Operating System - OpenVMS

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

 
John Nebel
Occasional Contributor

SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Is there a patch available for the recent SSL exploits not fixed in the 0.9.8h version built into SWS v2.2?

 

CVE-2010-4180 and CVE-2008-7270

 

John Nebel

Ian Miller.
Honored Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

If you log a call then HP support can tell you and supply the patch if there is one.

____________________
Purely Personal Opinion
Hoff
Honored Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Here's a collection of CVE listings I've collected from recent HP security announcements.

 

CVE-2010-4180 is listed. CVE-2008-7270 is not.

 

Ring up HP support for the official answer.

John Nebel
Occasional Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Hoff,

 

Thanks, I did open a case.

 

Since SWS has its own SSL, SSL V1.4-453 does not fix the CVE-2010-4180 exploit for SWS.

 

Best,

 

John

John Nebel
Occasional Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

Hoff,

 

According to HP these two are not patched and have been referred to engineering.  I've discovered a workaround and that is to turn off the SSLSessionCache.

 

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
SSLSessionCache        none
#SSLSessionCache        shm:logs/ssl_scache(512000)
#SSLSessionCache         dbm:logs/ssl_scache
#SSLSessionCacheTimeout  300

 

Best,

 

John
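An added example, not part of the original post: a small Python check that reads an Apache/mod_ssl configuration and reports whether the SSLSessionCache workaround described above is in effect. The sample fragments are constructed from the directives quoted in the post; the function names are hypothetical, and the script assumes that the last active SSLSessionCache directive is the one the server uses.

```python
import re

# Constructed samples: the directives from the post, before and after the workaround.
BEFORE = """\
#SSLSessionCache        none
SSLSessionCache        shm:logs/ssl_scache(512000)
SSLSessionCacheTimeout  300
"""
AFTER = """\
SSLSessionCache        none
#SSLSessionCache        shm:logs/ssl_scache(512000)
#SSLSessionCache         dbm:logs/ssl_scache
#SSLSessionCacheTimeout  300
"""

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def session_cache_setting(text):
    """Return (value, line) of the last active SSLSessionCache, or (None, None)."""
    found = (None, None)
    for n, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out directive
        # Directive names are case-insensitive; \s+ excludes SSLSessionCacheTimeout.
        m = re.match(r"(?i)sslsessioncache\s+(\S+)", line)
        if m:
            found = (m.group(1), n)  # assumption: a later directive overrides
    return found

def workaround_applied(text):
    """True only when an active directive explicitly sets the cache to none."""
    value, _ = session_cache_setting(text)
    return value is not None and value.lower() == "none"
```

The check covers a single file only; it does not follow Include directives, so run it against each file that can carry SSL settings.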

Hoff
Honored Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

If you are concerned around the status of SSL CVEs within Apache, consider a more detailed investigation into the current status, development plans, and remediation plans for OpenVMS and its web-facing and security-related components.

 

John Nebel
Occasional Contributor

Re: SWS patches for CVE-2010-4180 and CVE-2008-7270 ?

A new Apache ECO is available which incorporates OpenSSL 0.9.8o and is linked from:

 

http://h71000.www7.hp.com/openvms/products/ips/apache/csws_patches.html

John Nebel