Trust Center

Oracle has released the Critical Patch Advisory for April 2024. It is suggested that users of these products review the vulnerabilities, prioritizing the application of updates to critical, publicly exposed systems without extensive mitigating controls and those with a higher risk factor. Data Intensity support staff is in the process of reviewing the impact of these vulnerabilities to supported customers and will be communicating to customers to setup patch windows based on the customers agreed upon patching cadence. Additional guidance and analysis will be posted here as made available.

Oracle Critical Patch Update Advisory - April 2024
Oracle April 2024 CPU Blog Post

Data Intensity has identified a typo within its 2023 Q3 Enterprise SOC1 Report covering from April 1, 2023 through September 30, 2023. The report previously distributed has the incorrect period dates within the report. If you have previously received a copy of the incorrect report, we request that you delete all copies of the incorrect report and request a copy of the new version.

Transition from SOC1 Type 2 to SOC2 Type 2
Please note that Data Intensity has not posted this report on this portal as we are transitioning away from providing SOC1 reports for all customers and instead rely on our SOC2, however it has been provided to some clients to support the transition.

If you are in need of an updated report or have questions on the transition from the SOC1 to the SOC2, please reach out to zzcompliance@dataintensity.com or your Customer Success Manager.

Fortinet has issued a critical 9.8 vulnerability impacting systems running newer versions of FortiOS. This Out-of-bound Write in sslvpnd vulnerability was reported on February 8, 2024 by FortiNET and was quickly added to the CISA exploited vulnerability list. Please refer to the link below for impacted version, mitigation and upgrade details.

Data Intensity was impacted by this vulnerability and the impacted devices were patched on February 8th and 9th.

https://www.fortiguard.com/psirt/FG-IR-24-015
https://securityaffairs.com/158955/hacking/cisa-fortinet-fortios-bug-known-exploited-vulnerabilities-catalog.html
https://www.cisa.gov/news-events/alerts/2024/02/09/cisa-adds-one-known-exploited-vulnerability-catalog

Oracle has released the following announcement concerning authentication changes to the My Oracle Support Portal. Please contact Oracle Support prior to March 1, 2024 with any issues.

Oracle will implement incremental changes to My Oracle Support, potentially impacting your login experience. The first change is planned for March 1, 2024. When you click “Login to My Oracle Support” at https://support.oracle.com, you will see a brief redirect to https://login-ext.identity.oraclecloud.com before you enter your login credentials. Besides this momentary redirect, your login experience will remain the same as today.

Action Required:
Please log into Oracle Communities platform, which has already introduced this change, to preview the changes and test your ability to log in successfully. If you can log in successfully, no further action is required. If you cannot log into Communities, you have a firewall or other security policies preventing you from accessing specific URLs. Please add the following URLs to the approved list in your firewall or work with your IT, Security, or Networking team to add the following URLs to the approved list:

• https://login-ext.identity.oraclecloud.com
• https://signon.oracle.com

Data Intensity has been monitoring the impact of the Terrapin vulnerability which was released in December 2023 with a base score of 5.9. To prevent the attack, both the client and the server need to be patched with the latest version of their SSH software. Data Intensity has update SSH connectivity client software where updates have been made available, so connections to updated servers are secured. Data Intensity will continue to work with customers on required server patching based on their agreed upon patching cadence.

The Terrapin vulnerability is a flaw in the SSH protocol that allows a man-in-the-middle attacker to tamper with the handshake phase of an SSH connection and downgrade its security features. The attacker can do this by truncating some messages exchanged between the client and the server, without breaking the connection. This can lead to the use of weaker signature algorithms, the bypass of keystroke timing obfuscation, and the loss of integrity protection for the SSH session. The vulnerability affects many SSH implementations that support either the ChaCha20-Poly1305 cipher or the CBC with Encrypt-then-MAC mode. Additional information can be found below:

Terrapin - NIST National Vulnerability Database
SSH protocol flaw – Terrapin Attack CVE-2023-48795: All you need to know

Data Intensity is now certified by ISME for the UK Cyber Essentials. Cyber Essentials is an effective, Government backed scheme that will help you to protect organizations, whatever their size, against a whole range of the most common cyber-attacks. Cyber essentials is required for UK government contracts which involve handling sensitive and personal information or the provision of certain technical products and services.

Data Intensity Cyber Essentials Certificate
Cyber Essentials Overview

Data Intensity has received it's Enterprise 2023 SOC2 Type II Report covering internal operations and services infrastructure. The period for this report is December 1, 2022 - November 30, 2023. This report now includes additional details and custom controls specifically targeting the security of the Data Intensity standard connectivity infrastructure. A bridge letter is also available as of today's date and new bridge letters will be uploaded on the first business day of each month. Follow the link below to retrieve the latest SOC 2 report. Please note, this does require registration and approval.

Data Intensity Enterprise SOC2 for 2023

Oracle has released the Critical Patch Advisory for January 2024. It is suggested that users of these products review the vulnerabilities, prioritizing the application of updates to critical, publicly exposed systems without extensive mitigating controls and those with a higher risk factor. Data Intensity support staff is in the process of reviewing the impact of these vulnerabilities to supported customers and will be communicating to customers to setup patch windows based on the customers agreed upon patching cadence. Additional guidance and analysis will be posted here as made available.

Oracle Critical Patch Update for January 2024 Oracle Security Fixing Policies

As part of service upgrades to provide new features and capabilities within Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM), Oracle is merging the capabilities of Oracle Identity Cloud Service (IDCS) into the native OCI IAM service over the next several months. All features and services will continue to work as expected and there is no expectation of service interruptions or degradation. The most significant security impact will be the ability for OCI IAM Administrators to administer access in a way similar to IDCS administrators have in the past. Please review and ensure that appropriate individuals have that level of access prior to the change.

Additional details can be found here: Introducing OCI IAM Identity Domains: What customers need to know