Gemalto is now part of the Thales Group.

Security Updates


Protect Server PSI-E2/PSE2 Vulnerabilities

Update 10 June 2019

Gemalto has a long-standing relationship with Ledger and is supplying hardware security modules (HSM) for Ledger Vault deployments, Ledger’s offering to secure digital asset operations. In 2018 Ledger made Gemalto aware of security issues restricted to the Gemalto ProtectServer HSMs running firmware versions from 3.20.00 to 3.20.10 and ProtectServer-2 HSMs running firmware between 5.00.02 and 5.03.00 (excluding 5.01.03). Immediate action was taken by Gemalto to resolve these issues and to contact our customers with remediation action. Full details of the patch were published to our security updates portal in November 2018.

All other HSM products, including SafeNet Luna, SafeNet Data Protection On Demand and payShield, are not impacted in any way by the issues presented in Ledger’s research. We take any security claim very seriously and are grateful to Ledger for notifying us of these issues and working with us to resolution. We value the contribution of researchers and security professionals in our efforts towards continuous improvement of the security of our products.

Customers are advised to take action as described at KB0018211 to mitigate the risk.

Update 13 March 2019

The Gemalto Enterprise and Cybersecurity Team has investigated recently reported vulnerabilities in the Protect Server PSI-E/PSE products (end of sale December 2014). These vulnerabilities may impact the integrity and availability of the product if exploited. Customers are advised to take action as described at KB0018211 to mitigate the risk.

For further questions or concerns, please contact Gemalto technical support at https://supportportal.gemalto.com/.

09 November 2018

The Gemalto Enterprise and Cybersecurity Team has investigated recently reported vulnerabilities in the Protect Server PSI-E2/PSE2 products. These vulnerabilities may impact the integrity and availability of the product if exploited. Customers are advised to take action as described at KB0018211 to mitigate the risk.

For further questions or concerns, please contact Gemalto technical support at https://supportportal.gemalto.com/.


Vulnerability in Sentinel SuperPro, Sentinel Hardware Keys and Sentinel UltraPro Products

05 June 2019

The library "REVERB1.dll" is being loaded without specifying the system directory in the LoadLibrary call. This uncontrolled search path element could enable an attacker to load and execute a malicious DLL file. Sensitive components, protected using Sentinel CodeCover for Sentinel SuperPro, Sentinel CodeCover for Sentinel Hardware Keys (SHK), and Sentinel Shell for Sentinel UltraPro may be at risk of this vulnerability if there are no additional protection layers in place by the software vendor.

Customers who use these products are advised to review the security bulletin KB0019084 and take the recommended action as applicable. There are no known exploits of this vulnerability.
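As an added illustration (not Gemalto's code and not part of the security bulletin), the following detection sketch flags loads of REVERB1.dll from any directory other than the Windows system directory, using module-load records shaped like Sysmon Event ID 7. It assumes the legitimate copy resides in the system directory, as the advisory's wording implies, and that Windows is installed at C:\Windows; the sample events are constructed.

```python
import ntpath  # Windows path rules, usable on any analysis host

# Assumption: Windows is installed at C:\Windows. SysWOW64 is listed because a
# 32-bit process on 64-bit Windows loads its system DLLs from there.
SYSTEM_DIRS = {
    ntpath.normcase(r"C:\Windows\System32"),
    ntpath.normcase(r"C:\Windows\SysWOW64"),
}
WATCHED_DLL = "reverb1.dll"  # the library named in the advisory

# Constructed sample records using the Image / ImageLoaded fields of Sysmon
# Event ID 7; every path and process name here is made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\REVERB1.dll"},
    {"Image": r"C:\Users\alice\Downloads\setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\REVERB1.dll"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\reverb1.DLL"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": "\\\\?\\C:\\WINDOWS\\system32\\Reverb1.dll"},
]


def load_directory(image_loaded):
    """Return the normalized, lower-cased directory a module was loaded from."""
    path = image_loaded
    # Strip the extended-length prefix so \\?\C:\... compares like C:\...
    if path.startswith("\\\\?\\"):
        path = path[4:]
    # Collapse "..", unify separators and case before comparing.
    return ntpath.dirname(ntpath.normcase(ntpath.normpath(path)))


def suspicious_loads(events, dll=WATCHED_DLL):
    """Return the events where `dll` was loaded from outside the system directory."""
    hits = []
    for ev in events:
        loaded = ev["ImageLoaded"]
        if ntpath.basename(ntpath.normcase(loaded)) != dll:
            continue  # some other module
        if load_directory(loaded) not in SYSTEM_DIRS:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in suspicious_loads(SAMPLE_EVENTS):
        print(f'{ev["Image"]} loaded {ev["ImageLoaded"]}')
```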


Sentinel LDK Vulnerabilities

02 May 2019

The Thales/Gemalto Product Security Team has investigated recently reported vulnerabilities in the Sentinel LDK product. There are no known exploits of these vulnerabilities. Further information on the vulnerability is available at the following security bulletin link: KB0018794.

For further questions or concerns, please contact customer support at https://supportportal.gemalto.com/


Sentinel UltraPro Vulnerability

Update 12 March 2019

Please note the following corrections in bold:

Customers who have integrated Sentinel UltraPro Client Library ux32w.dll version (v1.3.0-v1.3.2) are advised to upgrade to the latest Sentinel UltraPro Client Library ux32w.dll version (v1.3.3). Further information on the vulnerability is available at the following security bulletin link: KB0018410.

09 January 2019

Customers who have Sentinel UltraPro version (v1.3.0-1.3.2) are advised to update to the latest Sentinel UltraPro version (v1.3.3). Further information on the vulnerability is available at the following security bulletin link: KB0018410.


Meltdown & Spectre Vulnerabilities

Update 1 June 2018

The Gemalto Security Team has investigated recently published vulnerabilities CVE-2018-3639/3640. Our investigation has concluded that for this category of vulnerability to be exploitable, an attacker would have to be able to execute arbitrary (i.e. malicious) code within the appliance environment. Gemalto/SafeNet appliance products are not impacted as arbitrary code cannot be executed to exploit either of these vulnerability variants. Notwithstanding, customers should ensure that the operating systems and hypervisors of the host machines are patched where applicable.

Update 19 January 2018

The Gemalto Enterprise and Cybersecurity Security Team is continuing to investigate the impact of these vulnerabilities to our products and services, revising as more information is available. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Updated information may be found at: KB0017000.

Please continue to check this website where additional information will be posted as it becomes available.

Update 12 January 2018

The Gemalto Enterprise and Cybersecurity Security Team is continuing to investigate the impact of these vulnerabilities to our products and services, revising as more information is available. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Updated information may be found at: KB0017005

Please continue to check this website where additional information will be posted as it becomes available.

Update 09 January 2018

The Gemalto Enterprise and Cybersecurity Security Team has investigated the impact of these vulnerabilities to our products and services. In general, if products/services employ a potentially vulnerable processor, security measures are in place to prevent exploitation of the vulnerabilities. Further information is available at KB0017000.

Please continue to check this website where additional information will be posted as it becomes available.

04 January 2018

It has recently been announced that three vulnerabilities, associated with two exploits known as Meltdown and Spectre, affect modern processors. These vulnerabilities could allow unauthorized access to sensitive data as documented in CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754.

Gemalto takes this issue very seriously and is investigating the impact of these vulnerabilities on our products and solutions. Gemalto CERT is also closely monitoring updated information related to patch availability. In parallel, we are coordinating a regular follow-up with our cloud service providers. We have set up a dedicated team of security experts to work on the situation and we will continue to monitor any developments.

Customers who have questions about these vulnerabilities should get in touch with their usual Gemalto Customer Support contact. Please continue to check this website where additional information will be posted as it becomes available.


Sentinel LDK Vulnerabilities

Update 12 April 2018

Customers who have Sentinel LDK (RTE) Run-time Environment version (v2.10-66) are advised to update their Sentinel LDK RTE to the latest Sentinel LDK RTE component (v7.80). Further information is available at the following security bulletin link: KB0017405.

Update 9 March 2018

Customers who have Sentinel LDK (RTE) Run-time Environment version (v2.10-63) are advised to update their Sentinel LDK RTE to the latest Sentinel LDK RTE component (v7.65). This update can be found on the Sentinel Downloads site.

25 January 2018

In September 2017, Gemalto/SafeNet published a notice advising Sentinel customers of vulnerabilities associated with the use of Sentinel LDK EMS server and License Manager services. These vulnerabilities may impact the confidentiality and integrity of the services if exploited.

This notice is to remind customers using these services to follow the mitigation guidelines outlined in the security bulletin at the following link: KB0016365.

Gemalto would like to acknowledge Kaspersky for responsible disclosure of these vulnerabilities.


SAML-Based Security Vulnerabilities

5 March 2018

Gemalto Security Teams have investigated a new vulnerability class (CVE-2017-11427) that affects SAML-based single sign-on (SSO) systems reported by Duo Labs. This vulnerability, under certain conditions, could allow an attacker with authenticated access to a SAML Identity Provider (IdP) to impersonate a different user. Information on the vulnerabilities may be found at https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations.

Our analysis has determined that SafeNet Authentication Service (SAS); SafeNet Trusted Access (STA); and Data Protection as a Service (DPaaS) are NOT impacted by this vulnerability. Customers should validate that their SAML service providers are not impacted as well.


Sentinel LDK Vulnerabilities

6 September 2017

Gemalto/SafeNet has identified vulnerabilities with the use of Sentinel LDK EMS server and License Manager services that may impact the confidentiality and integrity of the services if exploited. Customers using these services are advised to follow the mitigation guidelines outlined in security bulletins at the following links:

* We acknowledge Positive Technologies https://www.ptsecurity.com for responsible disclosure of these vulnerabilities.

Please contact customer support if you have difficulties with these links or have further questions or concerns.

 


Sentinel LDK License Manager Vulnerabilities

16 June 2017

Recent research reports identified vulnerabilities in Sentinel LDK License Manager services. The confidentiality and integrity of the files on the target system may be compromised if the vulnerability is exploited. Customers using this product are advised to contact customer support and/or follow the mitigation guidelines outlined in security bulletins at the following links:

 

 


Product specific advisories, software patches, or new software downloads for affected Gemalto Software Monetization products will be available in the Gemalto Customer Portal. Please continue to check regularly for updates or subscribe to specific product news feeds.
