APEX ASSEMBLY: post-Pandemic Adaption with CTO Steve Giovannetti
Apex talks to Steve Giovannetti, the CTO and Founder of Hub City Media about AI in a post-pandemic world…
Apex talks to Steve Giovannetti, the CTO and Founder of Hub City Media, a software integration and development consultancy. Giovannetti has worked in information technology since 1988 and was creating commercial applications based on Internet technologies as early as 1995. Here, Steve discusses how he has been and continues to navigate the post pandemic landscape within ML/AI, Cloud, and more at Hub City Media!
Q: What are the roles and responsibilities of the CTO within your services organization?
A: In an organization like Hub City Media, I wear a few different hats. Ultimately, I’m asked to make decisions and research new Identity and Access management technologies and products nearly every day. More specific parts of my job include:
Looking at new products or services we might develop in house.
Researching and developing new technologies we can apply to our service delivery like devops, cloud or AI.
Coming up with creative solutions to client problems. One of the most common has been helping them deal with the challenges presented by COVID-19.
Q: What sorts of challenges did COVID-19 cause for your clients?
A: The most prevalent challenge was navigating from working in an office to having their entire staff working remotely. Most organizations had access infrastructure like VPNs in their office networks, but these infrastructures weren’t stressed like they were when their entire staff I started working from home. We helped our clients navigate through shoring up capacity, as well as implementing more secure remote access authentication technologies (like multi-factor authentication). This allowed them to connect securely to their on premise or even cloud Applications.
Q: Have you found new vendors for your organizations that are now needed in this time of COVID-19 and remote working?
A: Maybe not new vendors, but there certainly were existing strong authentication vendors that saw a jump in activity once companies wanted to grant more access to applications from remote locations. We saw colossal interest and activity with Access Management, multi-factor authentication and passwordless authentication.
Q: Did you have specific projects or initiatives that have been shelved due to COVID-19 and current realities?
A: Very early at the start of the pandemic, we saw some projects get put on hold; however, that
changed once companies resolved the remote access issue. Then, oddly enough, it was business as usual, and companies even started new initiatives on how to improve remote work. For example, we had one client ask us to help them completely automate their hiring process via their Identity Management system, which was only partially automated at the start of the pandemic.
Q: Where are you in the journey of utilizing hybrid cloud and DevOps? What challenges are you facing?
A: Hub City Media was a very early adopter of public cloud, and immediately grasped the importance of DevOps as a practice and as a set of technologies. We spearheaded early efforts to deploy Identity and Access Management systems using Docker and Kubernetes. That practice is quite mature now, and we are constantly improving our techniques. We’ve been doing a lot more with Infrastructure as Code and automating the provisioning of cloud services where we then deploy products. This has allowed us to decrease time to value for our clients, so we spend less time on infrastructure and more time delivering the functionality they are looking to leverage.
Q: Are you seeing more organizations deploying “Enterprise AI” to address Identity and Access Management or just security in general?
A: Yes. AI is becoming more prevalent in Identity and Access Management systems, especially in Identity Governance, where a lot of the burden is placed on members of an organization, specifically managers, to certify the access of their teams. This is a tremendously tedious task that can mostly be delegated to AI. We are also seeing the application of machine learning to deal with identity role engineering in large enterprises. This is another task where humans get overwhelmed in the data analysis to properly define birthright roles – a perfect task for Machine Learning.
Q: What is the current state of Big Data and AI investment? Do you sense the pace of Big Data and AI investment changing?
A: I see it accelerating in the Identity and Access Management sector. The new products on the market make it fairly easy to prove out value in a quick proof of concept. I would expect using AI for Identity Governance to become quite commonplace, and for it to extend to using AI/ML to make Access Management decisions in the future. That will be driven by analyzing access behaviors of users over time – again, an impossible task for a human to perform or even to codify rule sets in advance, but a perfect application of AI/ML.
Steve Giovannetti – CTO & Founder of Hub City Media
Steve Giovannetti is the CTO and Founder of Hub City Media, a software integration and development consultancy. Giovannetti has worked in information technology since 1988 and was creating commercial applications based on Internet technologies as early as 1995. He specializes in the analysis, design and implementation of distributed, multi-tier, applications, and heavily focuses on containerized solutions and running Identity in the cloud. Since 1999, Giovannetti and Hub City Media have been deploying production identity management, directory, and web access management systems for commercial, government and education customers.
Oracle Releases Quarterly Security Patch Updates - April 2021
Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Oracle WebLogic Server 10.3.6
Product: Oracle WebLogic Server 10.3.6.0.0
Subcomponent(s): TopLink Integration, Core, Console, Web Services
Patch Number: 32403651
Vulnerability Details: Both easily exploitable and difficult to exploit vulnerabilities allowing unauthenticated or high privileged attackers with network access via HTTP, HTTPS, T3, or IIOP to compromise Oracle WebLogic Server. Some successful attacks require human interaction from a person other than the attacker. While the vulnerability is in Oracle WebLogic Server these attacks could significantly impact other products.
Successful attacks can result in:
unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data
unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data
unauthorized read access to a subset of Oracle WebLogic Server accessible data
unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server
Java SE 7
Product: Java SE 7
Subcomponent(s): Libraries
Patch Number: 32464070
Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Some of the attacks require additional human interaction but not all.
Successful attacks can result in:
unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data.
Oracle Solaris
Product: Oracle Solaris
Subcomponent(s): Kernel
Patch Number: 11.4.30.88.3
Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.
