Article: 100049190
Last published: 2020-12-23
Product(s): NetBackup IT Analytics
Severity
Critical
Description
Security research has disclosed a vulnerability that would allow a low-privileged user on a Windows system to load malicious OpenSSL code. A related vulnerability enables similar access on Linux.
APTARE IT Analytics versions 10.5 and 10.4 may be affected.
Veritas will communicate any new and updated information as soon as we discover and verify it. Questions and comments are welcome and should be directed to Veritas Support.
Action Required
Please refer to the Master Advisory for more details on the security advisory and recommended action.
For further information, see the APTARE IT Analytics Advisory.
Manual Mitigation Steps
The manual steps for mitigation are as follows:
Windows
Aptare 10.4:
- Open a new PowerShell window with the Run as Administrator option.
- If c:\apache24\conf\openssl.cnf is present, ensure that the file is required and the contents are correct. If not, rename the file.
# Rename-Item -Path c:\apache24\conf\openssl.cnf -NewName c:\apache24\conf\openssl.cnf_renamed
- Create c:\apache24\conf if not present
# New-Item -ItemType directory -Path c:\apache24\conf
- Set ACLs so that only Administrator can access the directory c:\apache24\conf\
# $acl = Get-Acl c:\apache24\conf; $acl.SetAccessRuleProtection($true,$false); Set-Acl c:\apache24\conf $acl
- Delete the openssl binary
# Remove-Item -Path c:\opt\apache\bin\openssl.exe
Aptare 10.5 and Newer:
- Open a new PowerShell window with the Run as Administrator option.
- If C:\usr\local\ssl\openssl.cnf is present, ensure that the file is required and the contents are correct. If not, rename the file.
# Rename-Item -Path C:\usr\local\ssl\openssl.cnf -NewName C:\usr\local\ssl\openssl.cnf_renamed
- Create C:\usr\local\ssl if not present
# New-Item -ItemType directory -Path C:\usr\local\ssl
- Set ACLs so that only Administrator can access the directory C:\usr\local\ssl
# $acl = Get-Acl C:\usr\local\ssl; $acl.SetAccessRuleProtection($true,$false); Set-Acl C:\usr\local\ssl $acl
- Delete the openssl binary
# Remove-Item -Path c:\opt\apache\bin\openssl.exe
Linux
- Using a terminal session
# sudo su -
# rm /opt/apache/ssl/bin/openssl
- If the /usr/local/ssl/openssl.cnf file is present, ensure that the file is required and the contents are correct. If not, rename the file.
# mv /usr/local/ssl/openssl.cnf /usr/local/ssl/openssl.cnf_renamed
- Create /usr/local/ssl if not present
# mkdir /usr/local/ssl
- Set permission only for root
# chown -R root:root /usr/local/ssl
# chmod -R o-rwx /usr/local/ssl
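To confirm that the Linux steps above took effect, the following audit function can be used. It is an added example, not Veritas code: the paths are the ones in this advisory, while the function name, the optional ROOT prefix and the OWNER/GROUP overrides are assumptions made so the check can be exercised against a scratch tree.

```shell
#!/bin/sh
# Added example, not Veritas code. Paths come from the advisory's Linux steps.
# Assumptions: the function name, the optional ROOT prefix and the OWNER/GROUP
# overrides are hypothetical, added so the audit can run against a scratch tree.

# audit_mitigation [ROOT] [OWNER] [GROUP]
# Prints one line per finding. Returns 0 if the mitigation holds, 1 otherwise.
audit_mitigation() {
    root=${1:-}; owner=${2:-root}; group=${3:-root}
    ssl_dir="$root/usr/local/ssl"
    bin="$root/opt/apache/ssl/bin/openssl"
    rc=0

    # The bundled openssl binary must be gone.
    if [ -e "$bin" ]; then
        echo "FAIL: $bin is still present"
        rc=1
    fi

    # The directory must exist before its ownership and modes can be checked.
    if [ ! -d "$ssl_dir" ]; then
        echo "FAIL: $ssl_dir does not exist"
        return 1
    fi

    # Every entry in the tree must belong to the expected user and group.
    bad_owner=$(find "$ssl_dir" \( ! -user "$owner" -o ! -group "$group" \) -print)
    if [ -n "$bad_owner" ]; then
        echo "FAIL: not owned by $owner:$group:"
        echo "$bad_owner"
        rc=1
    fi

    # No entry may keep a read, write or execute bit for "other". Symlinks are
    # skipped: on Linux their own mode bits are not used for access checks.
    bad_mode=$(find "$ssl_dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$bad_mode" ]; then
        echo "FAIL: accessible to other users:"
        echo "$bad_mode"
        rc=1
    fi

    # A config file that is still in place needs a human decision, not a failure.
    if [ -e "$ssl_dir/openssl.cnf" ]; then
        echo "REVIEW: $ssl_dir/openssl.cnf present; confirm it is required and correct"
    fi
    return "$rc"
}
```

Sourced in a root shell, audit_mitigation with no arguments checks the live paths and defaults to root:root ownership.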