OpenSSL 1.0.2j updates for NetIQ Access Manager

The OpenSSL open source project team recently released an update to 1.0.2j with a number of fixes (https://www.openssl.org/news/openssl-1.0.2-notes.html). The Access Gateway component of Access Manager uses this library for cryptographic functions. It is recommended that all the Access Gateways be updated with this latest OpenSSL patch, using the instructions below, to avoid any concerns.

Depending on the Access Gateway platform, different approaches are required to apply the fix.

a) On an Access Manager or Access Gateway Appliance platform: Simply apply the security updates from the Security update channel to have the latest patches applied. The instructions at https://www.netiq.com/documentation/access-manager-42/install_upgrade/data/bowu0bx.html outline how to do this.

b) On a Linux based Access Gateway Service (SLES or RHEL): Apply the instructions from KB 7017580, passing in the filename of novell-nacm-apache-extra-4.1.3-1.0.2j to update to OpenSSL 1.0.2j.

c) On a Windows based Access Gateway Service:  Apply the instructions from KB 7017582, passing in the filename of  Openssl_Win_102j to update to OpenSSL 1.0.2j.

OpenSSL 1.0.2j addresses following CVEs:

• Missing CRL sanity check (CVE-2016-7052)
• OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
• SWEET32 Mitigation (CVE-2016-2183)
• OOB write in MDC2_Update() (CVE-2016-6303)
• Malformed SHA512 ticket DoS (CVE-2016-6302)
• OOB write in BN_bn2dec() (CVE-2016-2182)
• OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
• Pointer arithmetic undefined behaviour (CVE-2016-2177)
• Constant time flag not preserved in DSA signing (CVE-2016-2178)
• DTLS buffered message DoS (CVE-2016-2179)
• DTLS replay protection DoS (CVE-2016-2181)
• Certificate message OOB reads (CVE-2016-6306)