OpenSSL 19-Mar-2015 Security Release Vulnerabilities and FREAK

  • Document ID:7021977
  • Creation Date:20-Mar-2015
  • Modified Date:02-Mar-2018
    • Micro Focus Products:
      Extra!
      Host Access for the Cloud (Reflection ZFE)
      Host Access Management and Security Server (MSS)
      InfoConnect Airlines Gateway
      InfoConnect Enterprise Edition
      InfoConnect Print and Transaction Router (PTR)
      Reflection Desktop
      Reflection for Secure IT Client and Server for UNIX
      Reflection for Secure IT Client for Windows
      Reflection for Secure IT Gateway
      Reflection for Secure IT Server for Windows
      Reflection for the Web
      Reflection X (legacy 14.1)
      Reflection X Advantage
      Verastream Bridge Integrator (VBI)
      Verastream Host Integrator (VHI)
      Verastream Process Designer (VPD)

Environment

All Attachmate products

Situation

On 19-Mar-2015, the OpenSSL development team (OpenSSL.org) released new libraries that fix eleven reported vulnerabilities, and reclassified a FREAK vulnerability. This technical note lists applicable vulnerabilities and provides links to additional information.

Resolution

Security Release Vulnerabilities Overview

Five of the eleven new OpenSSL vulnerabilities do not apply as Attachmate products do not yet use the OpenSSL 1.0.2 branch library. Another is a functionality that is not enabled in the Attachmate products and also does not apply.

Product development teams have been investigating the remaining vulnerabilities and their applicability to our products. They are:

CVE-2015-0292: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0292
CVE-2015-0289: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0289
CVE-2015-0288: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0288
CVE-2015-0287: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0287
CVE-2015-0286: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0286
CVE-2015-0208: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0208

FREAK Vulnerability Update

OpenSSL has reclassified a fix for the FREAK vulnerability (CVE-2015-0204) from Low to High: RSA silently downgrades to EXPORT_RSA [Client].

Product Status

The following table provides status information for Attachmate products, as of the Last Reviewed date of this document.

Product
More Info
Extra!
See Security Alerts - Extra!
InfoConnect products
See https://support.microfocus.com/security/
Reflection 2014 products
See Security Alerts - Reflection Desktop
Reflection 14.1 products
See https://support.microfocus.com/security/
Reflection for Secure IT Client for Windows
See https://support.microfocus.com/security/
Reflection for Secure IT Server for Windows
Not vulnerable beginning in version 8.2 hotfix build 131; see https://support.microfocus.com/security/
Reflection for Secure IT UNIX Client and Server
See https://support.microfocus.com/security/
Reflection for UNIX (iOS/Android)
Not vulnerable
Reflection for the Web products
Not vulnerable
Reflection Security Gateway products
Not vulnerable
Reflection ZFE
Not vulnerable
FileXpress Gateway
Not vulnerable beginning in version 1.0 hotfix build 368; see Security Alerts - Reflection for Secure IT Gateway
Verastream Host Integrator
Not vulnerable beginning in version 7.7.30; see https://support.microfocus.com/security/.
Verastream Process Designer
Not vulnerable
Verastream Terminal Client
Not vulnerable
Verastream Bridge Integrator
Not vulnerable

References

For more information, please refer to these OpenSSL.org resources:

Status

Security Alert

Additional Information

Legacy KB ID

This article was originally published as Attachmate technical note 2788.