Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-6864: Do CVE-2016-2109, CVE-2016-2108, CVE-2016-2107,CVE-2016-2106, CVE-2016-2105, CVE-2016-2176 vulnerabilities affect Centrify DirectControl?

5 May,16 at 09:44 AM

Applies to: All versions of Centrify DirectControl

Question:

Does the following Common Vulnerabilities and Exposures apply to Centrify DirectControl and if so how is Centrify going to handle them?

 
ASN.1 BIO excessive memory allocation (CVE-2016-2109)
Memory corruption in the ASN.1 encoder (CVE-2016-2108)
Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
EVP_EncryptUpdate overflow (CVE-2016-2106)
EVP_EncodeUpdate overflow (CVE-2016-2105)
EBCDIC overread (CVE-2016-2176)

Answer:

(1) Openssl.org did not mention if 0.9.8 releases are at risk, given 0.9.8 is EOL'd 12/31/2015.

(2) Suite 2016.1 will upgrade to openssl 1.0.2g. 

CVE-2016-2108 is no longer issue (fixed in 1.0.2c)
CVE-2016-2107 is rated high risk. we will apply patch to 1.0.2g for Suite 2016.1.

For the rest low risk issues, we will upgrade to openssl 1.0.2h or higher in later releases.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

No related Articles