KB-6030: Do the CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195 and CVE-2015-3196 vulnerabilities affect DirectControl?

Centrify DirectControl

29 December 2015 at 04:29 PM

Applies to:

All versions of Centrify DirectControl

Question:

Do the following Common Vulnerabilities and Exposures (CVEs) apply to Centrify DirectControl, and if so, how will Centrify handle them?

CVE-2015-1794 - ssl3_get_key_exchange function denial of service (segmentation fault)
CVE-2015-3193 - Montgomery squaring implementation mishandles carry propagation
CVE-2015-3194 - crypto/rsa/rsa_ameth.c in OpenSSL allows remote attackers to cause a denial of service
CVE-2015-3196 - ssl/s3_clnt.c when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure
CVE-2015-3195 - ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c mishandles errors caused by malformed X509_ATTRIBUTE data

Answer:

1. Centrify confirms that the Common Vulnerabilities and Exposures listed below do not affect Centrify DirectControl, for the following reason:

CVE-2015-1794
CVE-2015-3193
CVE-2015-3194
CVE-2015-3196

The above CVEs affect OpenSSL 1.0.x, but do NOT affect OpenSSL 0.9.8, which is the version currently used by Centrify DirectControl Suite 2015.1 and 2016.


2. Centrify confirms that vulnerability CVE-2015-3195 does not affect Centrify DirectControl, for the following reason:

CVE-2015-3195 affects OpenSSL 0.9.8 releases earlier than 0.9.8zh.
Centrify DirectControl Suite 2015.1 uses OpenSSL 0.9.8zf.
Centrify DirectControl Suite 2016 uses OpenSSL 0.9.8zg.

In addition, this CVE only affects applications that need to read Public-Key Cryptography Standards #7 (PKCS#7) and Cryptographic Message Syntax (CMS) data.

A malformed X509_ATTRIBUTE in such data may cause the parsing client to crash (denial of service). Centrify DirectControl does not read PKCS#7 or CMS data and is therefore NOT affected.
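The two reasons above amount to a version-range check and a code-path check. The following script is an added example, not Centrify's code or part of the original article: it encodes only what the article states (four CVEs apply to the 1.0.x branch, for which the article names no fixed release; CVE-2015-3195 applies to 0.9.8 before 0.9.8zh and only to code that parses PKCS#7/CMS data) and compares OpenSSL letter-suffixed version strings correctly, so that 0.9.8zf and 0.9.8zg sort before 0.9.8zh. The version strings and the "parses PKCS#7/CMS" flag are inputs you supply from your own inventory; the sample values in the `__main__` block are constructed from the article, and the 1.0.2d entry is a hypothetical contrast case.

```python
"""Check OpenSSL version strings against the applicability statements in KB-6030.

Added example, not Centrify's code. It encodes only what the article states:
four CVEs affect the 1.0.x branch (the article gives no fixed 1.0.x release),
CVE-2015-3195 affects 0.9.8 before 0.9.8zh and only matters to code that
parses PKCS#7/CMS data.
"""
import re

# OpenSSL 0.9.8/1.0.x patch releases carry a letter suffix ordered
# "" < a < b < ... < z < za < zb < ... < zh.  Map that order to an integer.
def suffix_rank(suffix: str) -> int:
    rank = 0
    for ch in suffix:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def parse_version(text: str) -> tuple:
    """'0.9.8zf' -> (0, 9, 8, rank('zf')); tuples compare with < and >=."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), suffix_rank(suffix))

def branch_of(version: tuple) -> str:
    """Collapse a parsed version to the branch names the article uses."""
    if version[:3] == (0, 9, 8):
        return "0.9.8"
    if version[:2] == (1, 0):
        return "1.0"
    return "other"

# Applicability exactly as the article states it.  "fixed_in" is given only
# where the article names a fixed release.
ADVISORIES = {
    "CVE-2015-1794": {"branches": {"1.0"}},
    "CVE-2015-3193": {"branches": {"1.0"}},
    "CVE-2015-3194": {"branches": {"1.0"}},
    "CVE-2015-3196": {"branches": {"1.0"}},
    "CVE-2015-3195": {
        "branches": {"1.0", "0.9.8"},
        "fixed_in": {"0.9.8": "0.9.8zh"},
        "needs_pkcs7_or_cms": True,
    },
}

def assess(version_text: str, cve: str, parses_pkcs7_or_cms: bool = True) -> str:
    """Classify one (version, CVE) pair using the article's statements."""
    version = parse_version(version_text)
    adv = ADVISORIES[cve]
    branch = branch_of(version)
    if branch not in adv["branches"]:
        return "not affected: branch not listed"
    fixed = adv.get("fixed_in", {}).get(branch)
    if fixed is not None and version >= parse_version(fixed):
        return f"not affected: fixed in {fixed}"
    if adv.get("needs_pkcs7_or_cms") and not parses_pkcs7_or_cms:
        return "not affected: PKCS#7/CMS parsing code path not used"
    if fixed is None:
        return "affected per article (fixed release not stated; see OpenSSL advisory)"
    return f"affected: earlier than {fixed}"

def assess_all(version_text: str, parses_pkcs7_or_cms: bool = True) -> dict:
    """Verdict for every CVE in the article for one OpenSSL build."""
    return {cve: assess(version_text, cve, parses_pkcs7_or_cms) for cve in ADVISORIES}

if __name__ == "__main__":
    # Constructed sample inputs: the versions the article names for each suite
    # (neither parses PKCS#7/CMS), plus a hypothetical 1.0.2 build for contrast.
    for label, ver, parses in [
        ("Suite 2015.1", "0.9.8zf", False),
        ("Suite 2016", "0.9.8zg", False),
        ("hypothetical 1.0.2 build", "1.0.2d", True),
    ]:
        print(f"== {label}: OpenSSL {ver}")
        for cve, verdict in assess_all(ver, parses).items():
            print(f"  {cve}: {verdict}")
```

The point of the suffix ranking is that a naive string comparison gets 0.9.8 releases wrong ("0.9.8zh" would not sort above "0.9.8z" in every scheme, and "0.9.8" with no suffix must sort lowest); the same `assess` function yields "affected" for 0.9.8zf as soon as the PKCS#7/CMS flag is true, which is exactly the distinction the article relies on.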


3. Centrify plans to upgrade to the latest OpenSSL 1.0.2x release in an upcoming version of DirectControl.

Additional information on the specifics of the listed CVEs can be found at the following websites: https://web.nvd.nist.gov and https://www.openssl.org/news/secadv/20151203.txt
