Do CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195 and CVE-2015-3196 vulnerabilities affect DirectControl?
Applies to:
All versions of Centrify DirectControl
Question:
Do the following Common Vulnerabilities and Exposures (CVEs) apply to Centrify DirectControl and, if so, how is Centrify going to handle them?
CVE-2015-1794 - ssl3_get_key_exchange function denial of service (segmentation fault)
CVE-2015-3193 - Montgomery squaring implementation mishandles carry propagation
CVE-2015-3194 - crypto/rsa/rsa_ameth.c in OpenSSL allows remote attackers to cause a denial of service
CVE-2015-3196 - ssl/s3_clnt.c, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure
CVE-2015-3195 - ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c mishandles errors caused by malformed X509_ATTRIBUTE data
Answer:
1. Centrify confirms that the CVEs listed in the question, other than CVE-2015-3195 (addressed in point 2), will not affect Centrify DirectControl for the following reason:
These CVEs affect OpenSSL 1.0.x but do NOT affect OpenSSL 0.9.8, which is the version currently in use by Centrify DirectControl Suite 2015.1 and 2016.
2. Centrify confirms that vulnerability CVE-2015-3195 will not affect Centrify DirectControl for the following reason:
CVE-2015-3195 affects OpenSSL 0.9.8 releases earlier than 0.9.8zh. Centrify DirectControl Suite 2015.1 uses OpenSSL 0.9.8zf; Centrify DirectControl Suite 2016 uses OpenSSL 0.9.8zg.
In addition, this CVE only affects applications that read Public-Key Cryptography Standards #7 (PKCS#7) and Cryptographic Message Syntax (CMS) data, where a malformed X509_ATTRIBUTE may cause the client to crash (denial of service). Centrify DirectControl does not read such data and is therefore NOT affected.
3. Centrify plans to upgrade to the latest 1.0.2x version in an upcoming release.
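The assessment in point 2 rests on comparing the OpenSSL build a product ships (0.9.8zf, 0.9.8zg) against the first fixed release of its branch (0.9.8zh). Letter-suffixed OpenSSL versions do not sort correctly as plain version numbers, so the following added example (not Centrify's code) shows a small parser and comparison that handles that scheme, including output in the form printed by `openssl version`. The only data taken from this article is the 0.9.8zh fix version for CVE-2015-3195 and the two DirectControl build versions; the date in the sample `openssl version` line is constructed. Note that this check only tells you whether the library build is in the affected range; the article's second argument, that DirectControl never exercises the PKCS#7/CMS parsing path, is a code-path question this check cannot answer.

```python
"""
Compare OpenSSL version strings of the pre-1.1 letter-suffix form
(e.g. "0.9.8zf", "1.0.2d") against the first fixed release of a branch.

Added example, not code from the KB article or from Centrify. The fix
version table below holds only what the article states for CVE-2015-3195.
"""
import re
from typing import Dict, NamedTuple, Optional

# Matches "0.9.8zh", "1.0.2d" or "1.0.1" and tolerates trailing text such
# as "-fips" or the build date that `openssl version` prints afterwards.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    letters: str  # "" < "a" < ... < "z" < "za" < ... < "zh" in the 0.9.8 line

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}.{self.fix}"


def parse_version(text: str) -> OpenSSLVersion:
    """Parse a bare version string or a full `openssl version` output line.

    Tuple ordering of the result gives the right answer for the letter
    scheme: lexicographic comparison of the suffix puts "z" before "za"
    and "zf" before "zh". Raises ValueError on unrecognised input.
    """
    text = text.strip()
    if text.startswith("OpenSSL "):
        text = text.split()[1]
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letters = match.groups()
    return OpenSSLVersion(int(major), int(minor), int(fix), letters)


# First fixed release per branch for CVE-2015-3195, taken from the article.
# Other branches are deliberately absent: the article gives no fix version
# for them, so the check reports "not assessed" rather than guessing.
FIRST_FIXED_CVE_2015_3195: Dict[str, OpenSSLVersion] = {
    "0.9.8": parse_version("0.9.8zh"),
}


def library_affected(version_text: str,
                     first_fixed: Dict[str, OpenSSLVersion]) -> Optional[bool]:
    """True if the build predates the first fixed release of its branch,
    False if it is at or after that release, None if the branch is not in
    the table (no statement can be made from the available data)."""
    version = parse_version(version_text)
    fixed = first_fixed.get(version.branch)
    if fixed is None:
        return None
    return version < fixed


if __name__ == "__main__":
    # The two DirectControl builds named in the article, plus a constructed
    # `openssl version` line to show the full-output form is accepted.
    builds = {
        "DirectControl Suite 2015.1": "0.9.8zf",
        "DirectControl Suite 2016": "0.9.8zg",
        "sample openssl version output": "OpenSSL 0.9.8zh 1 Jan 2000",
    }
    for name, text in builds.items():
        verdict = library_affected(text, FIRST_FIXED_CVE_2015_3195)
        state = {True: "library build in affected range",
                 False: "library build at or after fix",
                 None: "branch not assessed"}[verdict]
        print(f"{name}: {parse_version(text)} -> {state}")
```

Running the block reports both DirectControl builds as library builds inside the affected range for CVE-2015-3195, which is consistent with the article: its conclusion that the product is unaffected comes from the unused PKCS#7/CMS code path, not from the library version.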
Additional information on the specifics of the listed CVEs can be found at the following websites: https://web.nvd.nist.gov and https://www.openssl.org/news/secadv/20151203.txt