Summary

BoKS Manager, BoKS Server Agent for Unix/Linux: Impact and remediation for the OpenSSL vulnerabilities listed in this advisory.

Description

The OpenSSL Security Advisory published on 05 Jun 2014
(https://www.openssl.org/news/secadv_20140605.txt) lists a number of
vulnerabilities in the OpenSSL toolkit used in BoKS Manager.
Of the seven vulnerabilities mentioned in the Security Advisory,
the following three affect BoKS Manager and BoKS Server Agent for UNIX:

  • CVE-2014-0224 - SSL/TLS MITM vulnerability
  • CVE-2014-3470 - Anonymous ECDH denial of service
  • CVE-2014-0076 - Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack
The following BoKS SSL/TLS client and server applications are affected.
The M/R/A after the application path indicates whether the application is
running on Master, Replica and/or (Server) Agent respectively.

SSL server applications
-----------------------
$BOKS_lib/httpsrv (M) - Old BoKS GUI
$BOKS_lib/boks_bccasd (M) - Administration server
$BOKS_lib/boks_autoregisterd (M) - Auto-registration service
$BOKS_lib/boks_pwmd (M) - Optional extension package
$BOKS_lib/boks_csspd (M/R) - BoKS Desktop authentication
$BOKS_lib/boks_sslproxy (M/R/A) - BoKS Desktop telnet proxy

SSL client applications
-----------------------
$BOKS_sbin/adgroup (M) - AD Bridge administration
$BOKS_lib/ldapsearch (M) - adsync, ldapusersync
$BOKS_lib/ldapmodify (M) - currently not used
$BOKS_lib/crldownload_ldap (M) - CRL download
$BOKS_lib/curl (M) - CRL download
$BOKS_lib/ems/modules/emsldap (M) - Event system LDAP connector
$BOKS_lib/ca_onestep_prg (M) - Cert request to external CA

$BOKS_lib/auth/modules/hpsaauth (M/R) - BoKS Desktop external auth
$BOKS_lib/auth/modules/ldapauth (M/R) - BoKS Desktop external auth
$BOKS_sbin/adjoin (M/R/A) - AD membership administration
$BOKS_lib/boks_safeword (M/R/A) - BoKS safeword auth
$BOKS_lib/ldapauth (M/R/A) - BoKS LDAP auth
$BOKS_lib/boks_autoregister (M/R/A) - Auto-registration

Answer

For BoKS Manager / Server Agent for Unix/Linux 6.7:
Apply the hotfix HFBM67-0047, available from the HelpSystems Community Portal.

With this hotfix, BoKS SSL/TLS applications are upgraded to use OpenSSL version
1.0.0m, in which the vulnerabilities listed in the security advisory have been fixed.

For BoKS Manager / Server Agent for Unix/Linux 6.6:
Apply the hotfix HFBM66-0047, available from the HelpSystems Community Portal.

With this hotfix, BoKS SSL/TLS applications are upgraded to use OpenSSL version
1.0.1h, in which the vulnerabilities listed in the security advisory have been fixed.

For BoKS Manager / Server Agent for Unix/Linux 6.5.x:
Apply hotfix TFS140609-014911, available from the HelpSystems Community Portal.

This hotfix upgrades the OpenSSL version used for SSL/TLS communication in BoKS Manager 6.5
to version 0.9.8za, which is not affected by the above vulnerabilities.
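After a hotfix has been applied, the OpenSSL release actually built into the listed binaries can be verified directly. The following shell script is an added example, not part of this advisory or of BoKS; it assumes each binary embeds a static "OpenSSL x.y.z <date>" banner (as a statically linked OpenSSL does), that BOKS_lib and BOKS_sbin are set as in the paths above, and the function names openssl_ver_ge, fixed_version_for, embedded_openssl_version and check_binary are chosen here.

```shell
# Added example, not from the advisory or from BoKS: report the OpenSSL release
# found in each BoKS binary the advisory lists. Assumes a static "OpenSSL x.y.z
# <date>" banner in the binary and BOKS_lib/BOKS_sbin set as in the advisory.
# openssl_ver_ge A B: exit 0 when release A is the same as or newer than B.
# Numeric fields compare as integers; the letter suffix compares by length first
# (0.9.8za is newer than 0.9.8y), then alphabetically.
openssl_ver_ge() {
    a_num=${1%%[a-z]*}; a_sfx=${1#"$a_num"}
    b_num=${2%%[a-z]*}; b_sfx=${2#"$b_num"}
    old_ifs=$IFS; IFS=.; set -- $a_num $b_num; IFS=$old_ifs
    a_int=$(($1 * 10000 + $2 * 100 + $3)); b_int=$(($4 * 10000 + $5 * 100 + $6))
    [ "$a_int" -gt "$b_int" ] && return 0
    [ "$a_int" -lt "$b_int" ] && return 1
    [ ${#a_sfx} -gt ${#b_sfx} ] && return 0
    [ ${#a_sfx} -lt ${#b_sfx} ] && return 1
    expr "$a_sfx" \< "$b_sfx" >/dev/null && return 1
    return 0
}
# fixed_version_for VERSION: the fixed release the advisory names for VERSION's
# OpenSSL branch; empty when the advisory does not cover that branch.
fixed_version_for() {
    case $1 in
        1.0.1*) echo 1.0.1h ;;  1.0.0*) echo 1.0.0m ;;
        0.9.8*) echo 0.9.8za ;; *) echo "" ;;
    esac
}
# embedded_openssl_version FILE: first "OpenSSL x.y.z" banner found in FILE.
embedded_openssl_version() {
    tr -c '[:print:]' '\n' < "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}
# check_binary FILE: 0 = fixed, 1 = still vulnerable, 2 = missing or unrecognised.
check_binary() {
    [ -f "$1" ] || { echo "$1: not installed"; return 2; }
    ver=$(embedded_openssl_version "$1"); fixed=$(fixed_version_for "$ver")
    [ -n "$fixed" ] || { echo "$1: banner '${ver:-none}' not recognised"; return 2; }
    if openssl_ver_ge "$ver" "$fixed"; then
        echo "$1: OpenSSL $ver (fixed release $fixed) OK"; return 0
    fi
    echo "$1: OpenSSL $ver is older than $fixed, hotfix not applied"; return 1
}
# Scan every binary from the advisory's server and client lists.
for bin in $BOKS_lib/httpsrv $BOKS_lib/boks_bccasd $BOKS_lib/boks_autoregisterd \
    $BOKS_lib/boks_pwmd $BOKS_lib/boks_csspd $BOKS_lib/boks_sslproxy $BOKS_sbin/adgroup \
    $BOKS_lib/ldapsearch $BOKS_lib/ldapmodify $BOKS_lib/crldownload_ldap $BOKS_lib/curl \
    $BOKS_lib/ems/modules/emsldap $BOKS_lib/ca_onestep_prg $BOKS_lib/auth/modules/hpsaauth \
    $BOKS_lib/auth/modules/ldapauth $BOKS_sbin/adjoin $BOKS_lib/boks_safeword \
    $BOKS_lib/ldapauth $BOKS_lib/boks_autoregister; do
    check_binary "$bin" || :    # keep scanning after a failed check
done
```

A binary reported as "not recognised" either links OpenSSL dynamically (check the shared library's version instead) or carries a branch this advisory does not cover.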


Last Modified On: May 25, 2018