On August 8, 2002, RSA Security released an RSA SecureCare alert regarding vulnerabilities in the RSA BSAFE SSL libraries. Covalent has determined that the RSA BSAFE Libraries used by Covalent SSL products are affected by these vulnerabilities. RSA has described three separate classes of vulnerabilities, two of which may impact Covalent customers.
Vulnerability 1: Buffer overflow in SSL V2 client key processing, originally described in CAN-2002-0656. This is only a concern if SSL V2 processing is enabled; see instructions below to disable SSL V2 processing in Covalent products.
Vulnerability 2: Incorrect parsing of malformed client certificate data, caused by errors in the ASN.1 libraries (CAN-2002-0659). This is only a concern if client certificate processing is enabled, which few customers deploy.
The third vulnerability announced by RSA affects only 64-bit programs running on 64-bit operating systems; no Covalent products are currently compiled in 64-bit mode.
Products Affected: All releases of Covalent SSL for Apache 1.3 and Apache 2.0 platforms:
- Covalent SSL 1.5.x - 1.6
- Covalent FastStart 2.x - 3.x
- Covalent Managed Server
- Covalent Secure Server
- Covalent Enterprise Ready Server
Covalent recommends that all Covalent SSL customers disable SSL V2 processing. SSL V2 is an older version of the protocol that modern browsers rarely use; they generally negotiate SSL v3 or TLS, neither of which is affected. To disable SSL V2 processing, modify the SSLCipherSuite directive(s) in your httpsd.conf file to read as follows:
CMP users should click the Edit icon under Cryptographic Security - SSL on the VHOST properties page, and enter the following string into the SSL Handshake Cyphers text box:
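Because every SSL-enabled virtual host must carry (or inherit) the corrected SSLCipherSuite, it is easy to miss one. The following script is an added example, not code from Covalent or from this advisory: it lints an httpsd.conf for the two exposures described above, flagging any SSLCipherSuite that does not exclude the SSL V2 suites, any SSL-enabled context that sets no SSLCipherSuite at all (and so inherits the library default, which still offers SSL V2), and any SSLVerifyClient setting that turns on client certificate processing. It assumes mod_ssl-style directive syntax (SSLEngine on|off, SSLCipherSuite with an OpenSSL-style cipher spec in which "!SSLv2" removes the SSL V2 suites, SSLVerifyClient none|optional|require); the exact cipher string Covalent recommends is not reproduced here, and the sample configuration is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Covalent's code): audit an httpsd.conf for the SSL V2
# and client-certificate exposures in this advisory. Assumes mod_ssl-style
# directives; "!SSLv2" is assumed to be the cipher-spec token that excludes
# the SSL V2 suites. The recommended Covalent string is not reproduced.

# check_ssl_conf FILE
# Prints one finding per relevant directive. Exit status 1 if any SSL-enabled
# context can still negotiate SSL V2, else 0.
check_ssl_conf() {
    awk '
    BEGIN { bad = 0; invh = 0; meng = 0; mcs = 0; n = 0 }
    { sub(/#.*/, "") }                      # strip comments
    /^[ \t]*$/ { next }                     # skip blank lines
    $1 ~ /^<VirtualHost/ {                  # enter a vhost context
        invh = 1; vh = $2; sub(/>$/, "", vh); vhline = NR; veng = 0; vcs = 0
        next
    }
    $1 ~ /^<\/VirtualHost/ {                # leave it: remember if it relies on inheritance
        if (veng && !vcs) pending[n++] = "vhost " vh " (line " vhline ")"
        invh = 0
        next
    }
    tolower($1) == "sslengine" {
        on = (tolower($2) == "on")
        if (invh) veng = on; else meng = on
        next
    }
    tolower($1) == "sslciphersuite" {
        if (invh) vcs = 1; else mcs = 1
        if (tolower($2) ~ /!sslv2/)
            printf "OK    line %d: SSLCipherSuite %s excludes SSL V2\n", NR, $2
        else {
            printf "FAIL  line %d: SSLCipherSuite %s still permits SSL V2\n", NR, $2
            bad = 1
        }
        next
    }
    tolower($1) == "sslverifyclient" && tolower($2) != "none" {
        printf "NOTE  line %d: SSLVerifyClient %s enables client certificate processing (CAN-2002-0659)\n", NR, $2
    }
    END {
        if (meng && !mcs) pending[n++] = "main server"
        # contexts with no SSLCipherSuite of their own are only safe if the
        # main server context sets one (a vhost inherits it)
        if (!mcs)
            for (i = 0; i < n; i++) {
                printf "FAIL  %s: SSLEngine on but no SSLCipherSuite in scope (library default still offers SSL V2)\n", pending[i]
                bad = 1
            }
        exit bad
    }
    ' "$1"
}

# Constructed sample, not a real Covalent configuration: one vhost left on the
# library default, one vhost with SSL V2 excluded and client certs required.
write_sample_conf() {
    cat > "$1" <<'EOF'
# main server context: SSL off, no cipher suite set
SSLEngine off

<VirtualHost 10.0.0.1:443>
    SSLEngine on
    # no SSLCipherSuite: inherits the default, SSL V2 still offered
</VirtualHost>

<VirtualHost 10.0.0.2:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!SSLv2:+HIGH:+MEDIUM
    SSLVerifyClient require
</VirtualHost>
EOF
}

# Same sample after the fix: a server-wide SSLCipherSuite that every vhost inherits.
write_fixed_conf() {
    cat > "$1" <<'EOF'
SSLEngine off
SSLCipherSuite ALL:!ADH:!SSLv2:+HIGH:+MEDIUM

<VirtualHost 10.0.0.1:443>
    SSLEngine on
</VirtualHost>

<VirtualHost 10.0.0.2:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!SSLv2:+HIGH:+MEDIUM
    SSLVerifyClient require
</VirtualHost>
EOF
}

# demo: run the lint over both samples; succeeds only if the unfixed config
# is rejected and the fixed one passes.
demo() {
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    echo "== before =="
    if check_ssl_conf "$tmp"; then before=0; else before=1; fi
    write_fixed_conf "$tmp"
    echo "== after =="
    if check_ssl_conf "$tmp"; then after=0; else after=1; fi
    rm -f "$tmp"
    [ "$before" -eq 1 ] && [ "$after" -eq 0 ]
}

demo
```

Run it against a real file with `check_ssl_conf /path/to/httpsd.conf`. The lint only reads configuration; after restarting the server, confirm the change took effect from a client whose OpenSSL still speaks SSL V2 (a 2002-era build) with `openssl s_client -ssl2 -connect host:443`, which should now fail to complete a handshake. Any NOTE lines identify the virtual hosts for which Covalent support should be contacted regarding the client certificate issue.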
Covalent customers using client certificate authentication should contact Covalent support for further information. Covalent expects to provide updated SSL modules that will contain the long-term solution for these vulnerabilities.
For additional information, please contact Covalent at firstname.lastname@example.org, or log an incident through your on-line support console.