Successful attacks can result in:
Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris as well as unauthorized update, insert or delete access to some of Oracle Solaris accessible data.
Oracle Coherence
Product: Oracle Coherence
Subcomponent(s): Core
Patch Number: 32581736
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Coherence.
Successful attacks can result in:
Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Coherence accessible data.
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
Secret Double Octopus and Hub City Media Partner to Extend ForgeRock's Workforce Security to the Desktop
As an expert in IAM deployments, HCM will work to seamlessly integrate ForgeRock and SDO with client environments to secure enterprise assets - applications, desktop, mobile and more…
Secret Double Octopus (SDO), the leader in enterprise passwordless authentication, and winner of ForgeRock's Global Partner Award for Workforce Technology, is partnering with Hub City Media (HCM), an Identity and Access Management (IAM) consultancy and ForgeRock's 2020 Americas Partner of the Year.
HCM offers advisory and implementation services alongside managed cloud and support services across the globe for a wide range of industries. With over 20 years of IAM experience, HCM's extensive expertise in the industry continues to make them a leading partner for security platforms from leaders such as ForgeRock, Oracle and CyberArk.
SDO is revolutionizing workforce authentication with its Octopus Passwordless Enterprise™ technology, designed and built from the ground up for the unique requirements of complex enterprise infrastructure. The Octopus platform is to date the only enterprise-grade solution able to solve any authentication use-case, from the workstation to any app and service, in a simple and secure manner. Its seamless integration with ForgeRock's identity platform offers a novel plug-and-play desktop MFA for the entire workforce, and a clear path to becoming a passwordless enterprise.
As an expert in IAM deployments, HCM will work to seamlessly integrate ForgeRock and SDO with client environments to secure enterprise assets - applications, desktop, mobile and more. Passwordless Authentication enhances workforce security while providing a frictionless user experience.
"We see a large amount of workforce IAM deployments, and this has become a focus for us over the years," said Phillippe Monrougie, CEO of Hub City Media. "Secret Double Octopus has a similar focus, and has created a desktop authentication product that is the perfect fit for ForgeRock clients, and optimizes their platform. With HCM and SDO as key partners for ForgeRock, it was a great opportunity to go to market together."
"We are thrilled to partner with Hub City Media and help more ForgeRock users simplify security for their employees," said Raz Rafaeli, CEO and co-founder, Secret Double Octopus. "By providing a seamlessly integrated desktop MFA, and universal passwordless authentication across the enterprise, HCM and Secret Double Octopus enable companies to make the most out of their ForgeRock deployments. This new partnership will help IT and security managers in making their employees much happier and their domain dramatically more secure."
Learn More:
www.doubleoctopus.com
www.hubcitymedia.com
See original Press Release from PR Newswire
Oracle Releases Quarterly Security Patch Updates - January 2021
Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Java SE 7
Product: Java SE 7
Subcomponent(s): Libraries
Patch Number: 13079846
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks can result in:
Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
Java SE 8
Product: Java SE 8
Subcomponent(s): Libraries
Patch Number: 18143322
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks can result in:
Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
Oracle BI Publisher 11.1.1.9.0, 12.2.1.3.0
Product: Oracle BI Publisher 11.1.1.9.0, Oracle BI Publisher 12.2.1.3.0
Subcomponent(s): Administration, BI Publisher Security, E-Business Suite - XDO, Web Server
Patch Number: 32310890 (11.1.1.9.0), 32294042 (12.2.1.3)
Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products.
Successful attacks can result in:
Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data
Unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data
Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle BI Publisher
Oracle WebLogic Server 10.3.6
Product: Oracle WebLogic Server 10.3.6.0.0
Subcomponent(s): Web Services, Core Components, Samples, Console, Console (Apache Common Beanutils), Sample Apps (Spring Framework)
Patch Number: 32052267, 32134024
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated, low privilege, or high privilege attackers with network access via HTTP, or IIOP/T3 to compromise Oracle WebLogic Server.
Difficult to exploit vulnerability allows a low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.
Successful attacks can result in:
Takeover of Oracle WebLogic Server.
Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data.
Unauthorized read access to a subset of Oracle WebLogic Server accessible data.
Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server.
Oracle WebLogic Server 12.2.1.3
Product: Oracle WebLogic Server 12.2.1.3
Subcomponent(s): Core Components (Connect2id Nimbus JOSE+JWT), Core Components, Samples, Console (Apache Commons Beanutils), Console, Sample Apps (Spring Framework), Sample Apps (jQuery), Centralized Thirdparty Jars (Google Guava)
Patch Number: 32300397, 32148634
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated, low privileged, and high privileged attackers with network access via HTTP, or IIOP/T3 to compromise Oracle WebLogic Server.
Difficult to exploit vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.
Successful attacks can result in:
Takeover of Oracle WebLogic Server.
Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data.
Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data.
Unauthorized read access to a subset of Oracle WebLogic Server accessible data.
Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server.
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
Hub City Media and ForgeRock Sweeten the Day for Arizona Healthcare Heroes on Giving Tuesday
Hub City Media and ForgeRock have joined together to give back to local healthcare heroes to show how much they are appreciated today and every day…
December 1, 2020
Hub City Media, an identity and access management consultancy, and ForgeRock®, the leading provider in digital identity, are honoring Phoenix Metro Area healthcare workers on this Giving Tuesday by hand-delivering sweet treats to several area hospitals, including HonorHealth, Dignity Health, Redirect Health and Banner Health. The companies have joined together to give back to local healthcare heroes to show how much they are appreciated today and every day.
