KB Article | Forcepoint Support

Problem Description

KBA Severity
CVE-2018-0734 – Medium
CVE-2019-1559 – Medium

CVE Numbers

KBA Summary
OpenSSL vulnerabilities.
Affected Products
Forcepoint Sidewinder

KBA Detailed Information
The following descriptions are from NIST.

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

CVE References


Hotfix and Information About Other Fixes

The following patches are available to resolve these vulnerabilities:
 Sidewinder 8.3.2
CVE-2018-07347.0.1.03E1268.3.2E182* or 8.3.2P12
CVE-2019-1559* or 8.3.2P12
*indicates patch is obsoleted by a newer patch

Sidewinder download information
User name:     atl-963845ro
User password: 34bT4hF3AFJn
Server name:   csftp.us.stonesoft.com

Article Feedback

Thank you for the feedback and comments.