP, or IIOP/T3 to compromise Oracle WebLogic Server. 

Difficult to exploit vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.

Successful attacks can result in:

  • Takeover of Oracle WebLogic Server.

  • Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data.

  • Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data.

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server.

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.



With every patch update, our team ensures your Oracle system is up to date and running smoothly.

Learn more about how we can help you...

News Robert Miranda

Hub City Media and ForgeRock Sweeten the Day for Arizona Healthcare Heroes on Giving Tuesday

Hub City Media and ForgeRock have joined together to give back to local healthcare heroes to show how much they are appreciated today and every day…

December 1, 2020

Hub City Media, an identity and access management consultancy, and ForgeRock®, the leading provider in digital identity, are honoring Phoenix Metro Area healthcare workers on this Giving Tuesday by hand-delivering sweet treats to several area hospitals, including HonorHealth, Dignity Health, Redirect Health and Banner Health. The companies have joined together to give back to local healthcare heroes to show how much they are appreciated today and every day.  

 “Our mission at ForgeRock is to help people safely and simply access the connected world,” said Mark Rosato, healthcare client director, ForgeRock. “We’ve seen our healthcare customers work tirelessly to treat the most acute cases in person and find new ways of connecting to patients remotely. We’ve been inspired by the organizations we’ve partnered with to keep communities healthy and we felt it was our turn to do something special for them on Giving Tuesday.”

 “The medical community has sacrificed so much this year. We’re happy to provide a little sweetness to these healthcare heroes who continue to make a difference every day,” added Kimberly Stanfel, account director, Hub City Media.

 Giving Tuesday was established as a day for people around the world to give back to their local communities. Hub City Media and ForgeRock are thrilled to be able to kick off the holiday season by showing gratitude for the ongoing efforts of the Phoenix area hospitals who are the recipients of this grassroots initiative. There are so many more people we want to shower with our appreciation, so to every healthcare worker across the globe – thank you and you rock!

 You can follow our journey to each hospital by following ForgeRock, Hub City Media and #ForgeRockGives on Twitter, LinkedIn, Instagram and Facebook.

 

About Hub City Media

An identity and access management consultancy, and ForgeRock’s Americas Partner of the Year for 2020, Hub City Media offers advisory and implementation services, managed cloud and support services and simple, powerful, easy to integrate products. Our comprehensive U.S. based organization is equipped to partner with clients in every global location and time zone.

 

Thank you to Andrea at CookiesByDesign on McDonald Street for making these delicious treats!

Official Press Release

News Robert Miranda

Oracle Releases Quarterly Security Patch Updates - October 2020

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Java SE 7

Subcomponent(s): Hotspot, JNDI, Libraries, Serialization

 Patch Number: 13079846

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker, others do not.

 Successful attacks can result in:

  • unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

  • unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded

 

Java SE 8

Subcomponent(s): Hotspot, JNDI, Libraries, Serialization

 Patch Number: 18143322

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker, others do not.

 Successful attacks can result in:

  • unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

  • unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded

 

WebLogic Server 12.2.1.3

Subcomponent(s): Centralized Thirdparty Jars, Console, Core, Web Services, jQuery

 Patch Number: Patchset 31961038

Vulnerability Details: Easily exploitable vulnerabilities allow both unauthenticated and highly privileged attackers with network access via HTTP, IIOP, or T3 to compromise Oracle WebLogic Server. Some successful attacks would require human interaction from someone other than the attacker. While the vulnerabilities are in WebLogic Server, attacks might significantly impact additional products. There is also a difficult to exploit vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks would require human interaction from a person other than the attacker for this vulnerability.

 Successful attacks can result in:

  • takeover of Oracle WebLogic Server

  • unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

  • unauthorized creation, insert, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as 

  • unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

 

WebLogic Server 10.3.6

Subcomponent(s): Console, Core, jQuery, Apache Log4j

 Patch Number: Patchset: 31641257

Vulnerability Details: Easily exploitable vulnerabilities allow both unauthenticated and highly privileged attackers with network access via HTTP, IIOP, or T3 to compromise Oracle WebLogic Server. Some successful attacks would require human interaction from someone other than the attacker. While the vulnerabilities are in WebLogic Server, attacks might significantly impact additional products. There is also a difficult to exploit vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks would require human interaction from a person other than the attacker for this vulnerability. There is another difficult to exploit vulnerability that allows an unauthenticated attacker with network access via SMTPS to compromise Oracle WebLogic Server.

 Successful attacks can result in:

  • takeover of Oracle WebLogic Server

  • unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

  • unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

  • unauthorized read access to a subset of Oracle WebLogic Server accessible data

 

Oracle Access Manager 11.1.2.3.0

Subcomponent(s): Web Server Plugin (RSA BSafe)

 Patch Number: 31710235 

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Access Manager

 Successful attacks can result in:

  • Takeover of Oracle Access Manager

 

Oracle BI Publisher 12.2.1.3.0

Subcomponent(s): E-Business Suite - XDO, BI Publisher Security, Mobile Service, BI Publisher Security (jQuery)

 Patch Number: 31690029

 Vulnerability Details: Easily exploitable vulnerability allows low privileged users with network access via HTTP to compromise BI Publisher. Attacks may significantly impact additional products. Some successful attacks require human interaction from a person other than the attacker.

 Successful attacks can result in:

  • Complete access to all BI Publisher accessible data

  • Unauthorized update, insert, and/or delete access to some BI Publisher accessible data

  • Unauthorized read access to a subset of BI Publisher accessible data

 

Oracle BI Publisher 11.1.1.9.0

Subcomponent(s): E-Business Suite - XDO, BI Publisher Security, Mobile Service

 Patch Number: 31943269

 Vulnerability Details: Easily exploitable vulnerability allows low privileged users with network access via HTTP to compromise BI Publisher. Attacks may significantly impact additional products. Some successful attacks require human interaction from a person other than the attacker.

 Successful attacks can result in:

  • Complete access to all BI Publisher accessible data

  • Unauthorized update, insert, and/or delete access to some BI Publisher accessible data

  • Unauthorized read access to a subset of BI Publisher accessible data

 

Oracle Solaris 11.4

Subcomponent(s): Pluggable authentication module, Kernel, Filesystem, Utility

 Patch Number: 11.4.26.75.4

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products.  Easily exploitable vulnerability allows low privileged attackers with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Difficult to exploit vulnerability allows low privileged attackers with network access via SSH to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products.

 Successful attacks can result in:

  • the takeover of Oracle Solaris

  • unauthorized access to critical data or complete access to all Oracle Solaris accessible data 

  • unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris

  • unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris

  • unauthorized update, insert or delete access to some of Oracle Solaris accessible data

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.



With every patch update, our team ensures your Oracle system is up to date and running smoothly.

Learn more about how we can help you...

News Robert Miranda

Oracle Releases Quarterly Security Patch Updates - July 2020

Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Oracle BI Publisher 11.1.1.9.0

Subcomponent(s): Mobile Service, Layout Templates

 Patch Number: 31525202

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle BI Publisher and significantly impacts additional products.

 Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data as well as unauthorized update, insert, or delete access to some of Oracle BI Publisher accessible data.

 

Oracle BI Publisher 12.2.1.3.0

 Subcomponent(s): Mobile Service, Layout Templates, BI Publisher Security

Patch Number: 31525202, 31178889

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle BI Publisher and significantly impacts additional products.

 Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data as well as unauthorized update, insert, or delete access to some of Oracle BI Publisher accessible data.

 

Oracle Solaris

Subcomponent(s): Kernel, Operating System Image, Packaging Scripts, libsuri, Device Driver Utility

 Patch Number: 11.4.23.69.3

 Vulnerability Details:

  • Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.

  • Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle Solaris.

  • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle ZFS Storage Appliance Kit.

  • Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.

Successful attacks can result in:

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris

  • Unauthorized read access to a subset of Oracle Solaris accessible data

  • Takeover of Oracle ZFS Storage Appliance Kit

  • Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data

  • Takeover of Oracle Solaris

 

Oracle Unified Directory 11.1.2.3.0

Subcomponent(s): Security

 Patch Number: 31541461

 Vulnerability Details: Easily exploitable vulnerability allows high privileged attackers with network access via HTTP to compromise Oracle Unified Directory. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Unified Directory, attacks may significantly impact additional products.

 Successful attacks can result in:

  • Unauthorized creation, deletion or modification access to critical data or all Oracle Unified Directory accessible data

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Unified Directory

 

WebLogic Server 10.3.6

Subcomponent(s): Security Service, Core, Console, Log4j, Web Container, Web Services

 Patch Number: Patchset: 31178492,  ADR Patch: 31241365

 Vulnerability Details: Easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP, or T3 to compromise Oracle WebLogic Server. Some attacks require human interaction, and attacks of this variety may significantly impact other products even though the vulnerability is in WebLogic Server. Attacks exploiting these vulnerabilities have confidentiality, integrity and availability impacts.

 Successful attacks can result in:

  • Takeover of WebLogic Server

  • Unauthorized creation, deletion or modification access to all Oracle WebLogic Server accessible data

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)

  • Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

 

WebLogic Server 12.2.1.3

Subcomponent(s): Centralized Thirdparty Jars (jackson-databind), Security Service, Core, Centralized Thirdparty Jars (Log4j), Console (Log4j), Web Container, Sample apps, Web Services

 Patch Number: Patchset: 31535411, ADR Patch: 31544340

 Vulnerability Details: Easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP, or T3 to compromise Oracle WebLogic Server. Attackers exploiting these vulnerabilities can cause confidentiality, integrity and availability impacts. Some attacks require human interaction; for these, although the vulnerability is in WebLogic Server, the attack could significantly impact other available products. There are also difficult to exploit vulnerabilities that require human interaction and allow an unauthenticated attacker to compromise WebLogic Server via HTTP. Vulnerabilities of this type also have confidentiality, integrity, and availability impacts.

 Successful attacks can result in:

  • Takeover of Oracle WebLogic Server

  • Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data

  • Unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)

  • Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

 

Java SE 7 

Subcomponent(s): Libraries, 2D, JAXP, JSSE

 Patch Number: 13079846

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Easily exploitable vulnerabilities allow unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Attacks of these varieties have confidentiality, integrity and availability impacts.

 Successful attacks can result in:

  • Takeover of Java SE, Java SE Embedded

  • Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data

  • Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • Unauthorized ability to cause a partial denial of service (partial DOS)

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

 

Java SE 8

 Subcomponent(s): Libraries, 2D, JAXP, JSSE

 Patch Number: 18143322

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Easily exploitable vulnerabilities allow unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Attacks of these varieties have confidentiality, integrity and availability impacts.

 Successful attacks can result in:

  • Takeover of Java SE, Java SE Embedded

  • Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data

  • Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • Unauthorized ability to cause a partial denial of service (partial DOS)

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.



With every patch update, our team ensures your Oracle system is up to date and running smoothly.

Learn more about how we can help you...

News Robert Miranda

Hub City Media partners with Onfido to provide identity verification services to enterprise clients


Onfido, the global identity verification and authentication provider, today announced a partnership with Hub City Media, an Identity and Access Management (IAM) consultancy and ForgeRock’s 2020 America’s Partner of the Year. An expert in technology integrations for IAM customers, Hub City Media will resell and distribute Onfido’s identity verification and authentication services integrated with a number of their existing identity solutions including ForgeRock’s modern identity platform.


Hub City Media offers advisory and implementation services alongside managed cloud and support services across the globe for a wide range of industries. With over 20 years of IAM experience, Hub City Media’s extensive and growing expertise in the industry continues to make them a leading partner for many access management platforms from leaders such as ForgeRock, Oracle and CyberArk.

Onfido’s award-winning Identity Verification service enables document first onboarding, binding a physical human with their digital credentials with just a picture of a government ID and a selfie with 98.7% of fraud detected. To achieve this, Onfido uses the best combination of human analysts and machine learning to check for data consistency across the ID, performing image analysis, and detecting anomalies in fonts. 

By integrating Onfido’s technology, CIAM customers can reduce abandonment rates caused by complex registration forms and create trust with their customers as soon as they are onboarded, providing a more personalized and consistent experience across all their business units.  For high-risk transactions or ongoing authentication (for example, money transfers or password resets), a self-service step-up verification / authentication is available that requests a customer selfie which is then matched against the document used to register.

“As a trusted provider of IAM solutions for a number of the largest companies in the world, we only partner with companies offering the most robust and scalable solutions and Onfido fits that bill,” said Philippe Monrougie, CEO of Hub City Media. “Its identity verification solution is second to none providing the best user experiences, fraud detection and simplest integrations we’ve seen, making Onfido an easy proposition for our clients.”

“Having the right technology partners that know our identity solution and the value it brings to IAM architectures is critical for our continued expansion into the enterprise market,” said Husayn Kassai, CEO and Cofounder at Onfido. “Hub City Media is one of those partners that immediately understood the value of our solution and with our existing ForgeRock integration, made them a natural fit.”

Onfido covers over 4,500 ID document types across 195 countries, detecting anomalies automatically, while using human experts to verify outliers.


About Onfido

Onfido is the new standard for digital access. The company uses AI to verify any photo ID and then compares it with the person’s facial biometrics. This use of AI means that businesses no longer need to compromise on customer experience, conversion, privacy or security.

 Recognized as a global leader in artificial intelligence for identity verification and authentication, Onfido is backed by TPG Growth, Crane Venture Partners, Salesforce Ventures, M12 - Microsoft’s venture fund, and others. With approximately 400 employees spread across seven countries, Onfido has raised $200m in funding and powers digital access for some of the world’s largest companies.

www.onfido.com

www.linkedin.com/company/onfido/

www.twitter.com/onfido

 

About Hub City Media

Founded in 1999 and headquartered in South Plainfield, New Jersey, Hub City Media is a software integrator specializing in sophisticated Identity and Access Management cloud and on-premise solutions, Managed Support Services and custom software development and integrations. Hub City Media provides fully customizable Professional Services and 24 / 7 / 365 Managed Support Services tailored to the specific needs of each organization, with the ability to partner with clients in every global location and time zone.

News Robert Miranda

Oracle Releases Quarterly Security Patch Updates - April 2020

Hub City Media advises all Oracle customers to review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Oracle Solaris 11

Subcomponent(s): SMB Server Kernel Module, Operating System Image, jQuery, Oracle WebLogic Server, SMF command svcbundle, Whodo, Common Desktop Environment

 Patch Number: 31009799

 Vulnerability Details: Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Sun ZFS Storage Appliance Kit executes to compromise Sun ZFS Storage Appliance Kit. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise StorageTek Tape Analytics SW Tool. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in StorageTek Tape Analytics SW Tool, attacks may significantly impact additional products.

Successful attacks can result in:

  • Takeover of Oracle Solaris, Sun ZFS Storage Appliance Kit, StorageTek Tape Analytics SW Tool

  • Unauthorized update, insert or delete access to some of StorageTek Tape Analytics SW Tool accessible data as well as unauthorized read access to a subset of StorageTek Tape Analytics SW Tool accessible data

  • Unauthorized read, update, insert or delete access to some of Oracle Solaris accessible data

 

WebLogic Server

Subcomponent(s): Console, Core, WLS Web Services, Management Services

 Patch Number: 30857748

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP or T3 to compromise Oracle WebLogic Server.  Easily exploitable vulnerability allows high privileged attackers with network access via HTTP or T3 to compromise Oracle WebLogic Server.  Unauthenticated attackers with network access via HTTP can compromise Oracle WebLogic Server with human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.  Attacks exploiting these vulnerabilities can result in system confidentiality, integrity and availability impacts and have the following detrimental effects.

 Successful attacks can result in:

  • Takeover of Oracle WebLogic Server.

  • Unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.

  • Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

 

Java SE

Subcomponent(s): Libraries, JSSE, Concurrency, Lightweight HTTP Server, Security, Serialization

 Patch Number: 13079846

 Vulnerability Details: Vulnerabilities of varying difficulty allow unauthorized and highly privileged attackers, via multiple network protocols, T3, and HTTPS, to compromise Java SE and Java SE Embedded. The vulnerability is in Java SE and Java SE Embedded; however, attacks may significantly impact additional products. Attacks exploiting these vulnerabilities have system confidentiality, integrity and availability impacts and a variety of detrimental effects.

 Successful attacks can result in:

  • Takeover of Java SE, Java SE Embedded.

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.

  • Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.

 

Oracle HTTP Server

Subcomponent(s): Web Listener

 Patch Number: 31047338

 Vulnerability Details: Easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP to compromise Oracle HTTP Server. Attacks can require human interaction from a person other than the attacker, or can be carried out by an unauthenticated attacker alone. Attacks exploiting these vulnerabilities have system confidentiality, integrity and availability impacts and have the following detrimental effects.

 Successful attacks can result in:

  • Takeover of Oracle HTTP Server

  • Unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data

  • Unauthorized read access to a subset of Oracle HTTP Server accessible data.

 

Oracle Access Manager

Subcomponent(s): Federation, Authentication Engine, SSO Engine

Patch Number: 30609442

Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Access Manager. Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager. Successful attacks of both types require human interaction from a person other than the attacker and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Attacks exploiting these vulnerabilities have confidentiality, integrity, and availability impacts and the following detrimental effects.

 Successful attacks can result in:

  • Unauthorized update, insert or delete access to some of Oracle Access Manager accessible data

  • Unauthorized read access to a subset of Oracle Access Manager accessible data

  • Unauthorized ability to create partial Denial of Service

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.



With every patch update, our team ensures your Oracle system is up to date and running smoothly.

Learn more about how we can help you...

News Robert Miranda

Hub City Media Recognized as ForgeRock's Americas Partner of the Year!


Hub City Media, thought-leaders in the Identity and Access Management (IAM) space, was honored with the ForgeRock Americas Partner of the Year award for 2020. 

Hub City Media offers advisory and implementation services alongside managed cloud and support services across the globe for a wide range of industries. With over 20 years of IAM experience, Hub City Media’s extensive and ever growing expertise in the industry continues to make them a leading partner for ForgeRock’s modern Identity platform.

(from left to right): Philippe Monrougie - Hub City Media CEO, Priya Sharma - ForgeRock Business Development Director, Steve Giovannetti - Hub City Media CTO & Founder


"We are very excited to recognize Hub City Media as our Partner of the Year,” said Mark Francetic, Vice President - Alliances and Channels Sales at ForgeRock. “They are a go-to Partner for our customers and our sales teams nationally, and very much deserve this award.”

With a staff fully committed to ForgeRock Identity and Access Management (IAM) technology, Hub City Media provides valuable insight and recommendations resulting in their client’s success and increased return on investment.

 “Partnering with ForgeRock in 2015 was an easy decision, and since then, the partnership has exceeded every expectation,” said Philippe Monrougie, CEO of Hub City Media. “Every single person at our organization has played an integral role in making this award possible - our people are our most valuable differentiator.”

 For more information about Hub City Media, please visit www.hubcitymedia.com or contact marketing@hubcitymedia.com

News Robert Miranda

Oracle Releases Quarterly Security Patch Updates - January 2020

Hub City Media advises all Oracle customers to review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Oracle Identity Manager (OIM)

Product: Oracle Identity Management

 Subcomponent(s): Advanced Console

 Patch Number: 30338509 

 Vulnerability Details: Supported versions affected are 11.1.2.3.0 and 12.2.1.3.0. An easily exploitable vulnerability allows a low privileged attacker with network access via HTTP to compromise Identity Manager.

 Successful attacks can result in:

  • Unauthorized update, insert or delete access to some of Identity Manager’s accessible data

  • Unauthorized read access to a subset of Identity Manager accessible data

 

WebLogic Server

Product: Oracle WebLogic Server

 Subcomponent(s): WLS Core Components, Application Container - Java EE, Console

 Patch Number: 30463097 - Estimated Availability January 31, 2020

 Vulnerability Details: Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via IIOP or T3 to compromise Oracle WebLogic Server. Easily exploitable vulnerabilities allow a high privileged attacker with network access via HTTP or a logon to the infrastructure where WebLogic Server executes to compromise Oracle WebLogic Server. Some vulnerabilities require human interaction, and while the vulnerability is in Oracle WebLogic Server, attacks might significantly impact additional products.

 Successful attacks can result in:

  • Takeover of WebLogic Server

  • Unauthorized access to critical data or complete access to all accessible data

  • Unauthorized update, insert, or delete access to WebLogic accessible data

  • Unauthorized read access to a subset of WebLogic accessible data

  • Unauthorized ability to cause partial denial of service

 

Java SE

Product: Java SE

 Subcomponent(s): Serialization, Security, Networking, Libraries

 Patch Number: 13079846

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity, and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols to compromise Java SE. Successful attacks can have a variety of detrimental effects.

Successful attacks can result in:

  • Attacker takeover of Java SE

  • Unauthorized complete manipulation of Java accessible data, including access, write, delete, and modify

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Java SE

  • Compromise of Java SE by an unauthenticated attacker with network access via Kerberos

 

Oracle HTTP Server

Product: Oracle Fusion Middleware

 Subcomponent(s): OSSL Module, Web Listener

 Patch Number: 30654519

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle HTTP Server and allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server.

 Successful attacks can result in:

  •  Partial DOS of the HTTP Server

  • Unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data as well as unauthorized read access to a subset of Oracle HTTP Server accessible data

 

Oracle Solaris

Product: Oracle Solaris 11

 Subcomponent(s): Consolidation Infrastructure, Filesystem, Kernel, X Window System, SMB Server

 Patch Number: 30681152, 30681156

 Vulnerability Details: Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Easily exploitable vulnerability allows unauthenticated attacker with network access via SMB to compromise Oracle Solaris.

 Successful attacks can result in:

  • Takeover of Oracle Solaris

  • Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris.

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris

 

BI Publisher

Product: Oracle Business Intelligence Enterprise Edition

 Subcomponent(s): Analytics Server and Analytics Web General (OpenSSL)

 Patch Number: 30677050

 Vulnerability Details:

Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Business Intelligence Enterprise Edition.

Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.



With every patch update, our team ensures your Oracle system is up to date and running smoothly.

Learn more about how we can help you...

News Robert Miranda

ForgeRock and Hub City Media Dive into UMA and Healthcare Modernization

In this webinar, Eve Maler of ForgeRock and Steve Giovannetti of Hub City Media take a deep dive into UMA and IAM Modernization in Healthcare. Watch the replay…

Patient and Member Journeys Matter!

Building Superior Experiences in Connected Health, IoT and Data Sharing

Today, it is essential for healthcare organizations to provide users:

  • Access to consolidated medical records

  • Control over health data-sharing

  • The ability to leverage valuable IoT device data

  • The ability to manage care coverage transitions

Your patients and members expect active and personalized involvement in their own health outcomes using a variety of digital channels. To offer them the best possible health data protection, you need to support state-of-the-art Identity and Access Management (IAM) technologies and techniques.

In this webinar, you will learn about:

  • Health IoT and data-sharing best practices

  • Connected-health user journeys

  • Standards for patient-centric health data-sharing

  • How to modernize IAM to avoid healthcare security missteps

Watch the replay!

ABOUT THE SPEAKERS:


Eve Maler is a renowned strategist, innovator and communicator on digital identity, access, security and privacy, with particular focus on creating successful wide-scale ecosystems and fostering individual empowerment. Eve drives Identity Relationship Management innovation for the ForgeRock Identity Platform; she also directs ForgeRock’s involvement in related industry standards, particularly for access control and privacy, to which end she leads the User-Managed Access (UMA) standards effort.


Steve Giovannetti is the CTO and Founder of Hub City Media, an Identity and Access Management consultancy specializing in IAM implementations, product development and support services. Giovannetti has been working in Identity since 1999 with a heavy focus on containerized solutions and running IAM in the cloud. For more information, visit www.hubcitymedia.com.

News Robert Miranda

Hub City Media Teams with CyberArk - #1 in Privileged Access Security

Hub City Media partners with CyberArk, the global leader in Privileged Access Security…

Hub City Media has teamed with CyberArk, the global leader in Privileged Access Security, to deliver innovative cybersecurity solutions to reduce risk across an expanding attack surface.

 As the Privileged Access Security pioneer, CyberArk enables Hub City Media to deliver a complete Identity and Access Management (IAM) portfolio to improve compliance and reduce risk. With CyberArk, Hub City Media is now a one-stop shop for comprehensive IAM solutions.

 We are proud to join the CyberArk Partner Network!

News Robert Miranda

Hub City Media featured on latest Ask TOM talk by Oracle


Database Authentication was the focus of July’s Office hours at Oracle. Hub City Media's Jud Williford discussed different types of authentication, contrasted benefits and implementation requirements, and talked through a demo of our Multi-factor Authentication product for Oracle.

Check out the replay!


Jud Williford leads the Database Security practice at Hub City Media. He previously worked for 30 years at FedEx as a DBA and IT Architect, ultimately responsible for database security processes and annual attestations before external auditors.

News Robert Miranda

July 2019: ForgeRock Releases Security Patch Updates

Hub City Media advises all ForgeRock customers to review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure ForgeRock IAM environments remain secure, we are advising that ForgeRock has released Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us

AM Web Agents

Product: AM Web Agent, versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0

Subcomponent(s): Web Agent

Issue Number(s): 201902-01, 201902-03, 201902-04

Vulnerability Details:

These vulnerabilities allow:  

  • AM Web Agents to be started with misconfigured notifications, which will give revoked sessions the ability to access protected resources

  • AM Web Agent heap memory to be extracted by a local attacker, exposing sensitive information

  • Mishandled String operations to potentially crash the AM Web Agent

These vulnerabilities are resolved in AM Web Agent version 5.6.1.0


AM Java Agents

Product: AM Web Agent, versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0

Subcomponent(s): Java Agent, jackson-databind 2.x

Issue Number(s): 201902-02

Vulnerability Details:

These vulnerabilities allow:  

  • A remote user to access local files through an issue with Polymorphic Typing in FasterXML jackson-databind 2.x before 2.9.9

These vulnerabilities are resolved in AM Java Agent version 5.6.1.0


AM/OpenAM

Product: AM versions 6.5.0-6.5.0.1, 6.0.0-6.0.0.6, 5.0.0-5.5.1

OpenAM versions 

Subcomponent(s): AM/OpenAM Core Server

Issue Number(s): 201901-01, 201901-02, 201901-03, 201901-04, 201901-05, 201901-06, 201901-07, 201901-08

Vulnerability Details:

These vulnerabilities allow:  

  • A man-in-the-middle attack to be performed on AM/OpenAM Core Server through certain configurations of OAuth2 clients

  • Policies to be created for unentitled resources through a bug in access control

  • Takeover of AM/OpenAM Core Server through a cross-site scripting attack 

  • Server certificates to be incorrectly configured due to TLS hostname verification being disabled by default on some services

  • Authentication to be bypassed in certain SAML session upgrade scenarios

  • An attacker to redirect an end user to a site they control through Agent based CDSSO not correctly validating redirect URLs

  • Memory account lockout to fail to work

  • Redirect URLs to be unvalidated through improper error handling by OAuth2

These vulnerabilities are resolved in versions 6.5.0.2 or 6.0.0.7 depending on your current version of AM/OpenAM.



With every patch update, our team ensures your ForgeRock system is up to date and running smoothly.

Learn more about how we can help you...

News Robert Miranda

WEBINAR SERIES - Modernization of IAM: Ensuring your system is future-proof

Join ForgeRock and Hub City Media for a two-part webinar series to learn exactly how much value a modern IAM platform can bring to your organization…

ForgeRock and Hub City Media co-host a two-part webinar series on IAM Modernization

Part 1: Migrating to a Modern IAM Platform - Long-term Value and Risks

Legacy IAM vs. Modern IAM - Should you stay or should you go? 

  • Capabilities comparison

  • Keeping pace with current market demands

  • Preview of what a modern IAM deployment looks like 

  • Short-term and long-term benefits of modernizing IAM 

  • Potential roadblocks to consider and how to overcome them 


Part 2: Moving off of a Legacy System - How to migrate successfully

Learn how to make migrating IAM systems seamless, and the best strategies to consider for deployment. 

  • Parallel Deployments vs. Coexistence vs. Rip-and-Replace: Which method makes sense for your organization? What are the pros and cons of each? 

  • How to migrate efficiently, successfully and securely 

  • Why migrating a wide variety of applications can be a roadblock, and how to overcome it

  • Use Case Spotlight - Successful client journeys



Learn the true value of modernizing your IAM platform, and ensure your system is future proof with this series!

News Robert Miranda

HCM to Run Live Demos at ForgeRock's Identity Live in Nashville

Hub City Media to host a demo booth this year at ForgeRock's Identity Live in Nashville…

Hub City Media will be hosting a demo booth during Identity Live in Nashville, and is inviting all attendees to stop by to check out live demos of Governance 2.5. New features include an Enhanced User Interface, an Entitlement Glossary and OIDC integration.

As a proud ForgeRock partner, we're excited to have the opportunity to showcase the Governance product we've built directly on top of the ForgeRock Identity Platform. It's important we show Summit-goers how Governance can help their business with compliance needs, as well as the appropriate access and roles of their employees and customers. Most importantly, it can be deployed in the cloud with ForgeRock, and it’s very easy to install and run. 

We hope to see you there!

News Robert Miranda

April 2019: Oracle Releases Quarterly Security Patch Updates

Hub City Media advises all Oracle customers to review these security vulnerabilities with their teams…

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Java SE


Product: Oracle Java SE

Component(s): RMI, Libraries, 2D

Patch Number: 13079846

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols to compromise Java SE. Successful attacks can have a variety of detrimental effects.

Successful attacks can result in:

  • Attacker takeover of Java SE

  • Ability to cause hangs or complete crashes of Java SE

  • Unauthorized complete manipulation of Java accessible data, including access, write, delete and modify.

 

Solaris

Product: Oracle Solaris

Component(s): IPS Package Manager, SunSSH, File Locking Services

Patch Number: 11.3.36.10.0

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity, and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols (including logon access) to compromise Oracle Solaris.

 

Successful attacks can result in:

  • Unauthorized read access to Solaris file systems

  • Partial Denial of Service (DoS)

  • Unauthorized complete manipulation of Solaris accessible data, including access, write, delete and modify

 

SOA

Product: Oracle SOA Suite

Component(s): Fabric Layer

Patch Number: 29625018

Vulnerability Details:

This patch update corrects vulnerabilities that allow unauthorized read access to a subset of Oracle SOA as well as grant an unauthenticated attacker with network access, via HTTP, the ability to compromise Oracle SOA.

Successful attacks can result in:

  • Unauthorized Read access to Oracle SOA data

  • Unauthenticated Attacker can compromise Oracle SOA

 

Weblogic

Product: Oracle Weblogic Server

Component(s): WLS Core Components, EJB Container

Patch Number: 27820719

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through HTTP and T3 to compromise Oracle Weblogic Server.

 

Successful attacks can result in:

  • A takeover of Oracle WebLogic Server

 

BI Publisher (formerly XML Publisher)

Product: BI Publisher, version 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0

Subcomponent(s): BI Publisher Security

Patch Number: 29492717 

Vulnerability Details:

An easily exploitable vulnerability allows an unauthenticated, high- or low-privileged attacker with network access via HTTP to compromise BI Publisher. This vulnerability may impact additional products.

 

Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all BI Publisher accessible data

  • Unauthorized update, insert or delete access to some of BI Publisher accessible data.

  • Unauthorized read access to a subset of BI Publisher accessible data

 

Oracle HTTP Server (OHS)

Product: Oracle HTTP Server, version 12.2.1.3.0

Subcomponent(s): Web Listener (curl)

Patch Number: 29407043

Vulnerability Details:

The supported version affected is 12.2.1.3.0. An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server.

 

Successful attacks can result in:

  • Takeover of Oracle HTTP Server

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.



With every patch update, our team ensures your Oracle system is up to date and running smoothly.

Learn more about how we can help you...

News, Featured Robert Miranda

ForgeRock Releases Directory Services Security Advisory

Hub City Media advises all ForgeRock clients to review this security vulnerability with their team…

As part of Hub City Media’s ongoing efforts to ensure ForgeRock IAM environments remain secure, we are advising that ForgeRock has released a security advisory update for Directory Services. 

To maintain the best possible security posture, please review this patch with your team.

For assistance with applying this patch, contact us

 

ForgeRock Directory Services 5.5.2

Component: Core Server

Security Advisory #201803: ForgeRock has discovered a Medium-level security vulnerability in ForgeRock Directory Services (DS) 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS / OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0.

Release Notes for 5.5.2: ForgeRock maintenance releases provide fixes to existing bugs that improve functionality, security and performance for your DS deployment. No new features have been introduced. The release can be deployed as an initial deployment or used to upgrade from an existing version.

Vulnerability Details: The password policy response control is returned incorrectly when an account is locked and a bind operation for the account includes the correct password. As a result, it is possible to brute force a locked account’s password even after it has been locked due to too many authentication failures.

Resolution: Update / upgrade to DS 5.5.2 or deploy the relevant patch bundle.
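The flaw described under Vulnerability Details comes down to a locked account answering differently depending on whether the supplied password was right. The following is an added simplified model, not ForgeRock code: the class, function names and lockout threshold are hypothetical, and the exact way the DS response differed is not stated in the advisory summary, so it is modelled here as a missing control.

```python
import hmac
from dataclasses import dataclass

SUCCESS = 0
INVALID_CREDENTIALS = 49          # LDAP resultCode invalidCredentials
ACCOUNT_LOCKED = "accountLocked"  # error value in the password policy response control
MAX_FAILURES = 3                  # assumed lockout threshold for this model


@dataclass
class Account:
    password: str
    failures: int = 0

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES


def _password_ok(acct: Account, supplied: str) -> bool:
    return hmac.compare_digest(acct.password.encode(), supplied.encode())


def bind_leaky(acct: Account, supplied: str):
    """Flawed ordering: the password is compared first, and on a locked
    account the control is only attached when that comparison fails."""
    ok = _password_ok(acct, supplied)
    if acct.locked:
        return (INVALID_CREDENTIALS, None if ok else ACCOUNT_LOCKED)
    if ok:
        acct.failures = 0
        return (SUCCESS, None)
    acct.failures += 1
    return (INVALID_CREDENTIALS, None)


def bind_hardened(acct: Account, supplied: str):
    """Lockout state is decided before the password is looked at, so every
    bind against a locked account gets the same response."""
    if acct.locked:
        return (INVALID_CREDENTIALS, ACCOUNT_LOCKED)
    if _password_ok(acct, supplied):
        acct.failures = 0
        return (SUCCESS, None)
    acct.failures += 1
    return (INVALID_CREDENTIALS, None)


def locked_account_is_oracle(bind) -> bool:
    """True if responses on a locked account reveal whether the guess was right."""
    acct = Account(password="constructed-Passw0rd", failures=MAX_FAILURES)
    return bind(acct, "constructed-Passw0rd") != bind(acct, "wrong-guess")
```

The same comparison, two binds against a deliberately locked test account with a right and a wrong password, is a quick post-upgrade regression check that the responses are identical.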



With every patch update, our team ensures your ForgeRock system is up to date and running smoothly.

Learn more about how we can help you...
