This article is relevant to BoKS 7.0. For information regarding BoKS 6.7, see Hotfix: Alternative chains certificate forgery [BoKS 6.7] (HFBM-0075).

The problem described in this article was introduced in the version of OpenSSL used in HFBM-0073 (fix for CVE-2015-1788).

This hotfix supersedes HFBM-0073. You do not need to uninstall HFBM-0073 before installing this hotfix, as it replaces all affected binaries.


Description

The OpenSSL Security Advisory published on 11 Jun 2015 (https://www.openssl.org/news/secadv_20150611.txt) lists a number of vulnerabilities in the OpenSSL toolkit used in BoKS Manager. Of the seven vulnerabilities mentioned in the Security Advisory, only one affects BoKS Manager and BoKS Server Agent for UNIX:

CVE-2015-1788 - Malformed ECParameters causes infinite loop.

On 9 Jul 2015, another OpenSSL Security Advisory (CVE-2015-1793) was published (http://openssl.org/news/secadv_20150709.txt). This vulnerability was introduced into BoKS by HFBM-0073. This hotfix fixes both CVE-2015-1788 and CVE-2015-1793.

The following BoKS 7.0 SSL/TLS client and server applications are affected. The M/R/A after the application path indicates whether the application is running on Master, Replica and/or Agent respectively.


$BOKS_lib/boks_bccasd (M) - Administration server
$BOKS_lib/boks_blogrd (R) - Log relay server
$BOKS_lib/boks_blogsd (M) - Log server
$BOKS_lib/boks_ftcd (R/A) - File transfer client
$BOKS_lib/boks_ftsd (M/R) - File transfer server
$BOKS_lib/boks_ksllogsd (M/R) - Remote keystroke log server
$BOKS_lib/kslog (M/R/A) - Keystroke log client




Resolution / Workaround

Apply hotfix HFBM-0076, available for download from the HelpSystems Community Portal.

With this hotfix BoKS SSL/TLS applications are upgraded to use OpenSSL version 1.0.2d, where the vulnerabilities listed in the security advisories have been fixed.
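After applying the hotfix, an administrator will want to confirm that every affected binary listed above now carries the fixed OpenSSL level rather than the one shipped with HFBM-0073. The script below is an added example, not part of this article and not HelpSystems/BoKS code: it greps the OpenSSL version banner that the library embeds in each binary and flags anything that does not report 1.0.2d. It assumes `$BOKS_lib` points at the BoKS library directory (the `/opt/boksm/lib` default is an assumption; set `BOKS_lib` for your host), that the binaries embed an "OpenSSL 1.x.y" banner string, and that missing files are simply roles not installed on this host (an Agent does not carry the Master-only daemons). The sample directory built by `make_sample_dir` is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the hotfix article or from HelpSystems/BoKS):
# report the OpenSSL version embedded in each BoKS SSL/TLS binary the
# article lists, and flag any that is not the fixed 1.0.2d level.
# Assumption: BOKS_lib names the BoKS library directory; the default below
# is assumed, not taken from the article.
BOKS_LIB_DIR="${BOKS_lib:-/opt/boksm/lib}"
FIXED_VERSION="1.0.2d"

# The affected binaries from the article (M/R/A roles omitted; files that are
# not present on this host are skipped rather than reported).
AFFECTED_BINARIES="boks_bccasd boks_blogrd boks_blogsd boks_ftcd boks_ftsd boks_ksllogsd kslog"

# Print the first "OpenSSL 1.x.y[z]" banner found in a file (version only),
# or "unknown" if no banner is present.
openssl_version_of() {
    v=$(grep -a -o 'OpenSSL 1\.[0-9]\.[0-9][a-z]*' "$1" 2>/dev/null | head -n 1 | sed 's/^OpenSSL //')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Check every affected binary under directory $1 and print one
# "<name> <version> <status>" line per binary found.
# Returns 0 when every present binary reports FIXED_VERSION, 1 otherwise.
check_boks_dir() {
    dir="$1"; rc=0
    for b in $AFFECTED_BINARIES; do
        f="$dir/$b"
        [ -f "$f" ] || continue
        v=$(openssl_version_of "$f")
        if [ "$v" = "$FIXED_VERSION" ]; then
            status="ok"
        else
            status="NEEDS-HFBM-0076"; rc=1
        fi
        printf '%s %s %s\n' "$b" "$v" "$status"
    done
    return $rc
}

# Constructed sample: a temp directory with two fake "binaries", one still
# on an older 1.0.2 banner and one on the fixed level. Prints the directory.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'junk\nOpenSSL 1.0.2b 11 Jun 2015\nmore\n' > "$d/boks_ftcd"   # constructed: pre-hotfix banner
    printf 'junk\nOpenSSL 1.0.2d 9 Jul 2015\nmore\n'  > "$d/kslog"       # constructed: patched banner
    printf '%s\n' "$d"
}

# Stand-alone run against the real library directory, if it exists on this host.
[ -d "$BOKS_LIB_DIR" ] && check_boks_dir "$BOKS_LIB_DIR"
```

Run it on each Master, Replica and Agent; a non-zero exit with any `NEEDS-HFBM-0076` line means that host still has a binary linked against the older OpenSSL and the hotfix has not fully replaced it.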



Last Modified On: May 25, 2018