June 2015 OpenSSL Security Advisory

  • 7016602
  • 12-Jun-2015
  • 15-Jun-2015

Environment

Novell Filr
Novell GroupWise
Novell iPrint
Novell Messenger
Novell Open Enterprise Server 11 (OES 11) Linux
Novell Vibe OnPrem
Novell ZENworks Configuration Management

Situation

On June 11th 2015 the OpenSSL project published a security advisory listing 5 vulnerabilities that had been found and fixed in the OpenSSL library. Patched versions of the library were made available concurrent with the announcement. For more information see: http://openssl.org/news/secadv_20150611.txt

Resolution

The listed vulnerabilities are rated low to moderate for Novell products. As such, the updated version of OpenSSL will be included in the next scheduled releases of Novell products.

Additional Information

We provide the following breakdown of the vulnerabilities in the security advisory in order to help you better understand the impact on Novell products.

DHE man-in-the-middle protection (Logjam)
- Low impact. Novell products do not accept the DH_EXPORT cipher suites and are therefore already protected from Logjam. Please see https://support.microfocus.com/kb/doc.php?id=7016528

Malformed ECParameters causes infinite loop (CVE-2015-1788)
Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
- Filr, GroupWise, Messenger, Vibe: Low impact. OpenSSL is not being used for client certificate verification.
- iPrint Appliance, OES, ZENworks: Moderate impact. In certain scenarios OpenSSL is used to perform client certificate verification and may be vulnerable. Patches will be forthcoming.

PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
CMS verify infinite loop with unknown hash function (CVE-2015-1792)
- OES: Components of eDir process PKCS7 content and may be vulnerable. Patches will be forthcoming.
- All other Novell products: Low impact. This functionality is not used.

Race condition handling NewSessionTicket (CVE-2015-1791)
- Low impact as per OpenSSL's severity rating.

Invalid free in DTLS (CVE-2014-8176)
- No impact. Applies to older versions of OpenSSL not in use by Novell products.