A number of security vulnerabilities have been found in the widely adopted OpenSSL library, and the corresponding security advisory was released on 07 December 2017 (see www.openssl.org/news/secadv/20171207.txt).
In addition, an old attack approach (Bleichenbacher's padding-oracle attack against RSA PKCS #1 v1.5 key exchange) has been found to still work against some servers. The researchers used it to perform private-key operations, such as signing a message, with keys belonging to servers owned by PayPal, Facebook and others, without extracting the keys themselves (see robotattack.org).
comForte uses a deep port of OpenSSL in a number of products; this article discusses the impact of each vulnerability on those products. The comForte products concerned are:
- Securlib/SSL, Securlib/SSL-AT
- HPE products HPE NonStop cF SSL Library, HPE NonStop cF SSL-AT Library
One of the published OpenSSL vulnerabilities (CVE-2017-3737, see below) has the potential to cause a security issue in customer software that uses the library products identified above.
OpenSSL's advisory covers the following two vulnerabilities; the comForte risk assessment for each is given in the table.
| CVE # | CVE description | comForte risk assessment |
|---|---|---|
| CVE-2017-3737 | Read/write after SSL object in error state | COMFORTE MEDIUM RISK |
| CVE-2017-3738 | rsaz_1024_mul_avx2 overflow bug on x86_64 | COMFORTE NOT AFFECTED |
The ROBOT attack covers numerous vulnerabilities in multiple products (refer to https://robotattack.org), but the OpenSSL releases used to build the current and recent releases of the comForte and HPE products have not been identified as vulnerable. Note that although Facebook was using OpenSSL, the vulnerability on its servers was caused by Facebook's own patch to the OpenSSL code, not by stock OpenSSL.
Our current risk assessment for the ROBOT attack is: COMFORTE NOT AFFECTED
Detailed Analysis of vulnerability CVE-2017-3737
We have chosen not to repeat the text of the original OpenSSL announcement; see https://www.openssl.org/news/secadv/20171207.txt if needed. In short: OpenSSL 1.0.2 places the SSL object in an error state when a fatal error occurs during the handshake, but because of this bug a subsequent SSL_read() or SSL_write() is not rejected, and the data is passed to the SSL object without being encrypted.
Software that uses one of the library products identified above and does not check the return code of the connection or handshake call (the socket functions for the SSL-AT products, the SSL library functions for the SSL libraries) before writing to the connection may therefore be exposed to this defect and transmit data in the clear, as described in the OpenSSL advisory.
Only software that uses the following library versions is affected:
• HPE NonStop cF SSL Library, HPE NonStop cF SSL-AT Library versions AAV, AAW, AAX, ABA
• comForte Securlib/SSL versions 0061, 0062, 0064, 0065, 0066
• comForte Securlib/SSL-AT versions 1.12, 1.13, 1.15, 1.16, 1.17
comForte will update the affected software in the next release. Until then, customers using an affected version of the library should verify that their application checks the return code of every call to the socket functions (comForte Securlib/SSL-AT and HPE NonStop cF SSL-AT) or the SSL library functions (Securlib/SSL and HPE NonStop cF SSL Library) before sending data, and never continues to write after a failed handshake.
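As an added illustration of the check recommended above (this is not code from comForte, HPE or OpenSSL, and is not part of the original advisory), the following Python script scans C source for calls to the OpenSSL handshake functions SSL_connect(), SSL_accept() and SSL_do_handshake() whose return value is discarded, which is the application pattern that turns CVE-2017-3737 into cleartext on the wire. The embedded C fragment is constructed for the demonstration, and the detection is a textual heuristic rather than a C parser: it flags a bare call or a call cast to void, but it cannot see a result that is stored in a variable and then never tested.

```python
import re
from typing import Iterable, List, Tuple

# OpenSSL handshake entry points whose return value decides whether the SSL
# object may be written to. Ignoring a failure here and calling SSL_write()
# anyway is the application pattern that CVE-2017-3737 turns into cleartext.
HANDSHAKE_FUNCS: Tuple[str, ...] = ("SSL_connect", "SSL_accept", "SSL_do_handshake")

_LINE_COMMENT = re.compile(r"//.*$")
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/")
_CAST_TO_VOID = re.compile(r"\(\s*void\s*\)\s*$")
_BARE_ELSE = re.compile(r"\belse$")


def _strip_comments(line: str) -> str:
    """Drop // and single-line /* */ comments so commented-out calls are skipped."""
    return _LINE_COMMENT.sub("", _BLOCK_COMMENT.sub("", line))


def _result_discarded(prefix: str) -> bool:
    """Decide from the text preceding a call on the same line whether its
    return value is dropped: only a statement boundary precedes the call,
    the call follows a bare 'else', or the result is cast to void."""
    p = prefix.strip()
    if p == "" or p.endswith((";", "{", "}", ":")):
        return True
    return bool(_CAST_TO_VOID.search(p) or _BARE_ELSE.search(p))


def find_unchecked_calls(source: str,
                         funcs: Iterable[str] = HANDSHAKE_FUNCS) -> List[Tuple[int, str, str]]:
    """Return (line_number, function, source_line) for every call to one of
    `funcs` whose return value is discarded. Heuristic only: a result that is
    assigned to a variable but never tested is not detected."""
    call_re = re.compile(r"\b(%s)\s*\(" % "|".join(re.escape(f) for f in funcs))
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = _strip_comments(raw)
        for m in call_re.finditer(line):
            if _result_discarded(line[:m.start()]):
                findings.append((lineno, m.group(1), raw.strip()))
    return findings


# Constructed C fragment for the demonstration; not code from any product.
SAMPLE_C = """\
int vulnerable_client(SSL *ssl, const char *msg)
{
    SSL_connect(ssl);                         /* handshake result ignored */
    return SSL_write(ssl, msg, strlen(msg));  /* may leave in the clear on 1.0.2 */
}

int fixed_client(SSL *ssl, const char *msg)
{
    int ret = SSL_connect(ssl);
    if (ret != 1)
        return SSL_get_error(ssl, ret);       /* never write after a failed handshake */
    return SSL_write(ssl, msg, strlen(msg));
}

int sloppy_server(SSL *ssl)
{
    (void)SSL_accept(ssl);                    // result explicitly discarded
    while (SSL_do_handshake(ssl) <= 0) { }    // checked: result is tested
    return 0;
}
"""


def report(source: str = SAMPLE_C) -> List[str]:
    """One human-readable line per unchecked handshake call."""
    return ["line %d: return value of %s() is not checked: %s" % f
            for f in find_unchecked_calls(source)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

For the SSL-AT products, where the library is reached through ordinary socket calls rather than the SSL API, the same scan can be pointed at the socket function names the application actually uses by passing them in `funcs`. Treat the output as a starting list for manual review, not as proof of absence: a handshake result that is stored and then ignored still has to be found by reading the code.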