U2 Security Bulletin – Impact of OpenSSL Vulnerability CVE-2022-0778 in Rocket U2 Products

The Rocket MultiValue U2 team has evaluated the OpenSSL infinite loop vulnerability (CVE-2022-0778) since U2 products incorporate OpenSSL. OpenSSL versions prior to 1.0.2zd, 1.1.1n and 3.0.2 are susceptible to this vulnerability.

This vulnerability could cause the OpenSSL library to enter an infinite loop while parsing an invalid certificate, creating the possibility of a Denial-of-Service (DoS) attack on the impacted Rocket U2 products. An attacker does not need a verified certificate to exploit this vulnerability, because parsing a bad certificate triggers the infinite loop before the verification process is completed.
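As an added example (not Rocket's or OpenSSL's code), the following Python check classifies a string in the format printed by `openssl version` against the fixed releases named above. It assumes the string reflects an unmodified upstream release and treats any 0.x/1.x branch other than 1.0.2 and 1.1.1 as affected; the function names are illustrative.

```python
import re

# Fixed releases named in the bulletin, keyed by 1.x release branch.
FIXED_1X = {(1, 0, 2): "zd", (1, 1, 1): "n"}
FIXED_3X = (3, 0, 2)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, patch, letters) from `openssl version` style text."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def letter_key(letters):
    # 1.x letter releases run a..z, then za, zb, ...; shorter suffixes sort first,
    # so "" < "n" < "z" < "za" < "zd".
    return (len(letters), letters)


def is_affected(text):
    """Return True if the version predates the CVE-2022-0778 fix for its branch."""
    major, minor, patch, letters = parse_openssl_version(text)
    if major >= 3:
        # 3.x uses plain numeric versions with no letter suffix.
        return (major, minor, patch) < FIXED_3X
    fixed = FIXED_1X.get((major, minor, patch))
    if fixed is None:
        # Assumption: an older branch with no fixed release listed is affected.
        return True
    return letter_key(letters) < letter_key(fixed)


if __name__ == "__main__":
    # Constructed sample strings in the format printed by `openssl version`.
    samples = [
        "OpenSSL 1.0.2k-fips  26 Jan 2017",
        "OpenSSL 1.0.2zd  15 Mar 2022",
        "OpenSSL 1.1.1k  25 Mar 2021",
        "OpenSSL 1.1.1n  15 Mar 2022",
        "OpenSSL 3.0.1 14 Dec 2021",
        "OpenSSL 3.0.2 15 Mar 2022",
    ]
    for s in samples:
        print(f"{s:36} affected={is_affected(s)}")
```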

Impact to U2

UniVerse, UniData and U2 Common Clients are impacted by this vulnerability as they use OpenSSL versions prior to 1.0.2zd, 1.1.1n and 3.0.2.

  • All versions and builds of UniVerse
  • All versions and builds of UniData
  • All versions and builds of U2 Common Clients

Solution

The OpenSSL Software Foundation fixed this vulnerability in OpenSSL 1.0.2zd, 1.1.1n and 3.0.2.

Because OpenSSL 1.0.2 reached the EOL stage at the end of 2019, we have no plan to upgrade older versions of UniVerse, UniData and U2 Common Client that use OpenSSL 1.0.2. Our plan is to upgrade the versions of UniVerse, UniData and U2 Common Client using OpenSSL 1.1.1 to 1.1.1n.

We highly recommend that customers using UniVerse 11.3.1 and earlier or UniData 8.2.1 and earlier upgrade to the latest versions to benefit from the fixes.

Affected Products    Affected Versions     Fix In Version                                   Release Date
-------------------  --------------------  -----------------------------------------------  --------------
UniVerse             11.3.1 and earlier    No plan to fix in 11.3.1 or earlier versions.
                     11.3.2                11.3.2.7010                                      June 13, 2022
                     11.3.3                11.3.3.8001                                      June 3, 2022
                     11.3.4                11.3.4.9005                                      June 1, 2022
                     12.1.1                12.2.1                                           August, 2022
UniData              8.2.1 and earlier     No plan to fix in 8.2.1 or earlier versions.
                     8.2.2                 8.2.2.1003                                       June, 2022
                     8.2.3                 8.2.3.2003                                       June, 2022
U2 Common Clients    5.2.1 and earlier     5.3.0                                            August, 2022

If you’re running UniVerse or UniData, please plan an upgrade! If your maintenance contract is current, please visit RBC to download the fixed version. If your maintenance contract has lapsed, please contact your Rocket sales rep and we’ll help you get current.

Shuangfeng Han

As the U2 Quality Manager, he works closely with the U2 development team in Dalian, China. He's been working in the MultiValue industry for 9 years, mainly focusing on U2 releases and quality. Outside of work, he's interested in watching soccer games, BBQ and beer, and going on outings with his family.
