Security Advisory for Covalent SSL Customers

Wednesday Aug 14th 2002 by Wayne Kawamoto

RSA Security has issued an advisory for RSA's SSL-C libraries, which are used in Covalent's SSL products.

Products Affected: All releases of Covalent SSL for Apache 1.3 and Apache 2.0 platforms:

  • Covalent SSL 1.5.x - 1.6
  • Covalent FastStart 2.x - 3.x
  • Covalent Managed Server
  • Covalent Secure Server
  • Covalent Enterprise Ready Server

Description

On August 8, 2002, RSA Security released an RSA SecureCare alert regarding vulnerabilities in the RSA BSAFE SSL libraries. Covalent has determined that the RSA BSAFE libraries used by Covalent SSL products are affected by these vulnerabilities. RSA has described three separate classes of vulnerabilities, two of which may impact Covalent customers.

Vulnerability 1: Buffer overflow in SSL V2 client key processing, originally described in CAN-2002-0656. This is only a concern if SSL V2 processing is enabled; see the instructions below to disable SSL V2 processing in Covalent products.

Vulnerability 2: Incorrect parsing of malformed client certificate data, caused by errors in the ASN.1 libraries (CAN-2002-0659). This is only a concern if client certificate processing is enabled, which customers rarely implement.

The third vulnerability announced by RSA affects only 64-bit programs running on 64-bit operating systems; no Covalent products are currently compiled in 64-bit mode.

Covalent Response
Covalent recommends that all Covalent SSL customers disable SSL V2 processing. SSL V2 is an older version of SSL that is rarely used by modern browsers; these browsers generally use either SSL v3 or TLS, neither of which is affected. To disable SSL V2 processing, modify the SSLCipherSuite directive(s) in your httpsd.conf file to read as follows:

    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL:!SHA

CMP users should click the Edit icon under Cryptographic Security - SSL on the VHOST properties page, and enter the following string into the SSL Handshake Cyphers text box:

    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL:!SHA
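The cipher string above relies on the difference between `!` (delete permanently) and `+` (only move to the end of the preference order), which is why `!SSLv2` disables SSL V2 where the older default `+SSLv2` merely deprioritised it. The following is an added example, not Covalent's or RSA's code: a small evaluator of the OpenSSL `ciphers(1)` list syntax (assumed here to match what SSL-C accepts) run over a constructed table of suites, so the effect of each token in the recommended string can be inspected offline.

```python
# Added example (not from the advisory): evaluate an SSLCipherSuite string
# over a constructed suite table to see which suites it actually leaves on.
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset  # protocol, key exchange, cipher, MAC, strength class


# Constructed, illustrative sample; names follow OpenSSL conventions but the
# table is not the real suite list of any library.
MASTER = [
    Suite("RC4-MD5", frozenset({"SSLv3", "RSA", "RC4", "MD5", "MEDIUM"})),
    Suite("DES-CBC3-SHA", frozenset({"SSLv3", "RSA", "3DES", "SHA", "HIGH"})),
    Suite("EXP-RC4-MD5", frozenset({"SSLv3", "RSA", "RC4", "MD5", "EXP", "LOW"})),
    Suite("NULL-MD5", frozenset({"SSLv3", "RSA", "eNULL", "MD5"})),
    Suite("ADH-RC4-MD5", frozenset({"SSLv3", "ADH", "RC4", "MD5", "MEDIUM"})),
    Suite("RC4-MD5-SSLv2", frozenset({"SSLv2", "RSA", "RC4", "MD5", "MEDIUM"})),
    Suite("DES-CBC3-MD5-SSLv2", frozenset({"SSLv2", "RSA", "3DES", "MD5", "HIGH"})),
]


def matches(suite, word):
    """ALL means every suite except eNULL; 'RC4+RSA' means both tags."""
    if word == "ALL":
        return "eNULL" not in suite.tags
    return all(t in suite.tags for t in word.split("+"))


def cipher_list(spec):
    """Return suite names in preference order after applying spec left to right."""
    chosen, killed = [], set()
    for token in filter(None, spec.split(":")):
        op, word = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        hits = [s for s in MASTER if matches(s, word)]
        if op == "!":    # permanent removal: a later plain token cannot re-add it
            killed.update(hits)
            chosen = [s for s in chosen if s not in killed]
        elif op == "-":  # soft removal: a later plain token may re-add it
            chosen = [s for s in chosen if s not in hits]
        elif op == "+":  # reorder only: move already-chosen matches to the end
            chosen = [s for s in chosen if s not in hits] + [s for s in chosen if s in hits]
        else:            # plain word: append new matches unless permanently killed
            chosen += [s for s in hits if s not in chosen and s not in killed]
    return [s.name for s in chosen]


def offers_sslv2(spec):
    """True if any suite left enabled by spec is an SSL V2 suite."""
    names = set(cipher_list(spec))
    return any(s.name in names and "SSLv2" in s.tags for s in MASTER)
```

Running the recommended string through it also shows that the trailing `!SHA` removes every suite using the SHA MAC, so check the resulting list still contains the suites you intend to serve.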

Covalent customers using client certificate authentication should contact Covalent support for further information. Covalent expects to provide updated SSL modules beginning the week of August 26th that will contain the long-term solution for these vulnerabilities. If you have additional questions, please contact Covalent at support@covalent.net, or log an incident through your on-line support console.