“Our mission at ForgeRock is to help people safely and simply access the connected world,” said Mark Rosato, healthcare client director, ForgeRock. “We’ve seen our healthcare customers work tirelessly to treat the most acute cases in person and find new ways of connecting to patients remotely. We’ve been inspired by the organizations we’ve partnered with to keep communities healthy and we felt it was our turn to do something special for them on Giving Tuesday.”
“The medical community has sacrificed so much this year. We’re happy to provide a little sweetness to these healthcare heroes who continue to make a difference every day,” added Kimberly Stanfel, account director, Hub City Media.
Giving Tuesday was established as a day for people around the world to give back to their local communities. Hub City Media and ForgeRock are thrilled to be able to kick off the holiday season by showing gratitude for the ongoing efforts of the Phoenix area hospitals who are the recipients of this grassroots initiative. There are so many more people we want to shower with our appreciation, so to every healthcare worker across the globe – thank you and you rock!
You can follow our journey to each hospital by following ForgeRock, Hub City Media and #ForgeRockGives on Twitter, LinkedIn, Instagram and Facebook.
About Hub City Media
An identity and access management consultancy, and ForgeRock’s Americas Partner of the Year for 2020, Hub City Media offers advisory and implementation services, managed cloud and support services and simple, powerful, easy to integrate products. Our comprehensive U.S. based organization is equipped to partner with clients in every global location and time zone.
Thank you to Andrea at CookiesByDesign on McDonald Street for making these delicious treats!
Oracle Releases Quarterly Security Patch Updates - October 2020
Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Java SE 7
Subcomponent(s): Hotspot, JNDI, Libraries, Serialization
Patch Number: 13079846
Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker, others do not.
Successful attacks can result in:
unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
unauthorized read access to a subset of Java SE, Java SE Embedded accessible data
unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded
Java SE 8
Subcomponent(s): Hotspot, JNDI, Libraries, Serialization
Patch Number: 18143322
Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker, others do not.
Successful attacks can result in:
unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
unauthorized read access to a subset of Java SE, Java SE Embedded accessible data
unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded
WebLogic Server 12.2.1.3
Subcomponent(s): Centralized Thirdparty Jars, Console, Core, Web Services, jQuery
Patch Number: Patchset 31961038
Vulnerability Details: Easily exploitable vulnerabilities allow for both unauthenticated and highly privileged attackers with network access via HTTP, IIOP, or T3 to compromise Oracle WebLogic Server. Some successful attacks would require human interaction from someone other than the attacker to be successful. While the vulnerabilities are in Weblogic Server, attacks might significantly impact additional products. There is also a difficult to exploit vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks would require human interaction from a person other than the attacker for this vulnerability.
Successful attacks can result in:
takeover of Oracle WebLogic Server
unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data
unauthorized creation, insert, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as
unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data
WebLogic Server 10.3.6
Subcomponent(s): Console, Core, jQuery, Apache Log4j
Patch Number: Patchset: 31641257
Vulnerability Details: Easily exploitable vulnerabilities allow for both unauthenticated and highly privileged attackers with network access via HTTP, IIOP, or T3 to compromise Oracle WebLogic Server. Some successful attacks would require human interaction from someone other than the attacker to be successful. While the vulnerabilities are in Weblogic Server, attacks might significantly impact additional products. There is also a difficult to exploit vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks would require human interaction from a person other than the attacker for this vulnerability. There is another difficult to exploit vulnerability that allows for an unauthenticated attacker with network access via SMTPS to compromise Oracle WebLogic Server.
Successful attacks can result in:
takeover of Oracle WebLogic Server
unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data
unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data
unauthorized read access to a subset of Oracle WebLogic Server accessible data
Oracle Access Manager 11.1.2.3.0
Subcomponent(s): Web Server Plugin (RSA BSafe)
Patch Number: 31710235
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Access Manager
Successful attacks can result in:
Takeover of Oracle Access Manager
Oracle BI Publisher 12.2.1.3.0
Subcomponent(s): E-Business Suite - XDO, BI Publisher Security, Mobile Service, BI Publisher Security (jQuery)
Patch Number: 31690029
Vulnerability Details: Easily exploitable vulnerability allows low privileged users with network access via HTTP to compromise BI Publisher. Attacks may significantly impact additional products. Some successful attacks require human interaction from a person other than the attacker.
Successful attacks can result in:
Complete access to all BI Publisher accessible data
Unauthorized update, insert, and/or delete access to some BI Publisher accessible data
Unauthorized read access to a subset of BI Publisher accessible data
Oracle BI Publisher 11.1.1.9.0
Subcomponent(s): E-Business Suite - XDO, BI Publisher Security, Mobile Service
Patch Number: 31943269
Vulnerability Details: Easily exploitable vulnerability allows low privileged users with network access via HTTP to compromise BI Publisher. Attacks may significantly impact additional products. Some successful attacks require human interaction from a person other than the attacker.
Successful attacks can result in:
Complete access to all BI Publisher accessible data
Unauthorized update, insert, and/or delete access to some BI Publisher accessible data
Unauthorized read access to a subset of BI Publisher accessible data
Oracle Solaris 11.4
Subcomponent(s): Pluggable authentication module, Kernel, Filesystem, Utility
Patch Number: 11.4.26.75.4
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Easily exploitable vulnerability allows low privileged attackers with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Difficult to exploit vulnerability allows low privileged attackers with network access via SSH to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products.
