Security
We care about security. If you have any questions, or encounter any issues, please contact us at security@netgain-systems.com. If you believe you’ve discovered a bug in NetGain Systems product(s) security, please get in touch at security@netgain-systems.com and we will get back to you within 24 hours, and usually earlier. We request that you not publicly disclose the issue until we have had a chance to address it.
Below is a list of new vulnerabilities (include OSs and libraries) addressed in latest product release (v11.1.300)
- CVE-1999-0517- SNMP Agent Default Community Name (public)
- CVE-2008-5161 - SSH Server CBC Mode Ciphers Enabled
- CVE-2012-5081 - TLS ROBOT Vulnerability Detected (JAVA)
- CVE-2014-3566 - POODLE: SSLv3
- CVE-2015-4000 - SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
- CVE-2016-2183 - Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
- CVE-2020-11022 - JQuery 1.2 < 3.5.0 Multiple XSS
- CVE-2020-11023 - JQuery 1.2 < 3.5.0 Multiple XSS
- CVE-2020-13943 - Apache Tomcat HTTP/2 Request mix-up
- CVE-2020-14750 - Oracle WebLogic Server
- CVE-2020-17527 - Apache Tomcat HTTP/2 Request header mix-up
- CVE-2020-17530 - Apache Struts 2 allow an attacker to perform remote code execution on a vulnerable system
- CVE-2020-1971 - OpenSSL exploits to cause a Denial of Service condition
- CVE-2020-26217 - XStream Remote Code Execution Vulnerability
- CWE-16 OWASP-A6 - Cookie Without HTTPOnly Flag set
- CWE-200 CWE-213 OWASP-A6 - Web server & Framework Version Identification
- CWE-284 - Insecure Flash Cross Domain Policy
- CWE-308 OWASP-A2 - Use of Single-factor Authentication
- CWE-326 CWE-327 CWE-210 OWASP-A3 - Inadequate Transport Layer Protection
- CWE-326 CWE-327 CWE-310 OWASP-A3 - Use of Broken or Risky Cryptographic Algorithms
- CWE-384 - Mulitiple Login Sessions
- CWE-523 CWE-693 OWASP-A6 - HTTP String Transport Security Not Enforced
- CWE-525 OWASP-A6 - Lack of Client-Side Cache control
- CWE-525 - Sensitive Field Forms Autocomplete
- CWE-613 OWASP-A7 - Weak Idle Timeout
- CWE-645 OWASP-A2 - Overly Restrictive Lockout Mechanism
- CWE-693 CWE016 OWASP-A6 - X-XSS-Protection Header not implemented
- CWE-693 - Framable response
- Nessus Plugin ID 12085 - Apache Tomcat Default Files
- Nessus Plugin ID 51192 - SSL Certificate Cannot Be Trusted
- Nessus Plugin ID 57582 - SSL Self-Signed Certificate
- Nessus Plugin ID 76474 - SNMP ‘GETBULK’ Reflection DDoS
- OWASP-A3 - Client-initiated Renegotiation Supported
- OWASP-A9 - Outdated Components with known Vulnerabilities