OpenSSL 1.0.1t updates for NetIQ Access Manager

  • 7017583
  • 06-May-2016
  • 10-May-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1

Situation

The OpenSSL open source project team recently released an update to 1.0.1t with a number of fixes (https://www.openssl.org/news/openssl-1.0.1-notes.html). The Access Gateway component of Access Manager uses this library for cryptographic functions. It is recommended that all the Access Gateways be updated with this latest OpenSSL patch, using the instructions below, to avoid any concerns.

Resolution

Depending on the Access Gateway platform, different approaches are required to apply the fix.

a) On an Access Manager or Access Gateway Appliance platform: Simply apply the security updates from the Security update channel to have the latest patches applied. The instructions at https://www.netiq.com/documentation/access-manager-42/install_upgrade/data/bowu0bx.html outline how to do this.

b) On a Linux based Access Gateway Service (SLES or RHEL): Apply the instructions from KB 7017580, passing in the filename of novell-nacm-apache-extra-4.0.8-1.0.1t to update to OpenSSL 1.0.1t.

c) On a Windows based Access Gateway Service:  Apply the instructions from KB 7017582, passing in the filename of novell Openssl_Win_101 to update to OpenSSL 1.0.1t.

Additional Information

OpenSSL 1.0.1t addresses following CVEs:
  • Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
  • Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
  • Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
  • Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
  • EBCDIC overread (CVE-2016-2176)
  • Modify behavior of ALPN to invoke callback after SNI/servername callback, such that updates to the SSL_CTX affect ALPN.
  • Remove LOW from the DEFAULT cipher list. This removes singles DES from the default.
  • Only remove the SSLv2 methods with the no-ssl2-method option.