Successful attacks can result in:
the takeover of Oracle Solaris
unauthorized access to critical data or complete access to all Oracle Solaris accessible data
unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris
unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris
unauthorized update, insert or delete access to some of Oracle Solaris accessible data
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
Oracle Releases Quarterly Security Patch Updates - July 2020
Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Oracle BI Publisher 11.1.1.9.0
Subcomponent(s): Mobile Service, Layout Templates
Patch Number: 31525202
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle BI Publisher and significantly impacts additional products.
Successful attacks can result in:
Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data as well as unauthorized update, insert, or delete access to some of Oracle BI Publisher accessible data.
Oracle BI Publisher 12.2.1.3.0
Subcomponent(s): Mobile Service, Layout Templates, BI Publisher Security
Patch Number: 31525202, 31178889
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle BI Publisher and significantly impacts additional products.
Successful attacks can result in:
Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data as well as unauthorized update, insert, or delete access to some of Oracle BI Publisher accessible data.
Oracle Solaris
Subcomponent(s): Kernel, Operating System Image, Packaging Scripts,libsuri, Device Driver Utility,
Patch Number: 11.4.23.69.3
Vulnerability Details:
Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.
Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle Solaris.
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle ZFS Storage Appliance Kit.
Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.
Successful attacks can result in:
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris
Unauthorized read access to a subset of Oracle Solaris accessible data
Takeover of Oracle ZFS Storage Appliance Kit
Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data
Takeover of Oracle Solaris
Oracle Unified Directory 11.1.2.3.0
Subcomponent(s): Security
Patch Number: 31541461
Vulnerability Details: Easily exploitable vulnerability allows high privileged attackers with network access via HTTP to compromise Oracle Unified Directory. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Unified Directory, attacks may significantly impact additional products.
Successful attacks can result in:
Unauthorized creation, deletion or modification access to critical data or all Oracle Unified Directory accessible data
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Unified Directory
WebLogic Server 10.3.6
Subcomponent(s): Security Service, Core, Console, Log4j, Web Container, Web Services
Patch Number: Patchset: 31178492, ADR Patch: 31241365
Vulnerability Details: Easily exploitable vulnerabilities that allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP, or T3 to compromise Oracle WebLogic Server. Some attacks require human interaction and this variety of attack may significantly impact other products despite the vulnerability being in WebLogic Server. Attackers exploiting these vulnerabilities have confidentiality, integrity and availability impacts.
Successful attacks can result in:
Takeover of WebLogic Server
Unauthorized creation, deletion or modification access to all Oracle WebLogic Server accessible data
Unauthorized read access to a subset of Oracle WebLogic Server accessible data.
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)
Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data
WebLogic Server 12.2.1.3
Subcomponent(s): Centralized Thirdparty Jars (jackson-databind), Security Service, Core, Centralized Thirdparty Jars (Log4j), Console (Log4j), Web Container, Sample apps, Web Services
Patch Number: Patchset: 31535411, ADR Patch: 31544340
Vulnerability Details: Easily exploitable vulnerabilities that allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP, T3 to compromise Oracle WebLogic Server. Attackers exploiting these vulnerabilities can cause the system to have confidentiality, integrity and availability impacts. Attacks exist that require human interaction however for these attacks despite the vulnerability being in WebLogic Server the attack could significantly impact other available products. Difficult to exploit vulnerabilities that require human interaction which allows an unauthenticated attacker via HTTP to compromise WebLogic Server. Vulnerabilities of this type also have confidentiality, integrity, and availability impacts.
Successful attacks can result in:
Takeover of Oracle WebLogic Server
Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data
Unauthorized read access to a subset of Oracle WebLogic Server accessible data
Unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)
Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data
Java SE 7
Subcomponent(s): Libraries, 2D, JAXP, JSSE
Patch Number: 13079846
Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Easily exploitable vulnerabilities that allow unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Attacks of these varieties have confidentiality, integrity and availability impacts.
Successful attacks can result in:
Takeover of Java SE, Java SE Embedded
Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data
Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
Unauthorized ability to cause a partial denial of service (partial DOS)
Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data
Java SE 8
Subcomponent(s): Libraries, 2D, JAXP, JSSE
Patch Number: 18143322
Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Easily exploitable vulnerabilities that allow unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Attacks of these varieties have confidentiality, integrity and availability impacts.
Successful attacks can result in:
Takeover of Java SE, Java SE Embedded
Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data
Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
Unauthorized ability to cause a partial denial of service (partial DOS)
Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
Hub City Media partners with Onfido to provide identity verification services to enterprise clients
Hub City Media will resell and distribute Onfido’s identity verification and authentication services integrated with a number of their existing identity solutions including ForgeRock’s modern identity platform…
Onfido, the global identity verification and authentication provider, today announced a partnership with Hub City Media, an Identity and Access Management (IAM) consultancy and ForgeRock’s 2020 America’s Partner of the Year. An expert in technology integrations for IAM customers, Hub City Media will resell and distribute Onfido’s identity verification and authentication services integrated with a number of their existing identity solutions including ForgeRock’s modern identity platform.
Hub City Media offers advisory and implementation services alongside managed cloud and support services across the globe for a wide range of industries. With over 20 years of IAM experience, Hub City Media’s extensive and growing expertise in the industry continues to make them a leading partner for many access management platforms from leaders such as ForgeRock, Oracle and CyberArk.
