Summary

BoKS Desktop: Impact and remediation for the OpenSSL vulnerabilities listed in this advisory

Issue Description

The OpenSSL Security Advisory published on 05 Jun 2014
(https://www.openssl.org/news/secadv_20140605.txt) lists a number of
vulnerabilities in the OpenSSL toolkit used in BoKS Desktop.
Of the seven vulnerabilities mentioned in the Security Advisory,
the following three affect BoKS Desktop:

  • CVE-2014-0224 - SSL/TLS MITM vulnerability
  • CVE-2014-3470 - Anonymous ECDH denial of service
  • CVE-2014-0076 - Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack

Note that, as stated in the OpenSSL advisory, CVE-2014-0224 can only be exploited between a vulnerable client and a vulnerable server, so the BoKS Manager side of the SSL/TLS connection must be patched as well, and CVE-2014-3470 affects clients only.

Resolution / Workaround

These vulnerabilities can be remediated by applying the hotfixes listed below, per product version. All hotfixes can be downloaded from the Fox Technologies Customer Support website.

For BoKS Desktop 6.6:

dt66x64hotfix14case140609-014914.msi upgrades the OpenSSL version in BoKS Desktop 6.6 used in SSL/TLS communication to version 1.0.0m.

For BoKS Desktop 6.6 Biometric:

dt66x86BIOHotfix7case140609-014914.msi upgrades the OpenSSL version in BoKS Desktop 6.6 Biometric used in SSL/TLS communication to version 1.0.0m.

For BoKS Desktop 6.5.1:

dt651hotfix12case140609-014914.msi upgrades the OpenSSL version in BoKS Desktop 6.5.1 used in SSL/TLS communication to version 0.9.8za.

For BoKS Desktop 6.5 TSE:

dt65TSEHotFix7case140609-014914.msi upgrades the OpenSSL version in BoKS Desktop 6.5 TSE used in SSL/TLS communication to version 0.9.8za.
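The hotfixes above bring each product line up to the fixed release for its OpenSSL branch (0.9.8za, 1.0.0m or 1.0.1h in the 05 Jun 2014 advisory). The script below is an added example, not Fox Technologies code, for verifying that after deployment: it parses the old-style OpenSSL version string (bare, or as printed by `openssl version`) into a tuple that sorts in release order, handling the a..z, za, zb, ... patch-letter scheme, and compares it with the fixed release for that branch. The host names and banners in SAMPLE_INVENTORY are constructed for illustration; how the version string is collected from a BoKS Desktop installation is left to the reader.

```python
"""Check OpenSSL version strings against the fixed releases listed in the
OpenSSL Security Advisory of 05 Jun 2014 (secadv_20140605.txt).
Added example; not part of the advisory or of BoKS Desktop."""
import re

# Minimum release per branch carrying the 05 Jun 2014 fixes (from the advisory).
# Pre-release 1.0.2 betas are deliberately not handled.
FIXED_BY_BRANCH = {
    (0, 9, 8): "0.9.8za",
    (1, 0, 0): "1.0.0m",
    (1, 0, 1): "1.0.1h",
}

# Old-style OpenSSL version: major.minor.fix plus optional patch letters.
# The negative lookahead rejects pre-release forms such as "1.0.2-beta1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?![\w.-])")


def parse_openssl_version(text):
    """Extract an old-style OpenSSL version from `text` (for example '0.9.8za'
    or the banner 'OpenSSL 1.0.1h 5 Jun 2014') and return a tuple that sorts
    in OpenSSL release order.

    Patch letters run a..z and then za, zb, ...; a longer suffix is therefore
    always newer than a shorter one, and equal-length suffixes compare
    alphabetically. Encoding the suffix as (len, suffix) gives that order.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no release-style OpenSSL version in %r" % text)
    major, minor, fix, patch = m.groups()
    return (int(major), int(minor), int(fix), len(patch), patch)


def is_patched(version_text):
    """Return (patched, required): whether `version_text` is at or above the
    fixed release for its branch, and what that fixed release is.
    Branches not covered by the advisory raise ValueError."""
    key = parse_openssl_version(version_text)
    branch = key[:3]
    if branch not in FIXED_BY_BRANCH:
        raise ValueError("no fixed release known for branch %d.%d.%d" % branch)
    required = FIXED_BY_BRANCH[branch]
    return key >= parse_openssl_version(required), required


# Constructed sample inventory (hypothetical hosts): host -> version banner
# reported by the OpenSSL build bundled with the client.
SAMPLE_INVENTORY = {
    "desk-01": "OpenSSL 1.0.0m 5 Jun 2014",     # 6.6 after the hotfix
    "desk-02": "OpenSSL 1.0.0l 6 Jan 2014",     # 6.6 before the hotfix
    "desk-03": "OpenSSL 0.9.8za 5 Jun 2014",    # 6.5.1 / 6.5 TSE after the hotfix
    "desk-04": "OpenSSL 0.9.8y 5 Feb 2013",     # 6.5.1 before the hotfix
    "desk-05": "OpenSSL 1.0.1g 7 Apr 2014",     # Heartbleed fix only; still exposed
    "desk-06": "OpenSSL 1.0.2-beta1 24 Feb 2014",  # pre-release: not assessable here
}


def audit(inventory):
    """Map each host to 'patched', 'UNPATCHED (need <release>)' or 'unknown (...)'."""
    report = {}
    for host, banner in inventory.items():
        try:
            ok, required = is_patched(banner)
        except ValueError as exc:
            report[host] = "unknown (%s)" % exc
            continue
        report[host] = "patched" if ok else "UNPATCHED (need %s)" % required
    return report


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print("%-8s %s" % (host, status))
```

A plain string comparison would get this wrong: "0.9.8y" sorts after "0.9.8za" lexically but is an older, unfixed release. The (len, suffix) encoding is what makes 0.9.8za and later (0.9.8zb, ... 0.9.8zh) compare as newer than every single-letter 0.9.8 release.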

For corresponding Advisory Notes for BoKS Manager see Article KBA140701-001065.



Last Modified On: May 25, 2018