Due to a new problem discovered in OpenSSL (CVE-2015-1793), Hotfix HFBM-0073 has been withdrawn. Please see KB #11621 for updated information.

This article is relevant to BoKS 7.0. For information regarding BoKS 6.7, see Hotfix superseded: HFBM-0072 - CVE-2015-1788 (BoKS 6.7).

Description

The OpenSSL Security Advisory published on 11 Jun 2015 (https://www.openssl.org/news/secadv_20150611.txt) lists a number of vulnerabilities in the OpenSSL toolkit used in BoKS Manager.

Of the seven vulnerabilities mentioned in the Security Advisory, only one affects BoKS Manager and BoKS Server Agent for UNIX:

CVE-2015-1788 - Malformed ECParameters causes infinite loop

The following BoKS 7.0 SSL/TLS client and server applications are affected. The M/R/A after the application path indicates whether the application runs on the Master, a Replica and/or an Agent respectively.

$BOKS_lib/boks_bccasd (M) - Administration server
$BOKS_lib/boks_blogrd (R) - Log relay server
$BOKS_lib/boks_blogsd (M) - Log server
$BOKS_lib/boks_ftcd (R/A) - File transfer client
$BOKS_lib/boks_ftsd (M/R) - File transfer server
$BOKS_lib/boks_ksllogsd (M/R) - Remote keystroke log server
$BOKS_lib/kslog (M/R/A) - Keystroke log client
Resolution / Workaround

Apply hotfix HFBM-0073, available for download from the HelpSystems Community Portal.

With this hotfix, BoKS SSL/TLS applications are upgraded to use OpenSSL version 1.0.2c, in which the vulnerabilities listed in the security advisory have been fixed.

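As an added example (not part of this KB article or of the BoKS product), the following POSIX shell script checks which OpenSSL version a BoKS SSL/TLS application binary was built against and flags anything older than the 1.0.2c level the hotfix delivers. It assumes that the binaries statically link OpenSSL, so that the "OpenSSL x.y.zL  DD Mon YYYY" banner string is embedded in the executable; where libssl is linked dynamically, run it against the shared library instead. The version-to-number mapping and the sample file built at the bottom are the author's own constructions.

```shell
#!/bin/sh
# Added example, not BoKS code. Verify the OpenSSL level embedded in a binary.
# Assumption: OpenSSL is statically linked, so its version banner is a
# printable string inside the executable (true for a typical static build).

MIN_OPENSSL=1.0.2c   # level delivered by the hotfix described in the article

# Print the first "OpenSSL <version>" token found in the file, or "unknown".
openssl_version_in() {
    v=$(tr -c '[:print:]' '\n' < "$1" 2>/dev/null \
        | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# Map an OpenSSL 1.x version string (e.g. 1.0.2c, 1.0.1e, 1.0.2zh) to a
# single integer so the patch letter(s) compare correctly: a=1 ... z=26,
# and a two-letter suffix such as "zh" sorts after any single letter.
ver_num() {
    num=${1%%[a-z]*}        # numeric part, e.g. 1.0.2
    letter=${1#"$num"}      # letter suffix, e.g. c (may be empty)
    l=0
    while [ -n "$letter" ]; do
        ch=${letter%"${letter#?}"}          # first remaining character
        letter=${letter#?}
        l=$(( l * 26 + $(printf '%d' "'$ch") - 96 ))
    done
    a=${num%%.*}; rest=${num#*.}; b=${rest%%.*}; c=${rest#*.}
    echo $(( a * 100000000 + b * 1000000 + c * 1000 + l ))
}

# Return 0 when version $1 is at least version $2.
version_at_least() {
    [ "$(ver_num "$1")" -ge "$(ver_num "$2")" ]
}

# Report one binary: 0 = at or above MIN_OPENSSL, 1 = older, 2 = undetermined.
check_binary() {
    v=$(openssl_version_in "$1")
    if [ "$v" = unknown ]; then
        echo "$1: no OpenSSL version string found (dynamically linked?)"
        return 2
    fi
    if version_at_least "$v" "$MIN_OPENSSL"; then
        echo "$1: OpenSSL $v OK"
        return 0
    fi
    echo "$1: OpenSSL $v is older than $MIN_OPENSSL"
    return 1
}

# Demo on a constructed sample file standing in for a BoKS binary
# (the real paths are $BOKS_lib/boks_ftsd etc. as listed in the article).
sample=$(mktemp)
printf 'junk\001OpenSSL 1.0.1e 11 Feb 2013\001more junk\n' > "$sample"
if check_binary "$sample"; then :; fi
rm -f "$sample"
```

In production the loop would be `for f in $BOKS_lib/boks_bccasd $BOKS_lib/boks_ftsd ...; do check_binary "$f"; done` on each host, filtered by the M/R/A role of that host; a return of 2 means the banner was not found and the check must be repeated on the shared library the binary loads.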

Last Modified On: May 25, 2018