Onfido’s award-winning Identity Verification service enables document first onboarding, binding a physical human with their digital credentials with just a picture of a government ID and a selfie with 98.7% of fraud detected. To achieve this, Onfido uses the best combination of human analysts and machine learning to check for data consistency across the ID, performing image analysis, and detecting anomalies in fonts.
By integrating Onfido’s technology, CIAM customers can reduce abandonment rates caused by complex registration forms and create trust with their customers as soon as they are onboarded, providing a more personalized and consistent experience across all their business units. For high-risk transactions or ongoing authentication (for example, money transfers or password resets), a self-service step-up verification / authentication is available that requests a customer selfie which is then matched against the document used to register.
“As a trusted provider of IAM solutions for a number of the largest companies in the world, we only partner with companies offering the most robust and scalable solutions and Onfido fits that bill,” said Phillippe Monrougie, CEO of Hub City Media. “Its identity verification solution is second to none providing the best user experiences, fraud detection and simplest integrations we’ve seen, making Onfido an easy proposition for our clients.”
“Having the right technology partners that know our identity solution and the value it brings to IAM architectures is critical for our continued expansion into the enterprise market,” said Husayn Kassai, CEO and Cofounder at Onfido. “Hub City Media is one of those partners that immediately understood the value of our solution and with our existing ForgeRock integration, made them a natural fit.”
Onfido covers over 4,500 ID document types across 195 countries, detecting anomalies automatically, while using human experts to verify outliers.
About Onfido
Onfido is the new standard for digital access. The company uses AI to verify any photo ID and then compares it with the person’s facial biometrics. This use of AI means that businesses no longer need to compromise on customer experience, conversion, privacy or security.
Recognized as a global leader in artificial intelligence for identity verification and authentication, Onfido is backed by TPG Growth, Crane Venture Partners, Salesforce Ventures, M12 - Microsoft’s venture fund, and others. With approximately 400 employees spread across seven countries, Onfido has raised $200m in funding and powers digital access for some of the world’s largest companies.
www.linkedin.com/company/onfido/
About Hub City Media
Founded in 1999 and headquartered in South Plainfield, New Jersey, Hub City Media is a software integrator specializing in sophisticated Identity and Access Management cloud and on-premise solutions, Managed Support Services and custom software development and integrations. Hub City Media provides fully customizable Professional Services and 24 / 7 / 365 Managed Support Services tailored to the specific needs of each organization, with the ability to partner with clients in every global location and time zone.
Oracle Releases Quarterly Security Patch Updates - April 2020
Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Oracle Solaris 11
Subcomponent(s): SMB Server Kernel Module, Operating System Image, jQuery, Oracle WebLogic Server, SMF command svcbundle, Whodo, Common Desktop Environment
Patch Number: 31009799
Vulnerability Details: Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Sun ZFS Storage Appliance Kit executes to compromise Sun ZFS Storage Appliance Kit. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise StorageTek Tape Analytics SW Tool. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in StorageTek Tape Analytics SW Tool, attacks may significantly impact additional products.
Successful attacks can result in:
Takeover of Oracle Solaris, Sun ZFS Storage Appliance Kit, StorageTek Tape Analytics SW Tool
Unauthorized update, insert or delete access to some of StorageTek Tape Analytics SW Tool accessible data as well as unauthorized read access to a subset of StorageTek Tape Analytics SW Tool accessible data
Unauthorized read, update, insert or delete access to some of Oracle Solaris accessible data
WebLogic Server
Subcomponent(s): Console, Core, WLS Web Services, Management Services,
Patch Number: 30857748
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP or T3 to compromise Oracle WebLogic Server. Easily exploitable vulnerability allows high privileged attackers with network access via HTTP or T3 to compromise Oracle WebLogic Server. Unauthenticated attackers with network access via HTTP can compromise Oracle WebLogic Server with human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Attacks exploiting these vulnerabilities can result in system confidentiality, integrity and availability impacts and have the following detrimental effects.
Successful attacks can result in:
Takeover of Oracle WebLogic Server.
Unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.
Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data
Unauthorized read access to a subset of Oracle WebLogic Server accessible data.
Java SE
Subcomponent(s): Libraries, JSSE, Concurrency, Lightweight HTTP Server, Security, Serialization
Patch Number: 13079846
Vulnerability Details: Vulnerabilities of varying difficulties allowing unauthorized and highly privileged attackers via multiple network protocols, T3, and HTTPS, to compromise Java SE and Java SE Embedded. Vulnerability is in Java SE and Java SE embedded however attacks may significantly impact additional products. Attacks exploiting these vulnerabilities have system confidentiality, integrity and availability impacts and have a variety of detrimental effects.
Successful attacks can result in:
● Takeover of Java SE, Java SE Embedded.
● Unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
● Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
● Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
Oracle HTTP Server
Subcomponent(s): Web Listener
Patch Number: 31047338
Vulnerability Details: Easily exploitable vulnerabilities allows unauthenticated attackers with network access via HTTP to compromise Oracle HTTP Server. Attacks can require human interaction from a person other than the attacker, or occur with a solo unauthenticated attacker. Attacks exploiting these vulnerabilities have system confidentiality, integrity and availability impacts and have the following detrimental effects.
Successful attacks can result in:
● Takeover of Oracle HTTP Server
● Unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data
● unauthorized read access to a subset of Oracle HTTP Server accessible data.
