This article applies to BoKS 7.0.0

Description

The OpenSSL Security Advisory published on 3 Dec 2015 (https://www.openssl.org/news/secadv_20151203.txt) lists a number of vulnerabilities in the OpenSSL toolkit used in BoKS Manager. Of the five vulnerabilities mentioned in the Security Advisory, one is regarded as serious and in need of hotfixing: CVE-2015-3194 "Certificate verify crash with missing PSS parameter".

This vulnerability can be exploited to perform denial-of-service attacks against BoKS SSL/TLS servers that authenticate connecting clients with client certificates. The following BoKS 7.0 SSL/TLS server applications are affected; the M/R after the application path indicates whether the application runs on the Master and/or a Replica.

$BOKS_lib/boks_bccasd (M) - Administration server
$BOKS_lib/boks_blogsd (M) - Log server
$BOKS_lib/boks_ftsd (M/R) - File transfer server
$BOKS_lib/boks_ksllogsd (M/R) - Remote keystroke log server

Resolution / Workaround

Apply hotfix HFBM-0096, available for download from the HelpSystems Community Portal.

This hotfix upgrades the OpenSSL shared library used by the above SSL/TLS server applications to version 1.0.2e, where the vulnerability has been fixed.
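A host-side check to confirm that the hotfix actually took effect on each affected daemon is not part of this article; the script below is an added example, not HelpSystems or BoKS code. It walks the four daemons listed above, finds the libcrypto each one is dynamically linked against, reads the OpenSSL banner out of that library and compares it with 1.0.2e using the 1.0.x letter-suffix ordering. It assumes dynamic linking, a GNU/Linux-style ldd and the strings utility, and that $BOKS_lib names the BoKS library directory (the default path below is a placeholder to adjust for your installation).

```shell
#!/bin/sh
# Added example (not part of the HelpSystems advisory): report which OpenSSL
# library each affected BoKS 7.0 daemon loads and whether it is at or above
# 1.0.2e, the version HFBM-0096 installs. Assumes the daemons are dynamically
# linked, that ldd and strings are available, and that $BOKS_lib points at the
# BoKS library directory (the default below is an assumed placeholder).

BOKS_lib="${BOKS_lib:-/opt/boksm/lib}"
FIXED_VERSION=1.0.2e

# Daemons named in the advisory (M = Master, R = Replica).
AFFECTED_DAEMONS="boks_bccasd boks_blogsd boks_ftsd boks_ksllogsd"

# Pull the version out of an OpenSSL banner such as "OpenSSL 1.0.2e 3 Dec 2015"
# (first match wins when several lines are passed in); prints nothing on no match.
extract_openssl_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# ASCII code of the first character of $1, or 0 for an empty suffix, so that
# "1.0.2" (no letter) sorts before "1.0.2a".
suffix_ord() {
    c=$(printf '%s' "$1" | cut -c1)
    if [ -z "$c" ]; then echo 0; else printf '%d' "'$c"; fi
}

# Exit 0 if OpenSSL version $1 is >= $2 under the 1.0.x letter-suffix scheme.
openssl_version_ge() {
    n1=$(printf '%s' "$1" | sed 's/[a-z].*$//')   # numeric part, e.g. 1.0.2
    n2=$(printf '%s' "$2" | sed 's/[a-z].*$//')
    l1=$(printf '%s' "$1" | sed 's/^[0-9.]*//')   # letter suffix, e.g. e
    l2=$(printf '%s' "$2" | sed 's/^[0-9.]*//')
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$n1" | cut -s -d. -f"$i"); a=${a:-0}
        b=$(printf '%s' "$n2" | cut -s -d. -f"$i"); b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    # numeric parts equal: the letter suffix decides
    [ "$(suffix_ord "$l1")" -ge "$(suffix_ord "$l2")" ]
}

# Version string of the libcrypto a binary is linked against, or "unknown".
linked_openssl_version() {
    lib=$(ldd "$1" 2>/dev/null | awk '/libcrypto/ { print $3; exit }')
    if [ -z "$lib" ] || [ ! -r "$lib" ]; then echo unknown; return 0; fi
    v=$(extract_openssl_version "$(strings "$lib")")
    echo "${v:-unknown}"
}

# Walk the affected daemons; exit 1 if any of them loads an OpenSSL older than
# $FIXED_VERSION or its version cannot be read. Daemons not installed here are skipped.
check_boks_daemons() {
    status=0
    for d in $AFFECTED_DAEMONS; do
        bin="$BOKS_lib/$d"
        if [ ! -x "$bin" ]; then
            echo "$bin: not present on this host, skipped"
            continue
        fi
        v=$(linked_openssl_version "$bin")
        if [ "$v" = unknown ]; then
            echo "$bin: could not determine OpenSSL version, inspect manually"
            status=1
        elif openssl_version_ge "$v" "$FIXED_VERSION"; then
            echo "$bin: OpenSSL $v, OK"
        else
            echo "$bin: OpenSSL $v, VULNERABLE to CVE-2015-3194 (apply HFBM-0096)"
            status=1
        fi
    done
    return "$status"
}

check_boks_daemons
```

Run it on the Master and on each Replica after applying HFBM-0096; the exit status is non-zero whenever a daemon is found with a pre-1.0.2e library or a library whose version cannot be read, so it can be dropped into a post-patch verification job. A daemon that ldd reports as statically linked shows up as "unknown" and has to be checked by other means.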

See also

The corresponding Advisory Notice: Advisory: CVE-2015-3194 Certificate verify crash with missing PSS parameter.


Last Modified On: May 25, 2018