SECURITY VULNERABILITY BULLETIN

On September 22, 2016, the OpenSSL organization announced the following security vulnerabilities in the OpenSSL library, https://www.openssl.org/news/secadv/20160922.txt.

 

OCSP Status Request extension unbounded memory growth (CVE-2016-6304)

OpenSSL Severity: High

Impact: This is a server vulnerability and our ODBC drivers are not impacted by this.  However, OpenAccess and SequeLink are impacted.

 

SSL_peek() hang on empty record (CVE-2016-6305)

OpenSSL Severity: Moderate

Impact: This is OpenSSL 1.1.0 vulnerability and our ODBC drivers are not impacted.

 

SWEET32 Mitigation (CVE-2016-2183)

OpenSSL Severity: Low

Impact: This flaw is related to the design of the DES/3DES cipher and is not an implementation flaw.

  • To avoid this vulnerability, it is advised to disable the DES/3DES and consider is bad as "RC4"
  • <Mitigation>To disable them from client, customers can use hidden connection option "CipherList".
  • If they are currently not using this option, they should add "DEFAULT:-DES:-3DES" to their DSN.
  • If they are already using this option, they can just add ":-DES:-3DES" to the existing list.

 

OOB write in MDC2_Update() (CVE-2016-6303)

OpenSSL Severity: Low

Impact: We may be impacted by this vulnerability. and there is no mitigation plan for this.

 

Malformed SHA512 ticket DoS (CVE-2016-6302)

OpenSSL Severity: Low

Impact: This is a server vulnerability and our ODBC drivers are not impacted with this.

 

OOB write in BN_bn2dec() (CVE-2016-2182)

OpenSSL Severity: Low

Impact: We may be impacted by this vulnerability. and there is no mitigation plan for this.

 

OOB read in TS_OBJ_print_bio() (CVE-2016-2180)

OpenSSL Severity: Low

Impact: This flaw exists in the RFC 3161 Public Key Infrastructure Time-Stamp Protocol implementation of OpenSSL. This protocol is used for trusted third party timestamps and *is not used with the SSL/TLS protocol*.

 

As our ODBC drivers only support SSL/TLS protocols with OpenSSL, none of our drivers are affected by this CVE.

Our JDBC drivers do not use OpenSSL and are not affected by any OpenSSL vulnerabilities.

 

Pointer arithmetic undefined behavior (CVE-2016-2177)

OpenSSL Severity: Low

Impact: We are impacted by this vulnerability. and there is no mitigation plan for this.

 

Constant time flag not preserved in DSA signing (CVE-2016-2178)

OpenSSL Severity: Low

Impact: We are impacted by this vulnerability. and there is no mitigation plan for this.

 

DTLS buffered message DoS (CVE-2016-2179)

OpenSSL Severity: Low

Impact: This is a server vulnerability and our ODBC drivers are not impacted with this.

 

DTLS replay protection DoS (CVE-2016-2181)

OpenSSL Severity: Low

Impact: This is a server vulnerability and our ODBC drivers are not impacted with this.

 

Certificate message OOB reads (CVE-2016-6306)

OpenSSL Severity: Low

Impact: We are impacted by this vulnerability. attack can only be performed against

a client or a server which enables client authentication. Disable client authentication to mitigate this vulnerability.

 

Excessive allocation of memory in tls_get_message_header() (CVE-2016-6307)

OpenSSL Severity: Low

Impact: Only impact OpenSSL 1.1.0 users, Our ODBC drivers are not impacted.

 

Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)

OpenSSL Severity: Low

Impact: Only impact OpenSSL 1.1.0 users, Our ODBC drivers are not impacted.

 

IMPACT ASSESSMENT

After reviewing the vulnerability scoring from various organizations, Progress DataDirect determined the impact of these vulnerabilities were significant enough to require updating the OpenSSL library used in all of the on-premise ODBC drivers, OpenAccess SDK, and SequeLink.  The OpenSSL library containing the fix is version 1.0.2h. 

Our goal is to update the OpenSSL library as quickly as possible, and each product may be updated at different times.  You may download the latest patches of the product to obtain the updated OpenSSL library.  The version of the OpenSSL library included in the product will be documented in the readme file and/or fixes.txt file.  If you need to confirm your Progress DataDirect product contains the latest OpenSSL library, please contact technical support.