This article applies to BoKS Manager 6.7.0 and 6.7.1.

Description

  1. The OpenSSL Security Advisory published on 3 Dec 2015 (https://www.openssl.org/news/secadv_20151203.txt) lists a number of vulnerabilities in the OpenSSL toolkit used in BoKS Manager. Of the five vulnerabilities mentioned in the Security Advisory, one is regarded as serious and in need of hotfixing: CVE-2015-3194 "Certificate verify crash with missing PSS parameter". The BoKS administration server, boks_bccasd, uses client certificates to authenticate connecting clients and this vulnerability can be used to perform a denial-of-service attack.
  1. The BoKS web GUI, FCC, uses a boks_bccasd function to determine which operations the user might be allowed to execute. In some cases, when queried about reading any object where the rule specifies that only some objects may be read (for instance those where the name matches a certain pattern), it would return a false negative. This would cause FCC to hide or disable functions which should be visible and enabled. Note that this is a usability issue, not a security issue. If the user is allowed to attempt an operation, the real ABAC check at execution time will be correctly evaluated.

Resolution / Workaround

Apply hotfix HFBM-0094, available for download from the HelpSystems Community Portal.

This hotfix includes an updated boks_bccasd that uses OpenSSL version 1.0.1q and includes corrected ABAC code, where the problems have been fixed.
This also includes two new operators for the "match" expressions in ABAC rules which improves the expressive power of the syntax: "in~" and "in?", which allows pattern matching in lists. (Analogous to "=~" and "=?").


Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: May 25, 2018