DataDirect ODBC and OpenSSL vulnerabilities CVE-2018-0734 and CVE-2018-0735

Article Number: 000114217

Environment
Product: Connect64 for ODBC drivers
Version: 07.16.x
OS: All supported platforms
Database: All supported databases
Application: All supported applications
Question/Problem Description
Are the drivers affected by the OpenSSL vulnerabilities below?
If so, is there any remediation available?
Since these are low priority, OpenSSL has not published a new build for them. Does Progress have any plans in place regarding an OpenSSL upgrade?


CVE-2018-0734 https://www.openssl.org/news/secadv/20181030.txt
CVE-2018-0735 https://www.openssl.org/news/secadv/20181029.txt
Resolution

The default OpenSSL library version has been updated to 1.0.2r, which fixes the 
following security vulnerabilities:

* Timing vulnerability in DSA signature generation (CVE-2018-0734)

A newer version of the OpenSSL library, 1.1.1d, is now installed with the
product. In addition to fixing multiple new vulnerabilities, version 1.1.1d 
also addresses the vulnerabilities resolved by version 1.0.2r.


The default version of the OpenSSL library, 1.0.2r, has reached the end of its
product life-cycle and has been upgraded to version 1.1.1d. In addition to
receiving full update support, version 1.1.1d fixes the following security
vulnerabilities:

* Timing vulnerability in ECDSA signature generation (CVE-2018-0735) 
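
A way to confirm which OpenSSL level an installed driver actually carries, as an added example that is not from Progress or the original article: it scans library bytes for the OpenSSL 1.x version banner and compares the result with the 1.0.2r and 1.1.1d levels named above. The sample bytes are constructed, and the path given to `scan_file` is an assumption: use whichever OpenSSL library file your driver installation ships, since the article does not name it.

```python
import re

# Fix levels per OpenSSL branch, as named in the article above.
ARTICLE_LEVEL = {"1.0.2": "r", "1.1.1": "d"}
# The article states the 1.0.2 line has reached end of life.
END_OF_LIFE = {"1.0.2"}

# OpenSSL 1.x embeds a banner such as "OpenSSL 1.1.1d  10 Sep 2019" in libcrypto.
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")


def find_openssl_versions(blob):
    """Return the sorted, de-duplicated (branch, letter) pairs found in blob."""
    hits = {(m.group(1).decode(), m.group(2).decode()) for m in BANNER.finditer(blob)}
    return sorted(hits)


def letter_rank(letters):
    """Order 1.x patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def assess(branch, letters):
    """Classify one version against the levels the article names."""
    level = ARTICLE_LEVEL.get(branch)
    if level is None:
        return "unlisted"  # branch the article does not mention
    if letter_rank(letters) < letter_rank(level):
        return "outdated"
    return "end-of-life" if branch in END_OF_LIFE else "current"


def scan_file(path):
    """Read a library from disk and classify every banner found in it."""
    with open(path, "rb") as fh:
        return [(b, l, assess(b, l)) for b, l in find_openssl_versions(fh.read())]


# Constructed sample bytes standing in for two library files (not real binaries).
SAMPLE = (b"\x7fELF\x00junk\x00OpenSSL 1.0.2p  14 Aug 2018\x00more\x00"
          b"OpenSSL 1.1.1d  10 Sep 2019\x00OpenSSL 1.1.1d  10 Sep 2019\x00")

if __name__ == "__main__":
    for branch, letters in find_openssl_versions(SAMPLE):
        print(f"OpenSSL {branch}{letters}: {assess(branch, letters)}")
```

An "end-of-life" result means the library is at or above 1.0.2r but still on the branch the article says has been replaced by 1.1.1d.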


 

Notes
References to other documentation:
Refer to the DataDirect ReadMe files: https://www.progress.com/documentation/datadirect-connectors
 
Last Modified Date: 3/27/2020 6:17 AM