News

comForte and NonStop News

  • News Article

    Analysis of openssl security vulnerabilities published by openssl.org on 7th December 2017 and the ROBOT attack

    A number of security vulnerabilities have been found in the widely adopted OpenSSL library and a corresponding security advisory was released on 07 December 2017.

     

    Introduction

     

    A number of security vulnerabilities have been found in the widely adopted OpenSSL library and a corresponding security advisory was released on 07 December 2017 (see www.openssl.org/news/secadv/20171207.txt).

     

    In addition, an old attack approach has been found to still be valid on some servers and has been used to obtain the private key of servers owned by PayPal, Facebook and others (see robotattack.org).

     

    comForte uses a deep port of OpenSSL in a number of products and this article discusses the impact of the various vulnerabilities to the various comForte products. The comForte products affected are:

     

    • Securlib/SSL, Securlib/SSL-AT
    • HPE products HPE NonStop cF SSL Library, HPE NonStop cF SSL-AT Library

     

    Overview

     

    One of the OpenSSL vulnerabilities published has the potential to cause a security issue in customer software that uses the library products identified above.

    The following two vulnerabilities have been identified by OpenSSL.

     

    CVE # CVE Description comforte risk assesment
     CVE-2017-3737  Read/write after SSL object in error state  COMFORTE MEDIUM  RISK
     CVE-2017-3738  rsaz_1024_mul_avx2 overflow bug on x86_64  COMFORTE NOT AFFECTED

     

    The ROBOT attack covers numerous vulnerabilities in multiple products (refer to https://robotattack.org), but releases of OpenSSL that are used in building the current and recent releases of comforte and HPE products have not been identified as being vulnerable. Note that while Facebook were using OpenSSL, they had introduced their own patch to the OpenSSL code which caused the vulnerability.


    Our current risk assessment is: COMFORTE NOT AFFECTED

     

     

    Detailed Analysis of vulnerability CVE-2017-3737

     

    We choose to not repeat the text of the original openssl announcement, please see the original link https://www.openssl.org/news/secadv/20171207.txt if needed.

    Software which is using one of the library products identified which does not check return codes on socket operations before write activity on the socket may be vulnerable to this defect, thus transporting data in the clear as described in the vulnerability.


    This will only affect software that uses the following library versions:


        • HPE NonStop cF SSL Library, HPE NonStop cF SSL-AT Library versions AAV, AAW, AAX, ABA
        • comForte Securlib/SSL versions 0061, 0062, 0064, 0065, 0066
        • comForte Securlib/SSL-AT versions 1.12, 1.13, 1.15, 1.16, 1.17


    comForte will update the affected software in the next release. Customers using an affected version of the library should check that they are checking the return code on calls to socket functions (comForte Securlib/SSL-AT and HPE NonStop cF SSL-AT) or the SSL library functions (Securlib/SSL, HPE NonStop cF SSL Library).

     

  • Navigation

    Security News

    Take a look at the latest Security News. 

    Success Stories

    Take a look at the latest Success Stories.

    Company News

    Take a look at the latest Company News.

    Product News

    Take a look at the latest Product News.