Cyber Defence Solutions

Apr 19, 2012

OpenSSL Security Advisory 19 Apr 2012 (CVE-2012-2110)

On 19th April 2012 the OpenSSL project published the above advisory. Assuria's products use TLS and cryptographic functionality provided by the widely used OpenSSL library, and this information release updates customers on the matter.

Category: General
Posted by: assuria


The TLS and cryptographic functionality in Assuria's products is provided by the widely used OpenSSL library. On 19th April 2012 the OpenSSL project published a security advisory concerning a vulnerability in the code that parses X.509 certificates and PKCS#12 keystores:

Further information is available on the Full Disclosure mailing list:

Based on the available information, the vulnerability appears to involve the parsing of keys and/or certificates from disk. Assuria therefore considers Assuria Log Manager to be affected by this vulnerability if its keys or certificates are not appropriately secured. However, Assuria Log Manager software by default does not allow non-administrator/root users to modify keys or certificates. Assuria are currently building and testing updated versions of the affected software packages with a non-vulnerable version of OpenSSL.

Assuria Auditor uses only the PEM routines which are not affected by this vulnerability.

However, we recommend that Assuria Log Manager and Assuria Auditor customers check the permissions on their key and certificate files to verify that untrusted users cannot modify them. For Assuria Auditor customers, Assuria will issue a check that will verify that permissions are correctly set on the certificate files.
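The permission check recommended above can be sketched as follows. This is an added example, not Assuria's check or code. It assumes a Unix-like host; the function names and the default of treating only root (uid 0) as a trusted owner are assumptions.

```python
import os
import stat
import sys


def audit_path(path, trusted_uids=(0,)):
    """Return findings for one file or directory; an empty list means it passed."""
    try:
        st = os.stat(path)  # follows symlinks, so the real target is judged
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    findings = []
    if os.path.islink(path):
        findings.append(f"{path}: symlink, also audit the link's own directory")
    if st.st_uid not in trusted_uids:
        findings.append(f"{path}: owned by uid {st.st_uid}, not a trusted account")
    # Group write is reported for review: whether the group is trusted is a local decision.
    if st.st_mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    return findings


def audit_key_material(paths, trusted_uids=(0,)):
    """Audit each key/certificate file plus the directory that holds it.

    A writable parent directory lets a user replace the file by rename,
    even when the file's own mode is strict, so both are checked.
    """
    findings, seen_dirs = [], set()
    for path in paths:
        path = os.path.abspath(path)
        findings += audit_path(path, trusted_uids)
        parent = os.path.dirname(path)
        if parent not in seen_dirs:
            seen_dirs.add(parent)
            findings += audit_path(parent, trusted_uids)
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_keys.py <key-or-cert-file>...  (paths are the operator's own)
    results = audit_key_material(sys.argv[1:])
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```
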

Customers with further questions should contact Assuria Support.

© Copyright 2015  Assuria Limited.  All rights reserved worldwide.