This article applies to BoKS 6.7. For information regarding BoKS 7.0, see Hotfix: Alternative chains certificate forgery, BoKS 7.0 (HFBM-0076).

The problem described in this article was introduced in the version of OpenSSL used in HFBM-0072 (fix for CVE-2015-1788).

The hotfix referred to here (HFBM-0075) supersedes HFBM-0072. You do not need to uninstall HFBM-0072 before installing HFBM-0075 as it will replace all affected binaries.


Problem

The OpenSSL Security Advisory published on 11 Jun 2015 (https://www.openssl.org/news/secadv_20150611.txt) lists a number of vulnerabilities in the OpenSSL toolkit used in BoKS Manager.
Of the seven vulnerabilities mentioned in the Security Advisory, only one affects BoKS Manager and BoKS Server Agent for Unix/Linux.

CVE-2015-1788 - Malformed ECParameters causes infinite loop

On 9 Jul 2015, another OpenSSL Security Advisory was published (http://openssl.org/news/secadv_20150709.txt) covering CVE-2015-1793 (alternative chains certificate forgery). This vulnerability was introduced into BoKS by HFBM-0072, because the OpenSSL release shipped with that hotfix is an affected one. Hotfix HFBM-0075 fixes both CVE-2015-1788 and CVE-2015-1793.

The following BoKS 6.7 SSL/TLS server applications are affected. The M/R/A after the application path indicates whether the application runs on the Master (M), Replica (R) and/or Server Agent (A).


$BOKS_lib/httpsrv (M) - Old BoKS administration GUI
$BOKS_lib/boks_bccasd (M) - Administration server
$BOKS_lib/boks_sslproxy (M/R/A) - BoKS Desktop telnet proxy


Solution

Apply hotfix HFBM-0075, available for download from the HelpSystems Community Portal.

With this hotfix the BoKS SSL/TLS applications listed above are upgraded to use OpenSSL version 1.0.1p, in which both CVE-2015-1788 and CVE-2015-1793 are fixed.



Last Modified On: May 25, 2018