
Security

We care about security. If you have any questions or encounter any issues, please contact us at security@netgain-systems.com. If you believe you’ve discovered a security bug in a NetGain Systems product, please get in touch at security@netgain-systems.com and we will get back to you within 24 hours, and usually earlier. We request that you not publicly disclose the issue until we have had a chance to address it.

Security Fixes

Below is a list of new vulnerabilities (including those in operating systems and libraries) addressed in the latest product release (v11.1.300):

  • CVE-1999-0517 - SNMP Agent Default Community Name (public)
  • CVE-2008-5161 - SSH Server CBC Mode Ciphers Enabled
  • CVE-2012-5081 - TLS ROBOT Vulnerability Detected (JAVA)
  • CVE-2014-3566 - POODLE: SSLv3
  • CVE-2015-4000 - SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam)
  • CVE-2016-2183 - Birthday attacks against TLS ciphers with 64-bit block size (Sweet32)
  • CVE-2020-11022 - jQuery 1.2 < 3.5.0 Multiple XSS
  • CVE-2020-11023 - jQuery 1.2 < 3.5.0 Multiple XSS
  • CVE-2020-13943 - Apache Tomcat HTTP/2 Request mix-up
  • CVE-2020-14750 - Oracle WebLogic Server
  • CVE-2020-17527 - Apache Tomcat HTTP/2 Request header mix-up
  • CVE-2020-17530 - Apache Struts 2 allows an attacker to perform remote code execution on a vulnerable system
  • CVE-2020-1971 - OpenSSL can be exploited to cause a Denial of Service condition
  • CVE-2020-26217 - XStream Remote Code Execution Vulnerability
  • CWE-16 OWASP-A6 - Cookie Without HTTPOnly Flag set
  • CWE-200 CWE-213 OWASP-A6 - Web server & Framework Version Identification
  • CWE-284 - Insecure Flash Cross Domain Policy
  • CWE-308 OWASP-A2 - Use of Single-factor Authentication
  • CWE-326 CWE-327 CWE-210 OWASP-A3 - Inadequate Transport Layer Protection
  • CWE-326 CWE-327 CWE-310 OWASP-A3 - Use of Broken or Risky Cryptographic Algorithms
  • CWE-384 - Multiple Login Sessions
  • CWE-523 CWE-693 OWASP-A6 - HTTP Strict Transport Security Not Enforced
  • CWE-525 OWASP-A6 - Lack of Client-Side Cache control
  • CWE-525 - Sensitive Field Forms Autocomplete
  • CWE-613 OWASP-A7 - Weak Idle Timeout
  • CWE-645 OWASP-A2 - Overly Restrictive Lockout Mechanism
  • CWE-693 CWE-16 OWASP-A6 - X-XSS-Protection Header not implemented
  • CWE-693 - Framable response
  • Nessus Plugin ID 12085 - Apache Tomcat Default Files
  • Nessus Plugin ID 51192 - SSL Certificate Cannot Be Trusted
  • Nessus Plugin ID 57582 - SSL Self-Signed Certificate
  • Nessus Plugin ID 76474 - SNMP ‘GETBULK’ Reflection DDoS
  • OWASP-A3 - Client-initiated Renegotiation Supported
  • OWASP-A9 - Outdated Components with known Vulnerabilities