October 2018: Oracle Releases Quarterly Security Patch Updates
Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Java SE
Component: Oracle Java SE 7
Sub-Component(s): Hotspot, JNDI, JSSE, Sound, Deployment (libpng), Security, Networking
Patch Number: 13079846
Vulnerability Details:
This Critical Patch Update contains 12 new security fixes for Oracle Java SE. These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. Some vulnerabilities are easily exploitable, and most allow an unauthenticated attacker with network access, via multiple protocols, the ability to compromise Java. Some vulnerabilities require human interaction from a person other than the attacker and while the vulnerabilities are in Java SE, attacks may significantly impact additional products.
Successful attacks can result in:
Partial Denial of Service of Java SE
Unauthorized update, insert or delete access to some of Java SE
Takeover of Java SE
WebLogic Server
Component: Oracle WebLogic Server (version 10.3.6.0)
Sub-Component: WLS Core, sample apps (Spring Framework), WLS Web Services, Console
Patch Number: 28343311
Vulnerability Details:
Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via HTTP or T3 to compromise Oracle WebLogic Server. Successful exploitation of these vulnerabilities can result in takeover of Oracle WebLogic Server.
Oracle HTTP Server
Component: Oracle HTTP Server (version 12.2.1.3)
Sub-Component: Web Listener (curl)
Patch Number: 28281599
Vulnerability Details:
This difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks on this vulnerability can result in takeover of Oracle HTTP Server.
Oracle Identity Manager
Component: Oracle Identity Manager (versions 11.1.2.3.0 and 12.2.3.1.0)
Sub-Component: Installer (jackson-databind)
Patch Number: 28768324
Vulnerability Details:
This critical patch contains an important fix for a recently discovered vulnerability in Oracle Identity Manager. The vulnerability allows an attacker with network access via HTTP to compromise OIM. Attacks can allow unauthorized read access to a subset of Oracle Identity Manager accessible data, as well as the ability to cause a partial denial of service of Oracle Identity Manager.
BI Publisher
Component: BI Publisher (versions 11.1.1.7.0, 11.1.1.9.0)
Sub-Component: BI Publisher Security (Apache Log4j)
Patch Number: 28632415 and 28632479, respectively
Vulnerability Details:
This critical patch contains a fix for an exploitable vulnerability. This issue allows an attacker to compromise Oracle Business Intelligence Publisher through the network via HTTP access. A successful attack would result in the takeover of Oracle Business Intelligence Publisher.
JRockit
Component: JRockit (version R28.3)
Sub-Components: Scripting, JNDI, JSSE, Sound
Patch Number: 28414796
Vulnerability Details: JNDI
This critical patch contains fixes for difficult-to-exploit vulnerabilities that allow unauthenticated attackers with network access via multiple protocols to compromise JRockit. Some attacks require human interaction from a person other than the attacker. Attacks may significantly impact additional products.
Successful attacks can result in:
Takeover of JRockit
Partial denial of service to JRockit
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
See you at OpenWorld 2018!
We’ll be at OpenWorld this year. Will we see you there?
Hub City Media attended Oracle OpenWorld in San Francisco in October, and had valuable discussions about Cloud, Database Security and Identity.
We’d be happy to meet to recap the conference and discuss how we can ensure success for your Oracle IAM environment.
Looking forward to next year!
WEBCAST - Containerized IAM on Amazon Web Services (Part 3/3)
On September 12, we concluded our Webcast series with ForgeRock and showed why you don’t need to settle for a standard IDaaS solution and how you can get the exact IAM solution you want - in the cloud…
That’s a wrap on our three-part series on Containerized IAM! Watch the replay of #3 below:
AUDIENCES EXPERIENCED:
Lessons learned from running the ForgeRock Platform in the cloud
Benefits and challenges of choosing containerized IAM in the cloud
How Kubernetes impacts operations
CI/CD pipeline: How this changes configuration, ongoing development, patching and upgrades
Plus: We’ll take you beyond AWS and discuss alternative approaches to containerized deployment.
Speakers Wajih Ahmed, Senior Director of Global Advanced Customer Engineering at ForgeRock and Steve Giovannetti, CTO & Founder of Hub City Media delved into how you can deploy using this model.
WEBCAST - Containerized IAM on Amazon Web Services (Part 2)
On August 15th, we partnered with ForgeRock to dive deeper into Containerized IAM. Watch the replay…
That's a wrap on Webcast #2! Even though it's over, you can still watch the replay here.
Audiences experienced an in-depth review of:
Assets and processes needed to containerize ForgeRock
Architecture and processes guiding containerized IAM on Amazon Web Services
How containers are deployed into Kubernetes
Monitoring and management strategies
Continuous integration configuration
BONUS: A demonstration of a deployment of ForgeRock into Kubernetes
Speakers Warren Strange, Engineering Director at ForgeRock and Steve Giovannetti, CTO & Founder of Hub City Media
WEBCAST - Containerized IAM on Amazon Web Services (Part 1)
On July 18th, we joined with ForgeRock to show why you don’t need to settle for a standard IDaaS solution and how you can get the exact IAM solution you want - in the cloud. Watch the replay…
That's a wrap on Webcast #1! Even though it's over, you can still watch the replay here.
Audiences discovered how running your IAM on AWS gives you the exact solution that you want with the operational model of a SaaS.
July 18, 2:00-3:00pm EST
ForgeRock and Hub City Media have partnered together to deploy flexible and scalable IDaaS solutions using:
Docker (containerization)
Kubernetes (orchestration)
AUDIENCES LEARNED:
Why AWS is a powerful environment for running containerized IAM solutions and how it can meet all of your business needs
How ForgeRock is leveraging Docker (containerization) and Kubernetes (orchestration) to prepare their platform for the cloud
Why clients are choosing this path and how they’re using containerization today to reduce costs and implement complex use cases in the cloud
Speakers Warren Strange, Engineering Director at ForgeRock, and Steve Giovannetti, CTO & Founder of Hub City Media, explained how you can deploy using this model.
Don’t fear the move from on-premise Identity to the cloud.
Don’t settle for an Identity solution that is anything less than exactly what you need.
April 2018: Oracle Releases Quarterly Security Patch Updates
Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Component: Oracle Java SE 7
Sub-Component(s): Hotspot, Security, AWT, Concurrency, JAXP, JMX, Serialization, RMI
Patch Number: 13079846
Vulnerability Details:
There were 11 new vulnerabilities discovered in Java 7. These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. Some vulnerabilities are easily exploitable, and most allow an unauthenticated attacker with network access via multiple protocols the ability to compromise Java. Some vulnerabilities require human interaction from a person other than the attacker, and while the vulnerabilities are in Java SE, attacks may significantly impact additional products.
Successful attacks can result in:
- unauthorized read, update, insert or delete access to some of Java SE accessible data
- unauthorized creation, deletion or modification access to critical data or all Java SE accessible data
- unauthorized ability to cause a partial denial of service (DOS) of Java SE
- unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data
- takeover of Java SE, Java SE Embedded
Some vulnerabilities can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. They can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. Other vulnerabilities apply to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
Component: Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
Sub-Component(s): WLS Security (Apache OpenJPA), WL Diagnostics Framework (Apache Log4j), Sample apps (jackson-databind), WLS Core Components
Patch Number: 27453773
Vulnerability Details:
This Critical Patch contains three fixes for Oracle WebLogic Server versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. These vulnerabilities are easy to exploit, allowing unauthenticated attackers with network access via HTTP or T3 to:
- compromise Oracle WebLogic Server and perform a takeover of Oracle WebLogic Server
This Critical Patch also contains a fix for Oracle WebLogic Server version 12.2.1.3. This vulnerability is easy to exploit, allowing an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server and:
- gain unauthorized update, insert or delete access to some Oracle WebLogic Server accessible data
- gain unauthorized read access to a subset of Oracle WebLogic Server accessible data
- gain unauthorized ability to cause a partial denial of service (DOS) of Oracle WebLogic Server
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
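As an added check that is not part of either Oracle advisory or of Hub City Media's summaries, the script below parses saved `opatch lsinventory` output and reports which of the OPatch-managed patch numbers listed in the October 2018 and April 2018 summaries above are still missing from an Oracle home. The inventory excerpt is constructed for the example; the expected-patch list passed on the command line is an assumption you tailor to each home.

```python
import re
import sys

# Patch numbers are the ones listed in the October 2018 and April 2018 summaries above.
# Oracle Java SE 7 (patch 13079846) is a JDK update rather than an OPatch interim patch,
# so it is not in this table; confirm it with `java -version` instead.
REQUIRED_PATCHES = {
    "28343311": "Oracle WebLogic Server 10.3.6.0 (Oct 2018 CPU)",
    "28281599": "Oracle HTTP Server 12.2.1.3 (Oct 2018 CPU)",
    "28768324": "Oracle Identity Manager 11.1.2.3.0 / 12.2.3.1.0 (Oct 2018 CPU)",
    "28632415": "BI Publisher 11.1.1.7.0 (Oct 2018 CPU)",
    "28632479": "BI Publisher 11.1.1.9.0 (Oct 2018 CPU)",
    "28414796": "JRockit R28.3 (Oct 2018 CPU)",
    "27453773": "Oracle WebLogic Server 10.3.6.0 - 12.2.1.3 (Apr 2018 CPU)",
}

# Constructed sample in the shape of `opatch lsinventory` output; the dates,
# unique patch ids and descriptions are made up for this example.
SAMPLE_LSINVENTORY = """\
Oracle Interim Patch Installer version 13.9.4.0.0

Interim patches (2) :

Patch  27453773     : applied on Fri Apr 27 09:12:03 EDT 2018
Unique Patch ID:  22148400
Patch description:  "WLS PATCH SET UPDATE 10.3.6.0.180417"
   Created on 2 Apr 2018, 10:26:31 hrs PST8PDT
   Bugs fixed:
     27453773

Patch  28281599     : applied on Mon Oct 22 14:05:41 EDT 2018
Unique Patch ID:  22466436
Patch description:  "OHS BUNDLE PATCH 12.2.1.3.181016"

OPatch succeeded.
"""

# One line per applied interim patch: "Patch  <id>     : applied on <date>"
PATCH_LINE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on\s+(.+?)\s*$", re.MULTILINE)


def applied_patches(lsinventory_text):
    """Map patch id -> 'applied on' date for every interim patch in the inventory text."""
    return {m.group(1): m.group(2) for m in PATCH_LINE.finditer(lsinventory_text)}


def missing_patches(lsinventory_text, expected_ids):
    """Return {patch_id: description} for the expected patches the inventory does not show.

    expected_ids should be the subset of REQUIRED_PATCHES that applies to this
    Oracle home (a WebLogic-only home will never carry the OHS or BI Publisher patches).
    Ids not in REQUIRED_PATCHES are reported with a generic description.
    """
    applied = applied_patches(lsinventory_text)
    return {
        pid: REQUIRED_PATCHES.get(pid, "patch not in this advisory summary")
        for pid in expected_ids
        if pid not in applied
    }


def report(lsinventory_text, expected_ids):
    """Print a human-readable summary; return True when nothing is missing."""
    missing = missing_patches(lsinventory_text, expected_ids)
    for pid, when in sorted(applied_patches(lsinventory_text).items()):
        print(f"applied  {pid}  ({when})")
    for pid, desc in sorted(missing.items()):
        print(f"MISSING  {pid}  {desc}")
    return not missing


if __name__ == "__main__":
    # Real use: opatch lsinventory > inv.txt; python check_cpu.py inv.txt 28343311 27453773
    if len(sys.argv) > 2:
        with open(sys.argv[1]) as fh:
            text = fh.read()
        ids = sys.argv[2:]
    else:
        # Demo against the constructed inventory: the April WLS PSU is present,
        # the October WLS PSU is not, so the exit status is non-zero.
        text, ids = SAMPLE_LSINVENTORY, ["27453773", "28343311", "28281599"]
    sys.exit(0 if report(text, ids) else 1)
```

A non-zero exit status makes the check usable from a scheduled job or CI step that flags homes that still lack a listed patch.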
What Happens in the Cloud, Stays in the Cloud: AWS re:Invent takes Vegas
This conference is an eye opener for anyone in the field, from potential developers to CTOs...
From November 27 to December 1, the city of Las Vegas was a hub for Identity and Cloud discussions - from the Gartner IAM Summit to the AWS (Amazon Web Services) re:Invent Cloud Conference. With an ever changing industry landscape, it can be difficult to keep up; however, the AWS conference brought a multitude of new ideas to the table and did not disappoint.
Members of the Hub City Media team attended re:Invent, including CTO and founder Steve Giovannetti. “This is the future of how systems are going to get developed. We’re going to start seeing more people going to the cloud, more interesting uses of the cloud and serverless technologies like AWS Lambda. This is the next step in the cloud evolution.”
Thousands attended the conference, bustling back and forth between keynotes and tech talks. One talk that stood out to our team was “Automating DDoS Response in the Cloud,” focusing on how to automate security infrastructure. Large-scale cyber security attacks are becoming more and more frequent - staying a step ahead of hackers is crucial to keeping our data safe. We were able to see what innovations AWS is making in the cloud, including using an Amazon Dash Button to run scans or asking Alexa if they’d been hacked. Looks like she does more than report weather!
Giovannetti also participated in the annual AWS Hackathon, along with about 400 others. Teams worked on completing a series of challenges over the span of eight hours - many providing difficult hurdles to overcome. The challenges spanned from requiring forensic analysis to taking a broken environment, repairing and then hardening it. Through this, the audience was able to see the extensive security features and services offered by AWS.
One of the most interesting aspects of the conference was seeing how AWS’s biggest clients, like Netflix and Capital One, are leveraging the platform. The major common thread between these types of clients is the use of automation as the key to managing large environments. Many clients were using AWS Lambda to implement Open Source frameworks at a surprising scale, as well as building functions to enforce security policy.
AWS went through a laundry list of new announcements for their technology, including AWS support for Kubernetes and the Amazon GuardDuty intelligent threat detection system. One of our many takeaways from this conference is that, with the incredible number of talks, meetings and keynotes to attend, attendees really need to focus on one track and stick to it in order to walk away with the most value. This conference is an eye opener for anyone in the field, from potential developers to CTOs - even if you don’t use AWS, the conference still provides copious amounts of new and important information.
Hub City Media’s Security Engineer, Eli Krantz, was very satisfied with his learning experience and enjoyed the “TED-talk-like” atmosphere. “Anyone who is uncertain about moving to the cloud will change their mind after attending this conference. I went in liking the cloud, but for the skeptics out there, this is a great one to attend. It really gets you thinking about how to handle and audit security in the future. I left with a much stronger understanding of AWS security practices, and I’m excited to use this in the field.”
See you next year!
For a closer look at what went on at the conference this year, check out the AWS youtube channel.
Join Us at ForgeRock's 2017 Identity Summit
Will you be there?
Attending ForgeRock's Identity Live In Austin This Year?
We'd Love To See You There! We'll Be Showcasing Our Governance, Reporting and Delegated Admin Products.
Where: ACL Live at The Moody Theater - 310 Willie Nelson Blvd. Austin, Texas 78701
When: Tuesday, May 2 - Wednesday, May 3
Looking forward to seeing you there!
Cloud Focus at Oracle Open World 2016
Hub City Media attending OOW 2016, bringing Oracle-complementary Cloud products...
Are you looking to deploy to the cloud? Hub City Media products combined with Oracle IDCS can help.
- HCM IDCS Webgate - Save money and time by managing on-premise Access Management Systems from the cloud
- HCM IDCS MFA for DB - Ensure secure VPN and database access with Two-factor Authentication and avoid detrimental breaches
- HCM IDCS Provisioning - Eliminate the need for local provisioning
- HCM cloudMFA™ - Out-of-the-box Authy integration for Oracle Access Manager
- AutoInstaller - One-click, full Oracle product installations in less than one hour
Find the solution that's right for you. Contact us today to preview these products at this year's OOW!
Enterprise User Security Lunch & Learn with Oracle
Atlanta Lunch & Learn on Enterprise User Security sparks important discussion...
Hub City Media (HCM) and Oracle hosted a Lunch & Learn event in Atlanta on April 7, 2016, providing industry leaders with the opportunity to discuss Enterprise User Security (EUS). The discussion focused around simplifying user management and avoiding common security risks.
As enterprises keep up with data proliferation, database tasks such as provisioning, resetting passwords, assigning roles and managing privileges become a greater challenge. We established this forum to help businesses understand how to consolidate / manage user credentials and privileges using Directory services while strengthening security and compliance.
HCM presented various case studies around EUS, showcasing our ability to assist customers with database issues by implementing EUS, and were well-received by the audience. Two examples are detailed below.
National Insurance Company
Business Problem
- Manage database access by individuals with AD credentials
- Include multiple AD domains across operational groups in multiple data centers
- Retain user identity in database account name
Technical Solution
- Enterprise User Security
- OUD with replication across data centers
- OUD proxy links to 3 AD domains
- Dedicated Schema account mappings
National Healthcare Management
Business Problem
- Healthcare breaches in the news
- Risk focus on individual user database access: authentication and authorization
- Risk assessment showed poor password management and orphan account management
Technical Solution
- Enterprise User Security
- OUD with replication across data centers
- OUD proxy to Active Directory
- Mix of Shared and Dedicated Schema account mappings
- Enterprise roles provisioned via group membership
Demonstration on Oracle Enterprise User Security. Presented by Hub City Media, Inc.
Even if you’re already using Oracle Data Redaction, Database Firewall, Virtual Private Database and / or Fine Grained Auditing, EUS can also significantly improve the quality and enforcement of your policies. This feature can simplify account provisioning across ALL Oracle databases and can be fully managed through an Active Directory.
If you'd like to learn more about EUS or any of our Database Security or IAM offerings, we'd be happy to help! Contact us for more information.
Hub City Media is a software integrator specializing in sophisticated Identity and Access Management solutions, custom software development and integrations. We provide fully customizable Professional Services and 24 / 7 / 365 Managed Support tailored to the specific needs of each organization.
World Famous Hacker, Kevin Mitnick, Stuns Audience During RSAC
He used to be one of the FBI’s most wanted black hat hackers...
Hub City Media and Oracle host Kevin Mitnick during RSAC 2016
He used to be one of the FBI’s most wanted black hat hackers, but now he uses his expertise to show businesses and audiences the security vulnerabilities that could destroy them. Kevin Mitnick, world famous white hat hacker, joined Hub City Media and Oracle to share game-changing insights on cybersecurity during the RSA Conference this year. Mitnick is a hands-on, entertaining and versatile presenter, using live technology to make unforgettable impressions on the audience and drive home the dangers of cybercrime.
The results of what he does during his presentations are “shocking and sobering” as the audience walks away with a heightened sense of their susceptibility to cyber-attacks. During the presentation, a brave volunteer allowed Mitnick to “hack” her live. In a matter of moments, he captured her birthday, mother’s maiden name and social security number - all with only a name. From that moment on, if Mitnick were a malicious hacker, he could have wreaked havoc with her identity, doing untold damage to her bank accounts, credit score and even reputation!
Seeing Mitnick secure this stolen data in front of a live audience is a truly eye opening experience, illuminating the minimal effort it takes for a hacker to essentially ruin someone’s life or business. “It’s disconcerting to see how easy it is for someone to get access to such personal, private information,” said Philippe Monrougie, CEO of Hub City Media.
Mitnick focused largely on security dangers that we are exposed to every day - not just cyber, but physical attacks as well, enlightening the audience on social engineering. People are the weakest security link. Who in your organization would be an easy target for a hacker? Individuals who may not be as sophisticated with technology could be first on the list. Insecure password storage and vulnerability to scams are among the long list of ways people can be manipulated, leading to problematic holes in an organization’s security infrastructure. We can secure machines to the highest standards, but engineering a human to avoid sophisticated social attacks is not something that can be packaged.
Cybercrime is on the rise and growing at a rampant pace. It is absolutely crucial to carefully assess your vulnerabilities and develop a strategy to address them, or you and your business could be next.
Hub City Media is a software integrator specializing in sophisticated Identity and Access Management solutions, custom software development and integrations. We provide fully customizable Professional Services and 24 / 7 / 365 Managed Support tailored to the specific needs of each organization.
Contact Us For More Information
Hub City Media Hosts the Boston Bruins Mobile Security event with Oracle's Security Team
In the next 6 years there will be a 75% increase in user access shaped by a mobile architecture (Gartner, 2014)...
New findings indicate that in the next 6 years there will be a 75% increase in user access shaped by a mobile architecture (Gartner, 2014). With such prominent trends already making their mark on today’s businesses, the Federal Bureau of Investigation’s cyber security division is teaming up with Oracle Corporation and Hub City Media to inform companies of the impending need for developing new security strategies, the potential risk and oversight, and the preventative measures to successfully protect user data and improve productivity.
Gartner, Forrester Research, and technical experts worldwide are reporting exploding statistics about mobile trends, stating that by 2020, 80% of user access will be shaped by mobile and non-PC architectures, leaving companies who jump on the bandwagon even more vulnerable to attack. (Gartner, 2014)
In a time when security slip-ups lead to international PR nightmares, information security is of the utmost importance to a company’s success, and the development of a productive and secure mobile security strategy should be at the forefront of its 5-year plan.
With the help of the Federal Bureau of Investigation, Oracle Corporation and Hub City Media have begun to build out security networking communities in major cities across the country. Each city marks a new cyber security executive round table; an exclusive networking opportunity for 10-20 local security executives to discuss their biggest security challenges and best practices with their peers and with industry experts from the FBI and Hub City Media.
The mobile security campaign began on the west coast, where FBI special agents in Palo Alto, CA, and Seattle, WA, spoke to rooms filled with Chief Information Officers, Directors of Information Security, and Directors of Applications about the noted cyber threats. The success of the first two events led to two additional round tables, in New York and Denver, CO.
A variety of challenges were discussed during the event, from protecting customer data and maintaining PCI compliance, to BYOD and its consequences. Mobile security guru Steve Giovannetti helped facilitate the following mobile security discussion, providing statistics from Forrester Research: “Currently, 50% of US & European enterprises are implementing official BYOD programs.” This statistic will only grow as employee demand rises and mobile workforces increase.
Hub City Media plans to continue the networking with follow up meetings and virtual user group discussions via private LinkedIn groups. If you are interested in participating in a cyber security user group, feel free to contact us as we are continuously expanding our reach.
New York FBI Cybersecurity Event
The FBI, HCM and Oracle discuss security vulnerabilities...
Oracle / Hub City Media’s 3rd FBI Cyber Security Executive Round Table at the Four Seasons in New York
The New York Cyber Security Executive Round Table took place Tuesday, August 19th, providing 11 New York City security executives with the opportunity to discuss security vulnerabilities with the FBI Special Agent in Charge of the cyber security division, and nine industry experts from Oracle and Hub City Media.
Executives from the financial, media, telecommunications, and manufacturing industries attended the networking luncheon, enjoying a three course meal at the Four Seasons in Manhattan. Special Agent in Charge of the New York FBI Cyber Security division kicked off the event with an impressive security presentation, providing insider secrets into the motives and processes of today’s harmful hackers and explaining real-world examples of their attacks.
A variety of challenges were discussed during the event, from protecting customer data and maintaining PCI compliance, to BYOD and its consequences. Mobile security expert Steve Giovannetti helped facilitate the preceding mobile security discussion, providing statistics from Forrester Research: “Currently, 50% of US & European enterprises are implementing official BYOD programs.” This statistic will only grow as employee demand rises and mobile workforces increase.
Post-event surveys indicated that the customers highly valued both the opportunity to network with their peers and the presentations provided by our industry experts. Through the success of this first event, we are building a security user group for the New York security community, enabling these executives to continue networking via a private LinkedIn group, as well as future meet-up events to come.
Oracle Press Release Commends HCM
Hub City Media recognized as a key Oracle partner...
Oracle Press Release Commends Hub City Media for Customer Enablement
A press release was published today by Oracle's Identity Management team, titled "Oracle Identity Management Achieves Significant Customer and Partner Adoption." Discussing customer trends towards developing a "unified approach to enterprise wide identity management," it named Hub City Media as a key partner, enabling customers with "consistent access controls" and an "optimized user experience across the extended enterprise."
Hub City Media Attends WWDC!
At the conference, HCM explored Apple's latest operating system offerings and connected them with our own app, IdentityCert...Free trial on iTunes!
Three members of the Hub City Media technical team attended the 2014 WWDC conference in San Francisco, CA. Joining our CTO and founder, Steve Giovannetti, were two advanced architects who explored Apple’s latest offerings around iOS 8 and OS X 10.10 Yosemite.
After participating in exclusive keynotes and receiving inside knowledge of Apple's new advancements, they had the opportunity to improve upon Hub City Media's successful mobile application, Identity Cert.
Identity Cert is a mobile identity certification solution that integrates with Oracle's Identity Governance suite to provide its capabilities through a user-friendly mobile application. Using Identity Cert, company managers can view a simplified identity dashboard, complete identity certifications on the go, and resolve identity policy violations in real time.
While at WWDC, the Hub City Media team attended sessions designed to modernize this app, improve the aesthetics, and further integrate it with Apple's latest operating system. Take a look - a free demo is available on iTunes.