Applies to: All versions of Centrify DirectControl
Does the following Common Vulnerabilities and Exposures apply to Centrify DirectControl and if so how is Centrify going to handle them?
ASN.1 BIO excessive memory allocation (CVE-2016-2109)
Memory corruption in the ASN.1 encoder (CVE-2016-2108)
Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
EVP_EncryptUpdate overflow (CVE-2016-2106)
EVP_EncodeUpdate overflow (CVE-2016-2105)
EBCDIC overread (CVE-2016-2176)
(1) Openssl.org did not mention if 0.9.8 releases are at risk, given 0.9.8 is EOL'd 12/31/2015.
(2) Suite 2016.1 will upgrade to openssl 1.0.2g.
CVE-2016-2108 is no longer issue (fixed in 1.0.2c)
CVE-2016-2107 is rated high risk. we will apply patch to 1.0.2g for Suite 2016.1.
For the rest low risk issues, we will upgrade to openssl 1.0.2h or higher in later releases.