Oracle Access Manager
Subcomponent(s): Federation, Authentication Engine, SSO Engine
Patch Number: 30609442
Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Access Manager. Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager. Successful attacks of both types require human interaction from a person other than the attacker and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Attacks exploiting these vulnerabilities confidentiality, integrity, and availability impacts and the following detrimental effects.
Successful attacks can result in:
● Unauthorized update, insert or delete access to some of Oracle Access Manager accessible data
● Unauthorized read access to a subset of Oracle Access Manager accessible data
● Unauthorized ability to create partial Denial of Service
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
Hub City Media Recognized as ForgeRock's Americas Partner of the Year!
Hub City Media, thought-leaders in the Identity and Access Management (IAM) space, was honored with the ForgeRock Americas Partner of the Year award for 2020…
Hub City Media Recognized as ForgeRock's Americas Partner of the Year!
Hub City Media, thought-leaders in the Identity and Access Management (IAM) space, was honored with the ForgeRock Americas Partner of the Year award for 2020.
Hub City Media offers advisory and implementation services alongside managed cloud and support services across the globe for a wide range of industries. With over 20 years of IAM experience, Hub City Media’s extensive and ever growing expertise in the industry continues to make them a leading partner for ForgeRock’s modern Identity platform.
"We are very excited to recognize Hub City Media as our Partner of the Year,” said Mark Francetic, Vice President - Alliances and Channels Sales at ForgeRock. “They are a go-to Partner for our customers and our sales teams nationally, and very much deserve this award.”
With a staff fully committed to ForgeRock Identity and Access Management (IAM) technology, Hub City Media provides valuable insight and recommendations resulting in their client’s success and increased return on investment.
“Partnering with ForgeRock in 2015 was an easy decision, and since then, the partnership has exceeded every expectation,” said Philippe Monrougie, CEO of Hub City Media. “Every single person at our organization has played an integral role in making this award possible - our people are our most valuable differentiator.”
For more information about Hub City Media, please visit www.hubcitymedia.com or contact marketing@hubcitymedia.com
Oracle Releases Quarterly Security Patch Updates - January 2020
Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Oracle Identity Manager (OIM)
Product: Oracle Identity Management
Subcomponent(s): Advanced Console
Patch Number: 30338509
Vulnerability Details: Supported versions affected are 11.1.2.3.0 and 12.2.1.3.0. An easily exploitable vulnerability allows a low privileged attacker with network access via HTTP to compromise Identity Manager.
Successful attacks can result in:
Unauthorized update, insert or delete access to some of Identity Manager’s accessible data
Unauthorized read access to a subset of Identity Manager accessible data
WebLogic Server
Product: Oracle Weblogic Server
Subcomponent(s): WLS Core Components, Application Container - Java EE, Console
Patch Number: 30463097 - Estimated Availability January 31, 2020
Vulnerability Details: Easily exploitable vulnerabilities that allow an unauthenticated attacker with network access via IIOP or T3 to compromise Oracle WebLogic Server. Easily exploitable vulnerabilities that allow a high privileged attacker with network access via HTTP or a logon to the infrastructure where Weblogic Server executes to compromise Oracle WebLogic Server. Some vulnerabilities require human interaction, and while these the vulnerability is in Oracle Weblogic Server attacks might significantly impact additional products.
Successful attacks can result in:
Takeover of Weblogic Server
Unauthorized access to critical data or complete access to all accessible data
Unauthorized update, insert, or delete access to Weblogic accessible data
Unauthorized read access to subset of Weblogic accessible data
Unauthorized ability to cause partial denial of service
Java SE
Product: Java SE
Subcomponent(s): Serialization, Security, Networking, Libraries
Patch Number: 13079846
Vulnerability Details:
This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity, and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols to compromise Java SE. Successful attacks can have a variety of detrimental effects.
Successful attacks can result in:
Attacker takeover of Java SE
Unauthorized complete manipulation of Java accessible data, including access, write, delete, and modify
Unauthorized ability to cause a partial denial of service (partial DOS) of Java SE
Unauthenticated attacker with network access via Kerberos to compromise Java SE
Oracle HTTP Server
Product: Oracle Fusion Middleware
Subcomponent(s): OSSL Module, Web Listener
Patch Number: 30654519
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle HTTP Server and allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server.
Successful attacks can result in:
Partial DOS of the HTTP Server
Unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data as well as unauthorized read access to a subset of Oracle HTTP Server accessible data
Oracle Solaris
Product: Oracle Solaris 11
Subcomponent(s): Consolidation Infrastructure,Filesystem,Kernel,X Window System,SMB Server
Patch Number: 30681152, 30681156
Vulnerability Details: Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Easily exploitable vulnerability allows unauthenticated attacker with network access via SMB to compromise Oracle Solaris
Successful attacks can result in:
Takeover of Oracle Solaris
Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris.
Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris
BI Publisher
Product: Oracle Business Intelligence Enterprise Edition
Subcomponent(s): Analytics Server and Analytics Web General (OpenSSL)
Patch Number: 30677050
Vulnerability Details:
Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Business Intelligence Enterprise Edition.
Successful attacks can result in:
Unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
Hub City Media Expands to Rossville, IL!
We’re thrilled to announce that we’ve opened an office in Rossville, IL!
Stay tuned for more updates and the latest on on Rossville office!
