Due to a new problem discovered in OpenSSL (CVE-2015-1793), Hotfix HFBM-0072 has been superseded. Please see Hotfix: Alternative chains certificate forgery [BoKS 6.7] (HFBM-0075) for updated information.

This article is relevant to BoKS 6.7. For information regarding BoKS 7.0, see Hotfix: CVE-2015-1788 in BoKS 7.0 (HFBM-0073).

Problem

The OpenSSL Security Advisory published on 11 Jun 2015 (https://www.openssl.org/news/secadv_20150611.txt) lists a number of vulnerabilities in the OpenSSL toolkit used in BoKS Manager.

Of the seven vulnerabilities mentioned in the Security Advisory, only one affects BoKS Manager and BoKS Server Agent for UNIX:

CVE-2015-1788 - Malformed ECParameters causes infinite loop

The following BoKS 6.7 SSL/TLS server applications are affected. The M/R/A after the application path indicates whether the application is running on Master, Replica and/or Agent respectively.

$BOKS_lib/httpsrv (M) - Old BoKS GUI
$BOKS_lib/boks_bccasd (M) - Administration server
$BOKS_lib/boks_sslproxy (M/R/A) - BoKS Desktop telnet proxy

Solution

Apply hotfix HFBM-0072, available for download from the HelpSystems Community Portal.

With this hotfix BoKS SSL/TLS applications are upgraded to use OpenSSL version 1.0.1o, where the vulnerabilities listed in the security advisory have been fixed.
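A way to confirm the upgrade on each affected application after the hotfix is installed, as an added example that is not part of the HelpSystems article or the BoKS product: the script below reads the "OpenSSL x.y.z" banner that OpenSSL builds embed as a printable string and compares it with the version the hotfix delivers (1.0.1o). It assumes the BoKS SSL/TLS applications carry that banner (i.e. that OpenSSL is built into them rather than loaded from a separate system library), and it uses $BOKS_lib only as the directory name the article gives; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the HelpSystems article or from BoKS): report the
# OpenSSL version banner embedded in a binary and compare it with the
# version expected after a hotfix. Assumes the binary embeds the usual
# "OpenSSL <version> <date>" string that OpenSSL builds carry.

# Print the first "OpenSSL <version>" banner found in the file (without the
# "OpenSSL " prefix), or nothing if no banner is present.
embedded_openssl_version() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" \
        | grep -o 'OpenSSL [0-9][0-9A-Za-z.]*' \
        | head -n 1 \
        | sed 's/^OpenSSL //'
}

# Return 0 when the file reports exactly the expected version
# (default 1.0.1o, the version hotfix HFBM-0072 delivers), 1 otherwise.
check_openssl_version() {
    file=$1
    expected=${2:-1.0.1o}
    found=$(embedded_openssl_version "$file")
    if [ "$found" = "$expected" ]; then
        echo "$file: OpenSSL $found (ok)"
        return 0
    fi
    echo "$file: OpenSSL ${found:-<no banner found>} (expected $expected)"
    return 1
}

# Usage on the affected applications listed in the article, e.g.:
#   for f in "$BOKS_lib/httpsrv" "$BOKS_lib/boks_bccasd" "$BOKS_lib/boks_sslproxy"; do
#       check_openssl_version "$f"
#   done
# A non-zero exit from any of these calls means that application still
# embeds a different OpenSSL version and the hotfix has not taken effect there.
```

Run the loop on the Master for all three applications and on Replicas and Agents for boks_sslproxy, since the M/R/A column above shows that the proxy is the only one of the three that runs outside the Master.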


Last Modified On: May 25, 2018