Oracle Releases Quarterly Security Patch Updates - July 2020
Hub City Media advises all Oracle customers to review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising customers that Oracle has released its quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Oracle BI Publisher 11.1.1.9.0
Subcomponent(s): Mobile Service, Layout Templates
Patch Number: 31525202
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle BI Publisher and significantly impacts additional products.
Successful attacks can result in:
Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data as well as unauthorized update, insert, or delete access to some of Oracle BI Publisher accessible data.
Oracle BI Publisher 12.2.1.3.0
Subcomponent(s): Mobile Service, Layout Templates, BI Publisher Security
Patch Number: 31525202, 31178889
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle BI Publisher and significantly impacts additional products.
Successful attacks can result in:
Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data as well as unauthorized update, insert, or delete access to some of Oracle BI Publisher accessible data.
Oracle Solaris
Subcomponent(s): Kernel, Operating System Image, Packaging Scripts, libsuri, Device Driver Utility
Patch Number: 11.4.23.69.3
Vulnerability Details:
Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.
Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle Solaris.
Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle ZFS Storage Appliance Kit.
Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.
Successful attacks can result in:
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris
Unauthorized read access to a subset of Oracle Solaris accessible data
Takeover of Oracle ZFS Storage Appliance Kit
Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data
Takeover of Oracle Solaris
Oracle Unified Directory 11.1.2.3.0
Subcomponent(s): Security
Patch Number: 31541461
Vulnerability Details: Easily exploitable vulnerability allows high privileged attackers with network access via HTTP to compromise Oracle Unified Directory. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Unified Directory, attacks may significantly impact additional products.
Successful attacks can result in:
Unauthorized creation, deletion or modification access to critical data or all Oracle Unified Directory accessible data
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Unified Directory
WebLogic Server 10.3.6
Subcomponent(s): Security Service, Core, Console, Log4j, Web Container, Web Services
Patch Number: Patchset: 31178492, ADR Patch: 31241365
Vulnerability Details: Easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP, or T3 to compromise Oracle WebLogic Server. Some attacks require human interaction from a person other than the attacker, and while the vulnerability is in WebLogic Server, those attacks may significantly impact additional products. Successful exploitation has confidentiality, integrity and availability impacts.
Successful attacks can result in:
Takeover of WebLogic Server
Unauthorized creation, deletion or modification access to all Oracle WebLogic Server accessible data
Unauthorized read access to a subset of Oracle WebLogic Server accessible data.
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)
Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data
WebLogic Server 12.2.1.3
Subcomponent(s): Centralized Thirdparty Jars (jackson-databind), Security Service, Core, Centralized Thirdparty Jars (Log4j), Console (Log4j), Web Container, Sample apps, Web Services
Patch Number: Patchset: 31535411, ADR Patch: 31544340
Vulnerability Details: Easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP, or T3 to compromise Oracle WebLogic Server, with confidentiality, integrity and availability impacts. Some of these attacks require human interaction from a person other than the attacker, and while the vulnerability is in WebLogic Server, those attacks may significantly impact additional products. Separately, difficult to exploit vulnerabilities that require human interaction allow an unauthenticated attacker with network access via HTTP to compromise WebLogic Server; these also have confidentiality, integrity and availability impacts.
Successful attacks can result in:
Takeover of Oracle WebLogic Server
Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data
Unauthorized read access to a subset of Oracle WebLogic Server accessible data
Unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)
Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data
Java SE 7
Subcomponent(s): Libraries, 2D, JAXP, JSSE
Patch Number: 13079846
Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Easily exploitable vulnerabilities that allow unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Attacks of these varieties have confidentiality, integrity and availability impacts.
Successful attacks can result in:
Takeover of Java SE, Java SE Embedded
Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data
Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
Unauthorized ability to cause a partial denial of service (partial DOS)
Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data
Java SE 8
Subcomponent(s): Libraries, 2D, JAXP, JSSE
Patch Number: 18143322
Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Easily exploitable vulnerabilities that allow unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Attacks of these varieties have confidentiality, integrity and availability impacts.
Successful attacks can result in:
Takeover of Java SE, Java SE Embedded
Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data
Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
Unauthorized ability to cause a partial denial of service (partial DOS)
Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
Hub City Media partners with Onfido to provide identity verification services to enterprise clients
Hub City Media will resell and distribute Onfido’s identity verification and authentication services integrated with a number of their existing identity solutions including ForgeRock’s modern identity platform…
Onfido, the global identity verification and authentication provider, today announced a partnership with Hub City Media, an Identity and Access Management (IAM) consultancy and ForgeRock’s 2020 America’s Partner of the Year. An expert in technology integrations for IAM customers, Hub City Media will resell and distribute Onfido’s identity verification and authentication services integrated with a number of their existing identity solutions including ForgeRock’s modern identity platform.
Hub City Media offers advisory and implementation services alongside managed cloud and support services across the globe for a wide range of industries. With over 20 years of IAM experience, Hub City Media’s extensive and growing expertise in the industry continues to make them a leading partner for many access management platforms from leaders such as ForgeRock, Oracle and CyberArk.
Onfido’s award-winning Identity Verification service enables document-first onboarding, binding a physical human to their digital credentials with just a picture of a government ID and a selfie, with 98.7% of fraud detected. To achieve this, Onfido uses the best combination of human analysts and machine learning to check for data consistency across the ID, performing image analysis and detecting anomalies in fonts.
By integrating Onfido’s technology, CIAM customers can reduce abandonment rates caused by complex registration forms and create trust with their customers as soon as they are onboarded, providing a more personalized and consistent experience across all their business units. For high-risk transactions or ongoing authentication (for example, money transfers or password resets), a self-service step-up verification / authentication is available that requests a customer selfie which is then matched against the document used to register.
“As a trusted provider of IAM solutions for a number of the largest companies in the world, we only partner with companies offering the most robust and scalable solutions and Onfido fits that bill,” said Philippe Monrougie, CEO of Hub City Media. “Its identity verification solution is second to none providing the best user experiences, fraud detection and simplest integrations we’ve seen, making Onfido an easy proposition for our clients.”
“Having the right technology partners that know our identity solution and the value it brings to IAM architectures is critical for our continued expansion into the enterprise market,” said Husayn Kassai, CEO and Cofounder at Onfido. “Hub City Media is one of those partners that immediately understood the value of our solution and with our existing ForgeRock integration, made them a natural fit.”
Onfido covers over 4,500 ID document types across 195 countries, detecting anomalies automatically, while using human experts to verify outliers.
About Onfido
Onfido is the new standard for digital access. The company uses AI to verify any photo ID and then compares it with the person’s facial biometrics. This use of AI means that businesses no longer need to compromise on customer experience, conversion, privacy or security.
Recognized as a global leader in artificial intelligence for identity verification and authentication, Onfido is backed by TPG Growth, Crane Venture Partners, Salesforce Ventures, M12 - Microsoft’s venture fund, and others. With approximately 400 employees spread across seven countries, Onfido has raised $200m in funding and powers digital access for some of the world’s largest companies.
www.linkedin.com/company/onfido/
About Hub City Media
Founded in 1999 and headquartered in South Plainfield, New Jersey, Hub City Media is a software integrator specializing in sophisticated Identity and Access Management cloud and on-premise solutions, Managed Support Services and custom software development and integrations. Hub City Media provides fully customizable Professional Services and 24 / 7 / 365 Managed Support Services tailored to the specific needs of each organization, with the ability to partner with clients in every global location and time zone.
Four Modern Identity Governance Use Cases - Detroit IAM Meetup
Join the July 15th event to review the journey many organizations have made from manual processes to full automation…
Steve Giovannetti (CTO and Founder of Hub City Media) presented:
Four Use Cases for Modern Identity Governance
July 15th 12:00pm - 1:00pm EDT
Identity and Access Management (IAM) practitioners and vendors have spent countless hours creating applications that automate what has typically been driven using spreadsheets and email. While they certainly have had success improving the lives of system administrators and compliance teams, have they really made it easier for managers and certification professionals?
This session reviewed the journey many organizations have made from manual processes to full automation. Steve defined the real benefits and suggested advanced process improvements that reduce certification workload for all users within the enterprise.
For a replay of the presentation or more information, contact us.
Oracle Releases Quarterly Security Patch Updates - April 2020
Hub City Media advises all Oracle customers to review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising customers that Oracle has released its quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Oracle Solaris 11
Subcomponent(s): SMB Server Kernel Module, Operating System Image, jQuery, Oracle WebLogic Server, SMF command svcbundle, Whodo, Common Desktop Environment
Patch Number: 31009799
Vulnerability Details: Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Sun ZFS Storage Appliance Kit executes to compromise Sun ZFS Storage Appliance Kit. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise StorageTek Tape Analytics SW Tool. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in StorageTek Tape Analytics SW Tool, attacks may significantly impact additional products.
Successful attacks can result in:
Takeover of Oracle Solaris, Sun ZFS Storage Appliance Kit, StorageTek Tape Analytics SW Tool
Unauthorized update, insert or delete access to some of StorageTek Tape Analytics SW Tool accessible data as well as unauthorized read access to a subset of StorageTek Tape Analytics SW Tool accessible data
Unauthorized read, update, insert or delete access to some of Oracle Solaris accessible data
WebLogic Server
Subcomponent(s): Console, Core, WLS Web Services, Management Services
Patch Number: 30857748
Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP or T3 to compromise Oracle WebLogic Server. Easily exploitable vulnerability allows high privileged attackers with network access via HTTP or T3 to compromise Oracle WebLogic Server. Unauthenticated attackers with network access via HTTP can compromise Oracle WebLogic Server with human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Attacks exploiting these vulnerabilities can result in system confidentiality, integrity and availability impacts and have the following detrimental effects.
Successful attacks can result in:
Takeover of Oracle WebLogic Server.
Unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.
Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data
Unauthorized read access to a subset of Oracle WebLogic Server accessible data.
Java SE
Subcomponent(s): Libraries, JSSE, Concurrency, Lightweight HTTP Server, Security, Serialization
Patch Number: 13079846
Vulnerability Details: Vulnerabilities of varying exploitation difficulty allow unauthenticated and high privileged attackers with network access via multiple protocols, including T3 and HTTPS, to compromise Java SE and Java SE Embedded. While the vulnerability is in Java SE and Java SE Embedded, attacks may significantly impact additional products. Successful exploitation has confidentiality, integrity and availability impacts and a variety of detrimental effects.
Successful attacks can result in:
● Takeover of Java SE, Java SE Embedded.
● Unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.
● Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
● Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.
Oracle HTTP Server
Subcomponent(s): Web Listener
Patch Number: 31047338
Vulnerability Details: Easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP to compromise Oracle HTTP Server. Some attacks require human interaction from a person other than the attacker; others can be carried out by an unauthenticated attacker alone. Successful exploitation has confidentiality, integrity and availability impacts and the following detrimental effects.
Successful attacks can result in:
● Takeover of Oracle HTTP Server
● Unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data
● Unauthorized read access to a subset of Oracle HTTP Server accessible data.
Oracle Access Manager
Subcomponent(s): Federation, Authentication Engine, SSO Engine
Patch Number: 30609442
Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Access Manager. Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager. Successful attacks of both types require human interaction from a person other than the attacker, and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products. Successful exploitation has confidentiality, integrity and availability impacts and the following detrimental effects.
Successful attacks can result in:
● Unauthorized update, insert or delete access to some of Oracle Access Manager accessible data
● Unauthorized read access to a subset of Oracle Access Manager accessible data
● Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Access Manager
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
Webinar Event List - April, May 2020
Hub City Media partnered with ForgeRock on a variety of webinar events in April and May of 2020, all focused on various pieces of Identity and Access Management.
Running Identity and Access Management (IAM) Using Docker and Kubernetes
A Technical Look into Deploying and Operating Containerized IAM
Time is of the essence when it comes to developing and deploying capabilities that support remote work and online business. One of the best ways to speed time to market and increase efficiency is through an IAM solution that supports a DevOps model utilizing containerization and orchestration technologies such as Docker and Kubernetes.
ForgeRock Engineering Director, Warren Strange and Hub City Media CTO and Founder, Steve Giovannetti, give a deep technical look at the architecture behind a containerized IAM solution and what your team needs for a successful deployment. They cover:
Architecture and processes guiding containerized IAM on public cloud solutions (AWS, GCP, Microsoft Azure)
Improving your DevOps workflow using Kustomize / Skaffold
Lessons learned and a look into successful customer environments
Demonstration: ForgeOps and deploying the ForgeRock platform into the cloud
Plus, get a sneak peek at an upcoming ForgeRock 7.0 feature around scaling Directory Services in the cloud!
WEBINAR SERIES: The Evolution and Modernization of Identity Governance
Despite high risk, effort and resource time, many organizations are still trying to address their audit and governance requirements using manual processes and spreadsheets. Others are using complex and costly platforms when a simpler, more cost-effective solution is available.
Join ForgeRock and Hub City Media for a two-part webinar series to learn exactly how much a modern governance platform can help.
PART 1: The Value of Modern Identity Governance
Increase Security, Productivity and Cost Savings with the Right Solution
This webinar is targeted at executives and IAM leaders who want answers to critical questions like:
Why is it necessary to transition from manual to automated processes?
What features do you really need from a governance solution?
How do you modernize and implement processes that maintain compliance and reduce workload?
PART 2: Dissecting the Modern Identity Governance Journey - Live Demo
A Capabilities Deep Dive into Advanced Governance Use Cases
This webinar is targeted at IAM leaders and practitioners who want to see a live demo of a governance solution demonstrating:
Dynamic access reviews based on changes like M&A, reorganization or a simple transfer of an employee from one manager to another
Exceptional user experience during ad-hoc access requests
Triggering certifications based on quantitative analysis
Automated entitlement discovery and certification
Certification of access policies in Access Management system
Hub City Media Recognized as ForgeRock's Americas Partner of the Year!
Hub City Media, thought-leaders in the Identity and Access Management (IAM) space, was honored with the ForgeRock Americas Partner of the Year award for 2020.
Hub City Media offers advisory and implementation services alongside managed cloud and support services across the globe for a wide range of industries. With over 20 years of IAM experience, Hub City Media’s extensive and ever growing expertise in the industry continues to make them a leading partner for ForgeRock’s modern Identity platform.
"We are very excited to recognize Hub City Media as our Partner of the Year,” said Mark Francetic, Vice President - Alliances and Channels Sales at ForgeRock. “They are a go-to Partner for our customers and our sales teams nationally, and very much deserve this award.”
With a staff fully committed to ForgeRock Identity and Access Management (IAM) technology, Hub City Media provides valuable insight and recommendations resulting in their client’s success and increased return on investment.
“Partnering with ForgeRock in 2015 was an easy decision, and since then, the partnership has exceeded every expectation,” said Philippe Monrougie, CEO of Hub City Media. “Every single person at our organization has played an integral role in making this award possible - our people are our most valuable differentiator.”
For more information about Hub City Media, please visit www.hubcitymedia.com or contact marketing@hubcitymedia.com
Oracle Releases Quarterly Security Patch Updates - January 2020
Hub City Media advises all Oracle customers to review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising customers that Oracle has released its quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Oracle Identity Manager (OIM)
Product: Oracle Identity Management
Subcomponent(s): Advanced Console
Patch Number: 30338509
Vulnerability Details: Supported versions affected are 11.1.2.3.0 and 12.2.1.3.0. An easily exploitable vulnerability allows a low privileged attacker with network access via HTTP to compromise Identity Manager.
Successful attacks can result in:
Unauthorized update, insert or delete access to some of Identity Manager’s accessible data
Unauthorized read access to a subset of Identity Manager accessible data
WebLogic Server
Product: Oracle Weblogic Server
Subcomponent(s): WLS Core Components, Application Container - Java EE, Console
Patch Number: 30463097 - Estimated Availability January 31, 2020
Vulnerability Details: Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via IIOP or T3 to compromise Oracle WebLogic Server. Easily exploitable vulnerabilities allow a high privileged attacker with network access via HTTP, or with logon to the infrastructure where WebLogic Server executes, to compromise Oracle WebLogic Server. Some vulnerabilities require human interaction, and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.
Successful attacks can result in:
Takeover of Weblogic Server
Unauthorized access to critical data or complete access to all accessible data
Unauthorized update, insert, or delete access to Weblogic accessible data
Unauthorized read access to subset of Weblogic accessible data
Unauthorized ability to cause partial denial of service
Java SE
Product: Java SE
Subcomponent(s): Serialization, Security, Networking, Libraries
Patch Number: 13079846
Vulnerability Details:
This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity, and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols to compromise Java SE. Successful attacks can have a variety of detrimental effects.
Successful attacks can result in:
Attacker takeover of Java SE
Unauthorized complete manipulation of Java accessible data, including access, write, delete, and modify
Unauthorized ability to cause a partial denial of service (partial DOS) of Java SE
Compromise of Java SE by an unauthenticated attacker with network access via Kerberos
Oracle HTTP Server
Product: Oracle Fusion Middleware
Subcomponent(s): OSSL Module, Web Listener
Patch Number: 30654519
Vulnerability Details: Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via HTTPS, or via HTTP, to compromise Oracle HTTP Server.
Successful attacks can result in:
Partial DOS of the HTTP Server
Unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data as well as unauthorized read access to a subset of Oracle HTTP Server accessible data
Oracle Solaris
Product: Oracle Solaris 11
Subcomponent(s): Consolidation Infrastructure, Filesystem, Kernel, X Window System, SMB Server
Patch Number: 30681152, 30681156
Vulnerability Details: Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Easily exploitable vulnerability allows unauthenticated attacker with network access via SMB to compromise Oracle Solaris.
Successful attacks can result in:
Takeover of Oracle Solaris
Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris.
Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris
BI Publisher
Product: Oracle Business Intelligence Enterprise Edition
Subcomponent(s): Analytics Server and Analytics Web General (OpenSSL)
Patch Number: 30677050
Vulnerability Details:
Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Business Intelligence Enterprise Edition.
Successful attacks can result in:
Unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
KuppingerCole, ForgeRock and Hub City Media Present: IAM Modernization
In this webinar, we dive into IAM Modernization with KuppingerCole and ForgeRock, and why it’s a necessity for organizations.
Application and infrastructure architectures are continuously changing in order to mirror the demands and challenges of modern organizational needs. A common problem with legacy systems is the inability to adapt to new business models in an ever-changing world.
Matthias Reinwarth (KuppingerCole), Lani Leuthvilay (ForgeRock) and Steve Giovannetti (Hub City Media) discuss:
The services offered in a modern IAM platform, from modern authentication, authorization and promotion, to audit, governance and compliance
The scalability and flexibility required to manage billions of identities on a unified architecture
The access of all identities (internal as well as external and personalized as well as technical) to potentially all connected systems and infrastructures on premises, in hybrid or multi-cloud environments
Transparent and cost-efficient structuring and migration to a true next generation IAM architecture
Hub City Media Expands to Rossville, IL!
We’re thrilled to announce that we’ve opened an office in Rossville, IL!
Stay tuned for more updates and the latest on our Rossville office!
ForgeRock and Hub City Media Dive into UMA and Healthcare Modernization
In this webinar, Eve Maler of ForgeRock and Steve Giovannetti of Hub City Media take a deep dive into UMA and IAM Modernization in Healthcare. Watch the replay…
Patient and Member Journeys Matter!
Building Superior Experiences in Connected Health, IoT and Data Sharing
Today, it is essential for healthcare organizations to provide users:
Access to consolidated medical records
Control over health data-sharing
The ability to leverage valuable IoT device data
The ability to manage care coverage transitions
Your patients and members expect active and personalized involvement in their own health outcomes using a variety of digital channels. To offer them the best possible health data protection, you need to support state-of-the-art Identity and Access Management (IAM) technologies and techniques.
In this webinar, you will learn about:
Health IoT and data-sharing best practices
Connected-health user journeys
Standards for patient-centric health data-sharing
How to modernize IAM to avoid healthcare security missteps
Watch the replay!
ABOUT THE SPEAKERS:
Eve Maler is a renowned strategist, innovator and communicator on digital identity, access, security and privacy, with particular focus on creating successful wide-scale ecosystems and fostering individual empowerment. Eve drives Identity Relationship Management innovation for the ForgeRock Identity Platform; she also directs ForgeRock’s involvement in related industry standards, particularly for access control and privacy, to which end she leads the User-Managed Access (UMA) standards effort.
Steve Giovannetti is the CTO and Founder of Hub City Media, an Identity and Access Management consultancy specializing in IAM implementations, product development and support services. Giovannetti has been working in Identity since 1999 with a heavy focus on containerized solutions and running IAM in the cloud. For more information, visit www.hubcitymedia.com.
Hub City Media Teams with CyberArk - #1 in Privileged Access Security
Hub City Media partners with CyberArk, the global leader in Privileged Access Security…
Hub City Media has teamed with CyberArk, the global leader in Privileged Access Security, to deliver innovative cybersecurity solutions to reduce risk across an expanding attack surface.
As the Privileged Access Security pioneer, CyberArk enables Hub City Media to deliver a complete Identity and Access Management (IAM) portfolio to improve compliance and reduce risk. With CyberArk, Hub City Media is now a one-stop shop for comprehensive IAM solutions.
We are proud to join the CyberArk Partner Network!
Hub City Media featured on latest Ask TOM talk by Oracle
Database Authentication was the focus of July’s Office hours at Oracle…
Database Authentication was the focus of July’s Office Hours at Oracle. Hub City Media's Jud Williford discussed different types of authentication, contrasted benefits and implementation requirements, and talked through a demo of our Multi-factor Authentication product for Oracle.
Check out the replay!
Jud Williford leads the Database Security practice at Hub City Media. He previously worked for 30 years at FedEx as a DBA and IT Architect, ultimately responsible for database security processes and annual attestations before external auditors.
July 2019: ForgeRock Releases Security Patch Updates
Hub City Media advises all ForgeRock customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure ForgeRock IAM environments remain secure, we are advising that ForgeRock has released Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
AM Web Agents
Product: AM Web Agent, versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Subcomponent(s): Web Agent
Issue Number(s): 201902-01, 201902-03, 201902-04
Vulnerability Details:
These vulnerabilities allow:
AM Web Agents to be started with misconfigured notifications, which will give revoked sessions the ability to access protected resources
AM Web Agent heap memory to be extracted by a local attacker, exposing sensitive information
Mishandled String operations to potentially crash the AM Web Agent
These vulnerabilities are resolved in AM Web Agent version 5.6.1.0
AM Java Agents
Product: AM Java Agent, versions 5, 5.0.x, 5.1.x, 5.5.x, 5.6.0
Subcomponent(s): Java Agent, jackson-databind 2.x
Issue Number(s): 201902-02
Vulnerability Details:
This vulnerability allows:
A remote user to access local files through an issue with Polymorphic Typing in FasterXML jackson-databind 2.x before 2.9.9
This vulnerability is resolved in AM Java Agent version 5.6.1.0
AM/OpenAM
Product: AM versions 6.5.0-6.5.0.1, 6.0.0-6.0.0.6, 5.0.0-5.5.1
OpenAM versions
Subcomponent(s): AM/OpenAM Core Server
Issue Number(s): 201901-01, 201901-02, 201901-03, 201901-04, 201901-05, 201901-06, 201901-07, 201901-08
Vulnerability Details:
These vulnerabilities allow:
A man-in-the-middle attack to be performed on AM/OpenAM Core Server through certain configurations of OAuth2 clients
Policies to be created for unentitled resources through a bug in access control
Takeover of AM/OpenAM Core Server through a cross-site scripting attack
Server certificates to be incorrectly configured due to TLS hostname verification being disabled by default on some services
Authentication to be bypassed in certain SAML session upgrade scenarios
An attacker to redirect an end user to a site they control through Agent based CDSSO not correctly validating redirect URLs
Memory account lockout to fail to work
Redirect URLs to be unvalidated through improper error handling by OAuth2
These vulnerabilities are resolved in versions 6.5.0.2 or 6.0.0.7 depending on your current version of AM/OpenAM.
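Two of the items above (Agent based CDSSO not validating redirect URLs, and OAuth2 error handling leaving redirect URLs unvalidated) are open-redirect conditions: the server issues a 302 to a location an attacker chose. The check a practitioner wants in front of any return-to or redirect parameter is a strict allowlist validator. The following is an added example, not ForgeRock AM code; the allowed hostnames and the URLs it is exercised with are constructed for the illustration.

```python
"""Strict redirect-target validation of the kind the CDSSO and OAuth2 items above require.

Added example, not ForgeRock AM code. A return-to / redirect parameter is accepted
only if it is a same-site relative path or an absolute https URL whose host is on
an explicit allowlist; everything a browser might reinterpret (scheme-relative
'//host', backslashes, userinfo '@', odd ports) is refused. The allowlist and the
sample URLs are constructed for the example.
"""
from typing import FrozenSet
from urllib.parse import urlsplit

# Exact hostnames that may receive a post-login redirect (assumed for the example).
ALLOWED_REDIRECT_HOSTS: FrozenSet[str] = frozenset({"app.example.com", "portal.example.com"})


def is_safe_redirect(url: str, allowed_hosts: FrozenSet[str] = ALLOWED_REDIRECT_HOSTS) -> bool:
    """Return True only for a same-site relative path or an https URL to an allowlisted host."""
    if not url or len(url) > 2048:
        return False
    # Control characters, whitespace and backslashes are refused outright: browsers
    # normalise '\\' to '/', so 'https://evil.com\\@app.example.com' lands on evil.com
    # while a naive parser reports app.example.com as the host.
    if any(ord(ch) < 0x20 or ch in " \\" for ch in url):
        return False

    parts = urlsplit(url)

    # Same-site relative path: exactly one leading '/'. A '//host/...' value is a
    # network-path reference and would leave the site.
    if not parts.scheme and not parts.netloc:
        return url.startswith("/") and not url.startswith("//")

    if parts.scheme != "https":          # urlsplit lower-cases the scheme
        return False
    if "@" in parts.netloc:              # userinfo is never legitimate in a redirect
        return False
    try:
        port = parts.port                # raises ValueError for a malformed port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    # Exact host match: a suffix check would admit app.example.com.evil.com.
    return parts.hostname in allowed_hosts


def safe_redirect_target(url: str, fallback: str = "/") -> str:
    """What a login handler should actually use: the validated URL or a safe default."""
    return url if is_safe_redirect(url) else fallback


if __name__ == "__main__":
    for candidate in ["/dashboard", "//evil.com/", "https://app.example.com/home",
                      "https://app.example.com.evil.com/", "https://app.example.com@evil.com/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

The validator deliberately fails closed: anything it cannot classify with certainty goes to the fallback, which is the behaviour to verify on an agent or OAuth2 error path rather than trying to enumerate bad inputs.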
WEBINAR SERIES - Modernization of IAM: Ensuring your system is future-proof
Join ForgeRock and Hub City Media for a two-part webinar series to learn exactly how much value a modern IAM platform can bring to your organization…
ForgeRock and Hub City Media co-host a two-part webinar series on IAM Modernization
Part 1: Migrating to a Modern IAM Platform - Long-term Value and Risks
Legacy IAM vs. Modern IAM - Should you stay or should you go?
Capabilities comparison
Keeping pace with current market demands
Preview of what a modern IAM deployment looks like
Short-term and long-term benefits of modernizing IAM
Potential roadblocks to consider and how to overcome them
Watch Part 1
Part 2: Moving off of a Legacy System - How to migrate successfully
Learn how to make migrating IAM systems seamless, and the best strategies to consider for deployment.
Parallel Deployments vs. Coexistence vs. Rip-and-Replace: Which method makes sense for your organization? What are the pros and cons of each?
How to migrate efficiently, successfully and securely
Why migrating a wide variety of applications can be a roadblock, and how to overcome it
Use Case Spotlight - Successful client journeys
Watch Part 2
Learn the true value of modernizing your IAM platform, and ensure your system is future-proof with this series!
HCM to Run Live Demos at ForgeRock's Identity Live in Nashville
Hub City Media to host a demo booth this year at ForgeRock's Identity Live in Nashville…
Hub City Media will be hosting a demo booth during Identity Live in Nashville, and is inviting all attendees to stop by to check out live demos of Governance 2.5. New features include an Enhanced User Interface, an Entitlement Glossary and OIDC integration.
As a proud ForgeRock partner, we're excited to have the opportunity to showcase the Governance product we've built directly on top of the ForgeRock Identity Platform. It's important we show Summit-goers how Governance can help their business with compliance needs, as well as the appropriate access and roles of their employees and customers. Most importantly, it can be deployed in the cloud with ForgeRock, and it’s very easy to install and run.
We hope to see you there!
April 2019: Oracle Releases Quarterly Security Patch Updates
Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Java SE
Product: Oracle Java SE
Component(s): RMI, Libraries, 2D
Patch Number: 13079846
Vulnerability Details:
This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols to compromise Java SE. Successful attacks can have a variety of detrimental effects.
Successful attacks can result in:
Attacker takeover of Java SE
Ability to cause hangs or complete crashes of Java SE
Unauthorized complete manipulation of Java accessible data, including access, write, delete and modify.
Solaris
Product: Oracle Solaris
Component(s): IPS Package Manager, SunSSH, File Locking Services
Patch Number: 11.3.36.10.0
Vulnerability Details:
This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity, and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access via multiple protocols, as well as attackers with logon access to the infrastructure where Oracle Solaris executes, to compromise Oracle Solaris.
Successful attacks can result in:
Unauthorized read access to Solaris file systems
Partial Denial of Service (DoS)
Unauthorized complete manipulation of Solaris accessible data, including access, write, delete and modify
SOA
Product: Oracle SOA Suite
Component(s): Fabric Layer
Patch Number: 29625018
Vulnerability Details:
This patch update corrects vulnerabilities that allow unauthorized read access to a subset of Oracle SOA as well as grant an unauthenticated attacker with network access, via HTTP, the ability to compromise Oracle SOA.
Successful attacks can result in:
Unauthorized Read access to Oracle SOA data
Unauthenticated Attacker can compromise Oracle SOA
Weblogic
Product: Oracle Weblogic Server
Component(s): WLS Core Components, EJB Container
Patch Number: 27820719
Vulnerability Details:
This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through HTTP and T3 to compromise Oracle Weblogic Server.
Successful attacks can result in:
A takeover of Oracle WebLogic Server
BI Publisher (formerly XML Publisher)
Product: BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0
Subcomponent(s): BI Publisher Security
Patch Number: 29492717
Vulnerability Details:
Easily exploitable vulnerabilities allow an unauthenticated attacker, or an attacker with low or high privileges, with network access via HTTP to compromise BI Publisher. These vulnerabilities may impact additional products.
Successful attacks can result in:
Unauthorized access to critical data or complete access to all BI Publisher accessible data
Unauthorized update, insert or delete access to some of BI Publisher accessible data.
Unauthorized read access to a subset of BI Publisher accessible data
Oracle HTTP Server (OHS)
Product: Oracle HTTP Server, version 12.2.1.3.0
Subcomponent(s): Web Listener (curl)
Patch Number: 29407043
Vulnerability Details:
The supported version affected is 12.2.1.3.0. An easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server.
Successful attacks can result in:
Takeover of Oracle HTTP Server
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
ForgeRock Releases Directory Services Security Advisory
Hub City Media advises all ForgeRock clients review this security vulnerability with their team…
As part of Hub City Media’s ongoing efforts to ensure ForgeRock IAM environments remain secure, we are advising that ForgeRock has released a security advisory update for Directory Services.
To maintain the best possible security posture, please review this patch with your team.
For assistance with applying this patch, contact us.
ForgeRock Directory Services 5.5.2
Component: Core Server
Security Advisory #201803: ForgeRock has discovered a Medium-level security vulnerability in ForgeRock Directory Services (DS) 5.0.0, 5.5.0, 5.5.1, 6.0.0 and in OpenDJ 3.0.0, 3.5.0, 3.5.1, 3.5.2, 3.5.3. The vulnerability also affects embedded DS / OpenDJ in AM 5.x, AM 6.0 and OpenAM 13.x as well as IDM 6.0.
Release Notes for 5.5.2: ForgeRock maintenance releases provide fixes to existing bugs that improve functionality, security and performance for your DS deployment. No new features have been introduced. The release can be deployed as an initial deployment or used to upgrade from an existing version.
Vulnerability Details: The password policy response control is returned incorrectly when an account is locked and a bind operation for the account includes the correct password. As a result, it is possible to brute force a locked account’s password even after it has been locked due to too many authentication failures.
Resolution: Update / upgrade to DS 5.5.2 or deploy the relevant patch bundle.
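The defect above is a classic lockout oracle: once an account is locked, the only safe reply to a bind is one that does not depend on whether the supplied password was right. The following added example, which is a model and not ForgeRock Directory Services code, implements a minimal bind handler with password-policy lockout in a vulnerable form (the password policy response control is mishandled on the correct-password path, as the advisory describes) and a fixed form, then runs the attacker's loop against both. Result codes and the accountLocked value follow draft-behera-ldap-password-policy; the account, password and candidate list are constructed for the demo.

```python
"""Model of the lockout oracle described in advisory #201803, with its fix.

Added example, not ForgeRock Directory Services code: a small in-memory bind
handler with password-policy lockout, in a vulnerable and a fixed form. In the
vulnerable form the password policy response control is built incorrectly when
a locked account binds with the correct password, so that reply differs from the
reply to a wrong password. An attacker who has already locked the account can
therefore keep guessing and spot the right password. Result codes and the
accountLocked value follow draft-behera-ldap-password-policy; the account,
password and candidate list are constructed for the demo.
"""
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

SUCCESS = 0                 # LDAP resultCode success
INVALID_CREDENTIALS = 49    # LDAP resultCode invalidCredentials
PP_ACCOUNT_LOCKED = 1       # passwordPolicyResponse error value accountLocked
LOCKOUT_THRESHOLD = 3       # consecutive failures before lockout (model setting)


@dataclass(frozen=True)
class BindResult:
    result_code: int
    policy_error: Optional[int]   # error field of the password policy response control, if sent


@dataclass
class Account:
    password: str   # plaintext only because this is a model; a real server stores a hash
    failures: int = 0


class DirectoryModel:
    """Minimal bind + lockout logic, switchable between the defect and the fix."""

    def __init__(self, accounts: Dict[str, str], vulnerable: bool) -> None:
        self.accounts = {dn: Account(pw) for dn, pw in accounts.items()}
        self.vulnerable = vulnerable

    def is_locked(self, dn: str) -> bool:
        return self.accounts[dn].failures >= LOCKOUT_THRESHOLD

    def bind(self, dn: str, password: str) -> BindResult:
        acct = self.accounts[dn]
        matched = hmac.compare_digest(acct.password.encode(), password.encode())

        if self.is_locked(dn):
            if self.vulnerable and matched:
                # Modelled defect: the control is mishandled on the correct-password
                # path, so this reply is distinguishable from the one below.
                return BindResult(INVALID_CREDENTIALS, None)
            # Correct behaviour: every bind on a locked account gets the same reply,
            # and the password plays no part in choosing it.
            return BindResult(INVALID_CREDENTIALS, PP_ACCOUNT_LOCKED)

        if matched:
            acct.failures = 0
            return BindResult(SUCCESS, None)
        acct.failures += 1
        return BindResult(INVALID_CREDENTIALS, PP_ACCOUNT_LOCKED if self.is_locked(dn) else None)


def lock_account(server: DirectoryModel, dn: str) -> None:
    """Attacker step 1: trip the lockout with deliberately wrong passwords."""
    while not server.is_locked(dn):
        server.bind(dn, "definitely-wrong")


def guess_locked_password(server: DirectoryModel, dn: str, candidates: List[str]) -> Optional[str]:
    """Attacker step 2: bind with each candidate and look for the single reply that
    differs from all the others. Returns that candidate, or None when the server
    answers identically for every guess (no oracle, which is what the fix provides)."""
    replies = {c: server.bind(dn, c) for c in candidates}
    tally = Counter(replies.values())
    if len(tally) < 2:
        return None
    odd_reply = min(tally, key=tally.get)
    if tally[odd_reply] != 1:
        return None
    return next(c for c, r in replies.items() if r == odd_reply)


# Constructed test account and wordlist.
DN = "uid=alice,ou=people,dc=example,dc=com"
CANDIDATES = ["Password1", "Summer2018", "letmein", "correct-horse", "Welcome1"]


def run(vulnerable: bool) -> Optional[str]:
    """Lock alice, then brute-force her password against a vulnerable or fixed server."""
    server = DirectoryModel({DN: "correct-horse"}, vulnerable=vulnerable)
    lock_account(server, DN)
    return guess_locked_password(server, DN, CANDIDATES)


if __name__ == "__main__":
    print("vulnerable server leaks:", run(vulnerable=True))   # correct-horse
    print("fixed server leaks:", run(vulnerable=False))       # None
```

The property to confirm on a real deployment after upgrading is the one the fixed model has: bind against a deliberately locked test account with the password policy request control attached, once with the correct password and once with a wrong one, and verify that the two responses match in result code, diagnostic message and returned controls.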
October 2018: Oracle Releases Quarterly Security Patch Updates
Hub City Media advises all Oracle customers review these security vulnerabilities with their teams…
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Java SE
Component: Oracle Java SE 7
Sub-Component(s): Hotspot, JNDI, JSSE, Sound, Deployment (libpng), Security, Networking
Patch Number: 13079846
Vulnerability Details:
This Critical Patch Update contains 12 new security fixes for Oracle Java SE. These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. Some vulnerabilities are easily exploitable, and most allow an unauthenticated attacker with network access, via multiple protocols, the ability to compromise Java. Some vulnerabilities require human interaction from a person other than the attacker and while the vulnerabilities are in Java SE, attacks may significantly impact additional products.
Successful attacks can result in:
Partial Denial of Service of Java SE
Unauthorized update, insert or delete access to some Java SE accessible data
Takeover of Java SE
WebLogic Server
Component: Oracle WebLogic Server (version 10.3.6.0)
Sub-Component: WLS Core, sample apps (Spring Framework), WLS Web Services, Console
Patch Number: 28343311
Vulnerability Details:
Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via HTTP or T3 to compromise Oracle WebLogic Server. Successful exploitation of these vulnerabilities can result in takeover of Oracle WebLogic Server.
Oracle HTTP Server
Component: Oracle HTTP Server (version 12.2.1.3)
Sub-Component: Web Listener (curl)
Patch Number: 28281599
Vulnerability Details:
This difficult to exploit vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle HTTP Server.
Oracle Identity Manager
Component: Oracle Identity Manager (versions 11.1.2.3.0 and 12.2.1.3.0)
Sub-Component: Installer (jackson-databind)
Patch Number: 28768324
Vulnerability Details:
This critical patch contains an important fix to a recently discovered vulnerability in Oracle Identity Manager. The vulnerability allows an attacker with network access via HTTP to compromise OIM. Attacks can allow unauthorized read access to a subset of Oracle Identity Manager accessible data, as well as the ability to cause a partial denial of service of Oracle Identity Manager.
BI Publisher
Component: BI Publisher (versions 11.1.1.7.0, 11.1.1.9.0)
Sub-Component: BI Publisher Security (Apache Log4j)
Patch Number: 28632415 and 28632479 respectively
Vulnerability Details:
This critical patch contains a fix to an exploitable vulnerability. This issue allows an attacker to compromise Oracle Business Intelligence Publisher through the network via HTTP access. A successful attack would result in the takeover of Oracle Business Intelligence Publisher.
JRockit
Component: JRockit (version R28.3)
Sub-Components: Scripting, JNDI, JSSE, Sound
Patch Number: 28414796
Vulnerability Details:
This critical patch contains a fix to difficult to exploit vulnerabilities that allow unauthenticated attackers with network access via multiple protocols to compromise JRockit. Some attacks require human interaction from a person other than the attacker. Attacks may significantly impact additional products.
Successful attacks can result in:
Takeover of JRockit
Partial denial of service to JRockit
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.
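The practical question behind both the April 2019 and October 2018 summaries above is whether a given Oracle home actually carries the listed patch numbers. The following added example, which is not Oracle tooling, parses the text that `$ORACLE_HOME/OPatch/opatch lsinventory` prints and classifies each required patch as applied, rolled up into a later cumulative patch, or missing. The patch numbers are the ones listed above; the inventory text is constructed to look like lsinventory output and was not captured from a real system, and the "rolled-up" classification rests on the assumption, stated in the code, that a cumulative PSU lists the tracking bug numbers of the PSUs it supersedes under "Bugs fixed".

```python
"""Compare an Oracle home's OPatch inventory with the patch numbers in an advisory.

Added example, not Oracle tooling. It parses the text that
`$ORACLE_HOME/OPatch/opatch lsinventory` prints and classifies each patch
number from the summaries above as applied, rolled up into a later cumulative
patch, or missing. The inventory text below is constructed in the shape of
lsinventory output; nothing here was captured from a real system.
"""
import re
from typing import Dict, Iterable, Set

# Patch numbers taken from the April 2019 and October 2018 summaries above.
REQUIRED_PATCHES: Dict[str, str] = {
    "27820719": "WebLogic Server (April 2019)",
    "28343311": "WebLogic Server (October 2018)",
    "29625018": "SOA Suite (April 2019)",
    "29492717": "BI Publisher (April 2019)",
    "29407043": "Oracle HTTP Server (April 2019)",
}

# Constructed sample in the shape of `opatch lsinventory` output.
SAMPLE_INVENTORY = """\
Oracle Interim Patch Installer version 13.9.4.2.1
Copyright (c) 2019, Oracle Corporation.  All rights reserved.

Oracle Home       : /u01/app/oracle/product/fmw12.2.1.3
OPatch version    : 13.9.4.2.1

--------------------------------------------------------------------------------
Interim patches (2) :

Patch  27820719     : applied on Thu May 02 09:45:12 EDT 2019
Patch description:  "WLS PATCH SET UPDATE 12.2.1.3.0"
   Created on 4 Apr 2019, 12:00:00 hrs PST8PDT
   Bugs fixed:
     27820719, 28343311

Patch  29407043     : applied on Thu May 02 09:50:30 EDT 2019
Patch description:  "OHS BUNDLE PATCH 12.2.1.3.0"
   Created on 1 Apr 2019, 08:00:00 hrs PST8PDT
   Bugs fixed:
     29407043, 28281599

--------------------------------------------------------------------------------

OPatch succeeded.
"""

_PATCH_HEADER = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on\s+(.+?)\s*$")
_BUGS_HEADER = re.compile(r"^\s*Bugs fixed:\s*$")


def parse_inventory(text: str) -> Dict[str, dict]:
    """Return {patch_id: {"applied_on": str, "bugs_fixed": set of bug ids}}.

    Assumption (not verified against every OPatch release): each interim patch
    starts with a 'Patch NNN : applied on ...' line and its 'Bugs fixed:' block
    runs until the next blank line.
    """
    patches: Dict[str, dict] = {}
    current = None
    in_bugs = False
    for line in text.splitlines():
        header = _PATCH_HEADER.match(line)
        if header:
            current = header.group(1)
            patches[current] = {"applied_on": header.group(2), "bugs_fixed": set()}
            in_bugs = False
            continue
        if current is None:
            continue
        if _BUGS_HEADER.match(line):
            in_bugs = True
            continue
        if in_bugs:
            if not line.strip():
                in_bugs = False
            else:
                patches[current]["bugs_fixed"].update(re.findall(r"\d+", line))
    return patches


def classify(patches: Dict[str, dict], required: Iterable[str]) -> Dict[str, str]:
    """Label each required patch id as 'applied', 'rolled-up' or 'missing'.

    'rolled-up' relies on the convention that a cumulative PSU lists the tracking
    bug numbers of the PSUs it supersedes under 'Bugs fixed'; treat it as a lead
    to confirm against the patch README, not as proof.
    """
    states: Dict[str, str] = {}
    for pid in required:
        if pid in patches:
            states[pid] = "applied"
        elif any(pid in p["bugs_fixed"] for p in patches.values()):
            states[pid] = "rolled-up"
        else:
            states[pid] = "missing"
    return states


def missing(patches: Dict[str, dict], required: Iterable[str]) -> Set[str]:
    """Just the patch ids that need action."""
    return {pid for pid, state in classify(patches, required).items() if state == "missing"}


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for pid, state in sorted(classify(inventory, REQUIRED_PATCHES).items()):
        print(f"{pid}  {state:9}  {REQUIRED_PATCHES[pid]}")
```

On a real host, feed it the output of `opatch lsinventory` for each Oracle home (a WebLogic home, an OHS home and a BI home are separate inventories), and treat "rolled-up" as a prompt to read the superseding patch's README rather than as a pass.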
See you at OpenWorld 2018!
We’ll be at OpenWorld this year. Will we see you there?
Hub City Media attended Oracle OpenWorld in San Francisco in October, and had valuable discussions about Cloud, Database Security and Identity.
We’d be happy to meet to recap the conference and discuss how we can ensure success for your Oracle IAM environment.
Looking forward to next year!
WEBCAST - Containerized IAM on Amazon Web Services (Part 3/3)
On September 12, we concluded our webcast series with ForgeRock and showed why you don’t need to settle for a standard IDaaS solution and how you can get the exact IAM solution you want - in the cloud…
That’s a wrap on our three-part series on Containerized IAM! Watch the replay of #3 below:
AUDIENCES EXPERIENCED:
Lessons learned from running the ForgeRock Platform in the cloud
Benefits and challenges of choosing containerized IAM in the cloud
How Kubernetes impacts operations
CI/CD pipeline: How this changes configuration, ongoing development, patching and upgrades
Plus: We’ll take you beyond AWS and discuss alternative approaches to containerized deployment.
Speakers Wajih Ahmed, Senior Director of Global Advanced Customer Engineering at ForgeRock and Steve Giovannetti, CTO & Founder of Hub City Media delved into how you can deploy using this model.