The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of OpenSSL: information disclosure via SSL_read/SSL_write After Error

Synthesis of the vulnerability 

An attacker can exploit an application that keeps calling SSL_read/SSL_write on an OpenSSL connection after a fatal error, in order to obtain sensitive information.
Vulnerable software: ProxySG by Blue Coat, SGOS by Blue Coat, ProxySG by Symantec, SGOS by Symantec, Debian, Unisphere EMC, FreeBSD, hMailServer, AIX, DB2 UDB, QRadar SIEM, Tivoli Storage Manager, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, SRX-Series, MariaDB ~ precise, MySQL Community, MySQL Enterprise, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Fusion Middleware, Solaris, Tuxedo, VirtualBox, WebLogic, Percona Server, pfSense, RHEL, SIMATIC, Slackware, Synology DSM, Synology DS***, Synology RS***, Ubuntu, WinSCP, X2GoClient.
Severity of this announcement: 1/4.
Creation date: 07/12/2017.
References for this vulnerability: 2014324, bulletinapr2018, bulletinjan2018, CERTFR-2017-AVI-452, CERTFR-2018-AVI-376, cpuapr2018, cpujan2018, cpujul2018, cpujul2019, CVE-2017-3737, DSA-2020-062, DSA-4065-1, FreeBSD-SA-17:12.openssl, ibm10715641, ibm10716907, ibm10717405, ibm10717409, ibm10719113, ibm10738249, JSA10851, JSA10873, openSUSE-SU-2017:3345-1, openSUSE-SU-2018:0223-1, openSUSE-SU-2018:1057-1, RHSA-2018:0998-01, SA159, SSA-179516, SSA:2017-342-01, swg21647054, USN-3512-1, VIGILANCE-VUL-24697.

Description of the vulnerability 

OpenSSL 1.0.2b introduced an "error state": once a fatal error has occurred during the handshake, the SSL object is supposed to refuse any further processing. Before 1.0.2n, that state is honoured by SSL_do_handshake but not by SSL_read or SSL_write. An application that ignores the fatal error and keeps calling SSL_read/SSL_write on the same SSL object can therefore have data passed directly to or from the TLS record layer without being encrypted or decrypted, which an attacker on the network path can use to obtain sensitive information. Exploitation requires such an application bug; OpenSSL itself does not continue after the error when the API is used correctly. OpenSSL 1.0.2b through 1.0.2m are affected; 1.1.0 is not affected (CVE-2017-3737).
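As an added triage helper, not part of the Vigil@nce bulletin and not OpenSSL's own code, the following Python classifies an OpenSSL version or package string against the upstream affected range 1.0.2b through 1.0.2m. It also encodes the caveat a practitioner needs when reading the package list below: distribution builds that backport the fix, such as RHEL 7's openssl 1.0.2k-12.el7 or Debian 9's openssl1.0 1.0.2l-2+deb9u2, still report a version inside that range, so a version-string match means "check the package changelog", not "vulnerable". All function and constant names, and the sample inputs, are the example's own.

```python
"""Version-string triage for CVE-2017-3737 (OpenSSL SSL_read/SSL_write after error).

Added example, not OpenSSL's or Vigil@nce's code; names are the example's own.
Upstream affected range: 1.0.2b .. 1.0.2m (the error-state mechanism appeared in
1.0.2b, the fix shipped in 1.0.2n). 0.9.8, 1.0.0, 1.0.1 and 1.1.0 are not affected.
"Not affected" by this CVE says nothing about other issues in an EOL branch.
"""
import re
import ssl

# Matches "1.0.2k" inside banners such as "OpenSSL 1.0.2k-fips  26 Jan 2017"
# and inside package versions such as "1.0.2l-2+deb9u2".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

AFFECTED_FIRST = "b"   # first 1.0.2 letter release carrying the error state
AFFECTED_LAST = "m"    # last release before the 1.0.2n fix


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) from an OpenSSL version or package string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version in %r" % (text,))
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def in_upstream_affected_range(text):
    """True when the upstream release named in text is 1.0.2b .. 1.0.2m."""
    major, minor, fix, letter = parse_openssl_version(text)
    if (major, minor, fix) != (1, 0, 2):
        return False  # 0.9.8zh, 1.0.1u, 1.1.0g, 3.x: other branches, not affected
    # 1.0.2 letter releases use a single lowercase letter ('' for plain 1.0.2 and
    # 'a' for 1.0.2a predate the error state, so they are outside the range).
    return AFFECTED_FIRST <= letter <= AFFECTED_LAST


def triage(text, vendor_patched=False):
    """Classify a version string for this CVE.

    vendor_patched: set True once the package changelog confirms a backported
    fix (e.g. RHEL 7 openssl 1.0.2k-12.el7, Debian 9 openssl1.0 1.0.2l-2+deb9u2);
    such builds keep reporting a version inside the affected range.
    """
    if not in_upstream_affected_range(text):
        return "not affected"
    if vendor_patched:
        return "fixed by vendor backport"
    return "affected upstream version: verify package changelog"


def triage_running_python():
    """Triage the OpenSSL the running interpreter is linked against."""
    return ssl.OPENSSL_VERSION, triage(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample inputs: banner strings and package versions from the bulletin.
    for sample in ("OpenSSL 1.0.2m  2 Nov 2017", "OpenSSL 1.0.2n  7 Dec 2017",
                   "1.0.2k-12.el7", "1.0.2l-2+deb9u2", "0.9.8zh", "1.0.1u",
                   "OpenSSL 1.1.0g  2 Nov 2017", "1.0.2"):
        print("%-30s %s" % (sample, triage(sample)))
    print(*triage_running_python())
```

Run it against `openssl version` output or the package versions from the fix list; anything reported as "affected upstream version" must be resolved from the vendor's changelog or the references above before being called vulnerable.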

Our Vigil@nce team determined that the severity of this weakness is low.

Trust level: confirmed by the vendor. Attack origin: internet client.

Exploiting this weakness requires an expert-level attacker.

Solutions for this threat 

OpenSSL: version 1.0.2n.
The version 1.0.2n is fixed:
  https://www.openssl.org/

Debian 9: new openssl1.0 packages.
New packages are available:
  Debian 9: openssl1.0 1.0.2l-2+deb9u2

Dell EMC Unisphere for PowerMax: solution.
The solution is indicated in information sources.

FreeBSD: patch for OpenSSL.
A patch is available:
  https://security.FreeBSD.org/patches/SA-17:12/openssl-10.patch
  https://security.FreeBSD.org/patches/SA-17:12/openssl-11.patch

hMailServer: version 5.6.7.
The version 5.6.7 is fixed:
  https://www.hmailserver.com/download_getfile/?performdownload=1&downloadid=262

IBM AIX: patch for OpenSSL.
A patch is available:
  https://aix.software.ibm.com/aix/efixes/security/openssl_fix25.tar

IBM Cognos Analytics: version 11.0.13.0.
The version 11.0.13.0 is fixed:
  https://www-01.ibm.com/support/docview.wss?uid=ibm10718809

IBM Cognos Business Intelligence: patch.
A patch is indicated in information sources.

IBM DB2: solution for OpenSSL.
The solution is indicated in information sources.

IBM DB2: version 10.5 Fix Pack 10.
The version 10.5 Fix Pack 10 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24045012

IBM QRadar SIEM: patch for OpenSSL.
A patch is indicated in information sources.

IBM Spectrum Protect: solution for OpenSSL.
The solution is indicated in information sources.

IBM Tivoli Storage Manager: patch for OpenSSL.
A patch is indicated in information sources.

Junos, NSM: solution for OpenSSL.
The solution is indicated in information sources.

Junos Space: solution.
The solution is indicated in information sources.

MariaDB: version 10.0.34.
The version 10.0.34 is fixed:
  https://mariadb.com/downloads/mariadb-tx

MySQL: version 5.5.59.
The version 5.5.59 is fixed:
  https://support.oracle.com/rs?type=doc&id=2336646.1
  https://dev.mysql.com/downloads/mysql/

MySQL: version 5.6.39.
The version 5.6.39 is fixed:
  https://support.oracle.com/rs?type=doc&id=2336646.1
  https://dev.mysql.com/downloads/mysql/

MySQL: version 5.7.21.
The version 5.7.21 is fixed:
  https://support.oracle.com/rs?type=doc&id=2336646.1
  https://dev.mysql.com/downloads/mysql/

openSUSE Leap 42.3: new virtualbox packages.
New packages are available:
  openSUSE Leap 42.3: virtualbox 5.1.36-50.1

openSUSE Leap: new mysql-community-server packages.
New packages are available:
  openSUSE Leap 42.3: mysql-community-server 5.6.39-33.1
  openSUSE Leap 42.2: mysql-community-server 5.6.39-24.15.1

openSUSE Leap: new openssl packages.
New packages are available:
  openSUSE Leap 42.2: openssl 1.0.2j-6.9.1
  openSUSE Leap 42.3: openssl 1.0.2j-16.1

Oracle Communications: CPU of July 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2559239.1
  https://support.oracle.com/rs?type=doc&id=2563691.1
  https://support.oracle.com/rs?type=doc&id=2559240.1
  https://support.oracle.com/rs?type=doc&id=2559722.1
  https://support.oracle.com/rs?type=doc&id=2559225.1
  https://support.oracle.com/rs?type=doc&id=2559721.1
  https://support.oracle.com/rs?type=doc&id=2559256.1
  https://support.oracle.com/rs?type=doc&id=2559242.1
  https://support.oracle.com/rs?type=doc&id=2559243.1
  https://support.oracle.com/rs?type=doc&id=2559648.1

Oracle Fusion Middleware: CPU of April 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2353306.1

Oracle MySQL: version 5.5.60.
The version 5.5.60 is fixed:
  https://support.oracle.com/rs?type=doc&id=2375344.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.5.61.
The version 5.5.61 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.6.40.
The version 5.6.40 is fixed:
  https://support.oracle.com/rs?type=doc&id=2375344.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.6.41.
The version 5.6.41 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.7.22.
The version 5.7.22 is fixed:
  https://support.oracle.com/rs?type=doc&id=2375344.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 5.7.23.
The version 5.7.23 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Oracle MySQL: version 8.0.12.
The version 8.0.12 is fixed:
  https://support.oracle.com/rs?type=doc&id=2417138.1
  https://dev.mysql.com/downloads/mysql/

Oracle Solaris: patch for third party software of April 2018 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Oracle Solaris: patch for third party software of January 2018 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Oracle VM VirtualBox: version 5.1.36.
The version 5.1.36 is fixed:
  https://www.virtualbox.org/

Oracle VM VirtualBox: version 5.2.10.
The version 5.2.10 is fixed:
  https://www.virtualbox.org/

Percona Server for MySQL: version 5.5.59-38.11.
The version 5.5.59-38.11 is fixed:
  https://www.percona.com/

Percona Server for MySQL: version 5.5.60-38.12.
The version 5.5.60-38.12 is fixed:
  https://www.percona.com/

Percona Server for MySQL: versions 5.6.39-83.1 and 5.7.21-20.
Versions 5.6.39-83.1 and 5.7.21-20 are fixed.

Percona Server: version 5.7.22-22.
The version 5.7.22-22 is fixed:
  https://www.percona.com/doc/percona-server/5.7/installation.html

Percona XtraDB Cluster: version 5.7.22-29.26.
The version 5.7.22-29.26 is fixed:
  http://www.percona.com/downloads/Percona-XtraDB-Cluster-57/

pfSense: version 2.3.5-p1.
The version 2.3.5-p1 is fixed:
  https://www.pfsense.org/download/

pfSense: version 2.4.2-p1.
The version 2.4.2-p1 is fixed:
  https://www.pfsense.org/download/

ProxySG: solution for OpenSSL.
The solution is indicated in information sources.

RHEL 7: new openssl packages.
New packages are available:
  RHEL 7: openssl 1.0.2k-12.el7

Siemens SIMATIC: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Slackware: new openssl packages.
New packages are available:
  Slackware 13.0: openssl 0.9.8zh-*-2_slack13.0
  Slackware 13.1: openssl 0.9.8zh-*-2_slack13.1
  Slackware 13.37: openssl 0.9.8zh-*-2_slack13.37
  Slackware 14.0: openssl 1.0.1u-*-1_slack14.0
  Slackware 14.1: openssl 1.0.1u-*-1_slack14.1
  Slackware 14.2: openssl 1.0.2n-*-1_slack14.2

Synology DS/RS: version 6.1.4-15217-3.
The version 6.1.4-15217-3 is fixed:
  https://www.synology.com/

Ubuntu: new libssl1.0.0 packages.
New packages are available:
  Ubuntu 17.10: libssl1.0.0 1.0.2g-1ubuntu13.3
  Ubuntu 17.04: libssl1.0.0 1.0.2g-1ubuntu11.4
  Ubuntu 16.04 LTS: libssl1.0.0 1.0.2g-1ubuntu4.10

WinSCP: version 5.11.3.
The version 5.11.3 is fixed:
  https://sourceforge.net/p/winscp/

X2Go Client: version 4.1.2.0.
The version 4.1.2.0 is fixed:
  https://wiki.x2go.org/doku.php