This article applies to BoKS Manager 6.7.0, 6.7.1 and 7.0.0.

Description

OpenSSL Security Advisory of 2016-09-22 lists multiple vulnerabilities in the OpenSSL library used for encryption of network communication in BoKS Manager.

Two of the vulnerabilities have severity Medium or higher and hotfixing is recommended:

  • CVE-2016-6304 OCSP Status Request extension unbounded memory growth.
  • CVE-2016-2183 SWEET32 Mitigation.

For details see advisory notes 12752 and 12759 in the FoxT customer support portal.

Resolution / Workaround

To resolve these issues, apply hotfix HFBM-0153 (BoKS 6.7) or HFBM-0154 (BoKS 7.0), available for download from the HelpSystems Community Portal.

This hotfix upgrades the OpenSSL library used by the BoKS SSL/TLS servers to version 1.0.2j, in which CVE-2016-6304 and CVE-2016-2183 are fixed.

This hotfix also fixes two less severe issues:

  • CVE-2016-2177 Pointer arithmetic undefined behaviour
  • CVE-2016-6306 Certificate message OOB reads
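A post-hotfix verification helper, added here as an example and not part of this article or the BoKS product: it compares an OpenSSL version string against the 1.0.2j level the hotfix ships and flags any 3DES cipher suites (the SWEET32 issue, CVE-2016-2183) in a cipher list. It assumes you can obtain the version string reported by the bundled OpenSSL library and a list of offered cipher-suite names; the sample inputs are constructed.

```python
import re

# OpenSSL release level this article's hotfix installs (stated on the page).
FIXED_VERSION = "1.0.2j"

# Matches the 1.0.x / 1.1.0 scheme: digits plus an optional letter patch suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn '1.0.2j' or a line of `openssl version` output into a comparable tuple.

    The letter suffix is a patch counter ('' < 'a' < 'b' < ... < 'z' < 'za'),
    so it is folded into an integer: no suffix -> 0, 'a' -> 1, ..., 'j' -> 10.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % text)
    major, minor, fix, letters = m.groups()
    patch = 0
    for ch in letters:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), patch)


def below_hotfix_level(text, fixed=FIXED_VERSION):
    """True if the build is older than the hotfix level, False if at or above it.

    Returns None for a different release line (e.g. 1.1.0), which this article
    does not cover, rather than guessing.
    """
    v = parse_openssl_version(text)
    f = parse_openssl_version(fixed)
    if v[:3] != f[:3]:
        return None
    return v[3] < f[3]


def sweet32_ciphers(cipher_list):
    """Return the suites that use 3DES (64-bit blocks), by OpenSSL or IANA name."""
    return [c for c in cipher_list if "DES-CBC3" in c or "3DES" in c]


if __name__ == "__main__":
    # Constructed inputs resembling what a host before the hotfix might report.
    sample_version = "OpenSSL 1.0.2h  3 May 2016"
    sample_ciphers = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-DES-CBC3-SHA", "DES-CBC3-SHA"]
    print("needs hotfix:", below_hotfix_level(sample_version))
    print("3DES suites still offered:", sweet32_ciphers(sample_ciphers))
```

A version at or above 1.0.2j alone does not remove 3DES suites from the configured cipher list, so both checks are worth running.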

Last Modified On: May 25, 2018