NISCC vulnerability advisory on SSL (secure sockets layer) and TLS (transport layer security) protocols.

(Last modified: 03Aug2004)

This document (10087450) is provided subject to the disclaimer at the end of this document.

goal

NISCC vulnerability advisory on SSL (secure sockets layer) and TLS (transport layer security) protocols.

fact

OpenSSL security vulnerabilities described in CERT® Advisories CAN-2003-0543 (VU#255484), CAN-2003-0544 (VU#380864), VU#686224, and VU#732952.

fix

Novell has reviewed our application portfolio to identify products affected by the vulnerabilities reported by the NISCC. We have made the necessary changes to our products that use OpenSSL code.  Customers are urged to monitor our web site for patches to versions of our products that they use and apply them expeditiously.

Consolidated product update information:

Security Update 5:  http://support.novell.com/filefinder .  Search for secupd*.  The latest file as of 8/3/2004 is secupd5.tgz.
This file contains fixes in NILE, NTLS, PKI, and LDAPSDK.  These products have been delivered through many Novell products.  Listed below is general information about who needs to apply the patch and the procedure to apply it. 

note

Security Update 5 was posted 8/3/2004 replacing Security Update 4 (secupd4.tgz). 

Security Update 5 contains additional bug fixes to some of the same files contained in the previous Security Update patches, although none of the fixes in this patch relate to security vulnerabilities.  Security Update 4 was the last patch that contained security vulnerability issues, but the only changes between Security Update 1 and Security Update 4 were installation script issues, not actual updates to the files being installed.


For more information about what was addressed in the install scripts, see the solution titled "eDirectory upgrade fails".

fix

For more detailed information, please review the readme associated with this patch.

All versions of eDirectory prior to 8.7.3 on all platforms are affected by the SSL/TLS ASN.1 decoder vulnerabilities. Novell has provided an update for eDirectory 8.7.1 for all platforms that corrects the current issues.
 
To secure your environment, the following path is recommended:

-Unix Customers running the following versions of eDirectory
 -- eDirectory 8.0    - Upgrade to eDirectory 8.7.1 and then apply the Security Update 5 patch
 -- eDirectory 8.5    - Upgrade to eDirectory 8.7.1 and then apply the Security Update 5 patch
 -- eDirectory 8.6.2  - Upgrade to eDirectory 8.7.1 and then apply the Security Update 5 patch
 -- eDirectory 8.7.x  - Apply the Security Update 5 patch

-Windows Customers running the following versions of eDirectory
 -- eDirectory 8.0    - Upgrade to eDirectory 8.7.1 and then apply the Security Update 5 patch
 -- eDirectory 8.5    - Upgrade to eDirectory 8.7.1 and then apply the Security Update 5 patch
 -- eDirectory 8.6.2  - Apply the Security Update 5 patch
 -- eDirectory 8.7.x  - Apply the Security Update 5 patch

-NetWare Customers running the following versions of eDirectory
 -- eDirectory 8.x (NDS 8)  - Install the Security Update 5 patch
 -- eDirectory 8.5    - Upgrade to eDirectory 8.7.1 and then apply the Security Update 5 patch
 -- eDirectory 8.6.2  - Install the Security Update 5 patch
 -- eDirectory 8.7.0  - Upgrade to eDirectory 8.7.1 and then apply the Security Update 5 patch
 -- eDirectory 8.7.x  - Install the Security Update 5 patch

Versions of eDirectory prior to 8.7.3 that offer SSL/TLS may be vulnerable until they are upgraded. Customers using eDirectory 8.7.1 or older should consider taking other steps to reduce the likelihood of attack. Preventative measures may include disabling SSL/TLS on public interfaces (those accessible by the general public), or limiting the use of SSL/TLS to trusted machines (trading partners, network administrators, etc.) or to known addresses (using some packet filtering technique to protect the vulnerable server from hostile attack).
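One way to express the "known addresses" packet-filtering measure on a Linux host, as an added example that is not part of the Novell advisory. It prints iptables rules rather than applying them; port 636 (LDAPS), the INPUT chain, and the documentation-range source addresses are assumptions.

```shell
#!/bin/sh
# Prints (does not apply) iptables rules that limit a server's TLS listeners
# to trusted source addresses until the Security Update can be installed.
# Assumptions, not from the advisory: port 636, INPUT chain, sample sources.

# is_ipv4_source ADDR -> 0 if ADDR is a dotted quad with an optional /0-32 prefix
is_ipv4_source() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    addr=${1%/*}; prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    case $addr in *.*.*.*.*) return 1 ;; esac   # more than three dots
    old_ifs=$IFS; IFS=.
    set -- $addr                                # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# tls_allowlist_rules "PORTS" SRC... -> prints rules; returns 1 and prints
# nothing on stdout if any port or source fails validation.
tls_allowlist_rules() {
    ports=$1; shift
    [ $# -gt 0 ] || { echo "no trusted sources given" >&2; return 1; }
    for port in $ports; do
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    done
    for src in "$@"; do
        is_ipv4_source "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    for port in $ports; do
        for src in "$@"; do
            echo "iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT"
        done
        # Everything else reaching the TLS listener is dropped.
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Constructed sample: one trusted partner subnet and one administrator host.
tls_allowlist_rules "636" 192.0.2.0/24 198.51.100.10
```

Review the printed rules against the ports your server actually listens on before loading them.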

For more information about the above listed advisories, visit http://www.cert.org.

NOTE:  There are more reported OpenSSL vulnerabilities at http://www.cert.org than are specifically addressed in the Security Update 4 patch.  Novell has examined all current reports and has found that only the vulnerabilities listed above currently affect shipping Novell products.  The current Novell products (as of 5/23/2004) use OpenSSL version 0.9.6k.  This patch addresses any problems with previous versions of OpenSSL.  As Novell moves forward, releasing new products that consume OpenSSL, due diligence is put forth to ensure that the versions of OpenSSL that are used have remedied all known OpenSSL vulnerabilities.

iChain 2.2:  As of 11/15/03, apply ic22sp2.exe.


Novell International Cryptographic Infostructure (NICI) 2.6.1 or greater:  http://www.novell.com/download.  Choose search by "Product" and select "Novell International Cryptographic Infostructure".  Select the correct NICI for your platform.
These products have been delivered through many Novell products.  Review the readme associated with this patch to verify whether or not it is necessary for your environment.

NetMail 3.10f:  As of 10/21/03 see http://support.novell.com/filefinder/14629/index.html  for the appropriate operating system build.

GroupWise 6 SP4: As of 11/12/03 see http://support.novell.com/filefinder/12886/index.html filename FGW64n7.exe or newer.

GroupWise 6.5 SP2: As of 11/12/03 see http://support.novell.com/filefinder/16963/index.html filename FGW652n3.exe or newer.

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10087450
  • Solution ID: NOVL92875
  • Creation Date: 01Oct2003
  • Modified Date: 03Aug2004
  • Novell Product Class: Connectivity Products, Groupware, NetWare