ForgeRock and Hub City Media Dive into UMA and Healthcare Modernization
In this webinar, Eve Maler of ForgeRock and Steve Giovannetti of Hub City Media take a deep dive into UMA and IAM Modernization in Healthcare. Watch the replay…
Patient and Member Journeys Matter!
Building Superior Experiences in Connected Health, IoT and Data Sharing
Today, it is essential for healthcare organizations to provide users:
Access to consolidated medical records
Control over health data-sharing
The ability to leverage valuable IoT device data
The ability to manage care coverage transitions
Your patients and members expect active and personalized involvement in their own health outcomes using a variety of digital channels. To offer them the best possible health data protection, you need to support state-of-the-art Identity and Access Management (IAM) technologies and techniques.
In this webinar, you will learn about:
Health IoT and data-sharing best practices
Connected-health user journeys
Standards for patient-centric health data-sharing
How to modernize IAM to avoid healthcare security missteps
Watch the replay!
ABOUT THE SPEAKERS:
Eve Maler is a renowned strategist, innovator and communicator on digital identity, access, security and privacy, with particular focus on creating successful wide-scale ecosystems and fostering individual empowerment. Eve drives Identity Relationship Management innovation for the ForgeRock Identity Platform; she also directs ForgeRock’s involvement in related industry standards, particularly for access control and privacy, to which end she leads the User-Managed Access (UMA) standards effort.
Steve Giovannetti is the CTO and Founder of Hub City Media, an Identity and Access Management consultancy specializing in IAM implementations, product development and support services. Giovannetti has been working in Identity since 1999 with a heavy focus on containerized solutions and running IAM in the cloud. For more information, visitwww.hubcitymedia.com.
Hub City Media Teams with CyberArk - #1 in Privileged Access Security
Hub City Media partners with CyberArk, the global leader in the Privileged Access Security…
Hub City Media has teamed with CyberArk, the global leader in the Privileged Access Security, to deliver innovative cybersecurity solutions to reduce risk across an expanding attack surface.
As the Privileged Access Security pioneer, CyberArk enables Hub City Media to deliver a complete Identity and Access Management (IAM) portfolio to improve compliance and reduce risk. With CyberArk, Hub City Media is now a one-stop shop for comprehensive IAM solutions.
We are proud to join the CyberArk Partner Network!
Hub City Media featured on latest Ask TOM talk by Oracle
Database Authentication was the focus of July’s Office hours at Oracle…
Database Authentication was the focus of July’s Office hours at Oracle. Hub City Media's Jud Williford discussed different types of authentication, contrasted benefits and implementation requirements, and talked through a demo of our Multi-factor Authentication product for Oracle.
Check out the replay!
Jud Williford leads the Database Security practice at Hub City Media. He previously worked for 30 years at Fedex as a DBA and IT Architect, ultimately responsible for database security processes and annual attestations before external auditors.
July 2019: ForgeRock Releases Security Patch Updates
Hub City Media advises all ForgeRock customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure ForgeRock IAM environments remain secure, we are advising that ForgeRock has released Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
AM Web Agents
Product: AM Web Agent, versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Subcomponent(s): Web Agent
Issue Number(s): 201902-01, 201902-03, 201902-04
Vulnerability Details:
These vulnerabilities allow:
AM Web Agents to be started with misconfigured notifications, which will give revoked sessions the ability to access protected resources
AM Web Agent heap memory to be extracted by a local attacker, exposing sensitive information
Mishandled String operations to potentially crash the AM Web Agent
These vulnerabilities are resolved in AM Web Agent version 5.6.1.0
AM Java Agents
Product: AM Web Agent, versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Subcomponent(s): Java Agent, jackson-databind 2.x
Issue Number(s): 201902-02
Vulnerability Details:
These vulnerabilities allow:
A remote user to access local files through an issue with Polymorphic Typing in FasterXML jackson-databind 2.x before 2.9.9
These vulnerabilities are resolved in AM Java Agent version 5.6.1.0
AM/OpenAM
Product: AM versions 6.5.0-6.5.0.1, 6.0.0-6.0.0.6, 5.0.0-5.5.1
OpenAM versions
Subcomponent(s): AM/OpenAM Core Server
Issue Number(s): 201901-01, 201901-02, 201901-03, 201901-04, 201901-05, 201901-06, 201901-07, 201901-08
Vulnerability Details:
These vulnerabilities allow:
A man-in-the-middle attack to be performed on AM/OpenAM Core Server through certain configurations of OAuth2 clients
Policies to be created for unentitled resources through a bug in access control
Takeover of AM/OpenAM Core Server through a cross-site scripting attack
Server certificates to be incorrectly configured due to TLS hostname verification being disabled by default on some services
Authentication to be bypassed in certain SAML session upgrade scenarios
An attacker to redirect an end user to a site they control through Agent based CDSSO not correctly validating redirect URLs
Memory account lockout to fail to work
Redirect URLs to be unvalidated through improper error handling by OAuth2
These vulnerabilities are resolved in versions 6.5.0.2 or 6.0.0.7 depending on your current version of AM/OpenAM.
WEBINAR SERIES - Modernization of IAM: Ensuring your system is future-proof
Join ForgeRock and Hub City Media for a two-part webinar series to learn exactly how much value a modern IAM platform can bring to your organization…
ForgeRock and Hub City Media co-host a two-part webinar series on IAM Modernization
Part 1: Migrating to a Modern IAM Platform - Long-term Value and Risks
Legacy IAM vs. Modern IAM - Should you stay or should you go?
Capabilities comparison
Keeping pace with current market demands
Preview of what a modern IAM deployment looks like
Short-term and long-term benefits of modernizing IAM
Potential roadblocks to consider and how to overcome them
Watch Part 1
Part 2: Moving off of a Legacy System - How to migrate successfully
Learn how to make migrating IAM systems seamless, and the best strategies to consider for deployment.
Parallel Deployments vs. Coexistence vs. Rip-and-Replace: Which method makes sense for your organization? What are the pros and cons of each?
How to migrate efficiently, successfully and securely
Why migrating a wide variety of applications can be a roadblock, and how to overcome it
Use Case Spotlight - Successful client journeys
Watch Part 2
Learn the true value of modernizing your IAM platform, and ensure your system is future proof with this series!
HCM to Run Live Demos at ForgeRock's Identity Live in Nashville
Hub City Media to host a demo booth this year at ForgeRock's Identity Live in Nashville…
Hub City Media will be hosting a demo booth during Identity Live in Nashville, and is inviting all attendees to stop by to check out live demos of Governance 2.5. New features include an Enhanced User Interface, and Entitlement Glossary and OIDC integration.
As a proud ForgeRock partner, we're excited to have the opportunity to showcase the Governance product we've built directly on top of the ForgeRock Identity Platform. It's important we show Summit-goers how Governance can help their business with compliance needs, as well as the appropriate access and roles of their employees and customers. Most importantly, it can be deployed in the cloud with ForgeRock, and it’s very easy to install and run.
We hope to see you there!
April 2019: Oracle Releases Quarterly Security Patch Updates
Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Java SE
Product: Oracle Java SE
Component(s): RMI, Libraries, 2D
Patch Number: 13079846
Vulnerability Details:
This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols to compromise Java SE. Successful attacks can have a variety of detrimental effects.
Successful attacks can result in:
Attacker takeover of Java SE
Ability to cause hangs or complete crashes of Java SE
Unauthorized complete manipulation of Java accessible data, including access, write, delete and modify.
Solaris
Product: Oracle Solaris
Component(s): IPS Package Manager, SunSSH, File Locking Services
Patch Number: 11.3.36.10.0
Vulnerability Details:
This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity, and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols (including logon access) to compromise Oracle Solaris.
Successful attacks can result in:
Unauthorized read access to Solaris file systems
Partial Denial of Service (DoS)
Unauthorized complete manipulation of Solaris accessible data, including access, write, delete and modify
SOA
Product: Oracle SOA Suite
Component(s): Fabric Layer
Patch Number: 29625018
Vulnerability Details:
This patch update corrects vulnerabilities that allow unauthorized read access to a subset of Oracle SOA as well as grant an unauthenticated attacker with network access, via HTTP, the ability to compromise Oracle SOA.
Successful attacks can result in:
Unauthorized Read access to Oracle SOA data
Unauthenticated Attacker can compromise Oracle SOA
Weblogic
Product: Oracle Weblogic Server
Component(s): WLS Core Components, EJB Container, WLS Core Components
Patch Number: 27820719
Vulnerability Details:
This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through HTTP and T3 to compromise Oracle Weblogic Server.
Successful attacks can result in:
A takeover of Oracle WebLogic Server
BI Publisher (formerly XML Publisher)
Product: BI Publisher, version 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0
Subcomponent(s): BI Publisher Security
Patch Number: 29492717
Vulnerability Details:
Easily exploitable vulnerability allows unauthenticated, high or low attacker with network access via HTTP to compromise BI Publisher. This vulnerability may impact additional products.
Successful Attacks can result in:
Unauthorized access to critical data or complete access to all BI Publisher accessible data
Unauthorized access to critical data or complete access to all BI Publisher accessible data
Unauthorized update, insert or delete access to some of BI Publisher accessible data.
Unauthorized read access to a subset of BI Publisher accessible data
Oracle HTTP Server (OHS)
Product: Oracle HTTP Server, version 12.2.1.3.0
Subcomponent(s): Web Listener (curl)
Patch Number: 29407043
Vulnerability Details:
The supported version affected is 12.2.1.3.0. An easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server.
Successful attacks can result in:
Takeover of Oracle HTTP Server
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
ForgeRock Releases Directory Services Security Advisory
Hub City Media advises all ForgeRock clients review this security vulnerability with their team…
As part of Hub City Media’s ongoing efforts to ensure ForgeRock IAM environments remain secure, we are advising that ForgeRock has released a security advisory update for Directory Services.
To maintain the best possible security posture, please review this patch with your team.
For assistance with applying this patch, contact us.
ForgeRock Directory Services 5.5.2
Component: Core Server
Security Advisory #201803: ForgeRock has discovered a Medium-level security vulnerability in ForgeRock Directory Services (DS) 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS / OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0.
Release Notes for 5.5.2: ForgeRock maintenance releases provide fixes to existing bugs that improve functionality, security and performance for your DS deployment. No new features have been introduced. The release can be deployed as an initial deployment or used to upgrade from an existing version.
Vulnerability Details: The password policy response control is returned incorrectly when an account is locked and a bind operation for the account includes the correct password. As a result, it is possible to brute force a locked account’s password even after it has been locked due to too many authentication failures.
Resolution: Update / upgrade to DS 5.5.2 or deploy the relevant patch bundle.