Systemwalker Runbook Automation: Vulnerability in processing ofChangeCipherSpec messages in OpenSSL(CVE-2014-0224). June 13th, 2014
1. Description
In In the case of the following functions and conditions of Systemwalker Runbook Automation, a vulnerability problem exists in handling the messages of Change Cipher Spec in OpenSSL.
- The version and level of Systemwalker Runbook Automation is one of following, and
- V14.1.0 or,
- V14.1.0A
- Using "Perform REST-based communication" Operation Components, and
- "https" has been specified in "protocoltype" option. and
- The Managed Server taking REST-based communication uses the following version of OpenSSL. <<ul class="list-a">
- 1.0.1 through 1.0.1g
Or,
- Creating Operation Components with using "rest_request" or "rest_request_basic" communication library, and
- "https" has been specified in "protocoltype" option. and
- The Managed Server taking REST-based communication uses the following version of OpenSSL.
- 1.0.1 through 1.0.1g
The workaround shown in 3-3. are provided, and Fujitsu requests that these be applied promptly.
2. Impact
The communication data of Systemwalker Runbook Automation can be decoded or falsified by man-in-the-middle attack.
Please refer to the public information of JVN described in "4. Related information" for the severity of this vulnerability.
3. Affected systems and corresponding action
3-1. Affected systems:
PRIMERGY, GP5000, PRIMEQUEST, CELSIUS, FMV
| Products | Version | Target OS | Package name | Patch ID. |
|---|---|---|---|---|
| Systemwalker Runbook Automation | 14.1.0/14.1.0A | Windows Server 2003 R2(x86)/ Windows Server 2003 R2(x64)/ Windows Server 2008(x86)/ Windows Server 2008(x64)/ Windows Server 2008 R2(x86)/ Windows Server 2008 R2(x64) | - | Pending* |
| Systemwalker Runbook Automation | 15.0.0/15.0.0A | Windows Server 2003 R2(x86)/ Windows Server 2003 R2(x64)/ Windows Server 2008(x86)/ Windows Server 2008(x64)/ Windows Server 2008 R2(x86)/ Windows Server 2008 R2(x64)/ Windows Small Business Server 2011 | - | Pending* |
| Systemwalker Runbook Automation | 15.0.0 | RHEL5(for x86)/ RHEL5(for Intel64)/ RHEL6(for x86)/ RHEL6(for Intel64) | - | Pending* |
| Systemwalker Runbook Automation | 15.1.0 | Windows Server 2003 R2(x86)/ Windows Server 2003 R2(x64)/ Windows Server 2008(x86)/ Windows Server 2008(x64)/ Windows Server 2008 R2(x86)/ Windows Server 2008 R2(x64)/ Windows Small Business Server 2011 | - | Pending* |
| Systemwalker Runbook Automation | 15.1.0 | RHEL5(for x86)/ RHEL5(for Intel64)/ RHEL6(for x86)/ RHEL6(for Intel64) | - | Pending* |
| Systemwalker Runbook Automation | 15.1.1 | Windows Server 2003 R2(x86)/ Windows Server 2003 R2(x64)/ Windows Server 2008(x86)/ Windows Server 2008(x64)/ Windows Server 2008 R2(x86)/ Windows Server 2008 R2(x64)/ Windows Small Business Server 2011 | - | Pending* |
| Systemwalker Runbook Automation | 15.1.1 | RHEL5(for x86)/ RHEL5(for Intel64)/ RHEL6(for x86)/ RHEL6(for Intel64) | - | Pending* |
| Systemwalker Runbook Automation | 15.1.2 | Windows Server 2003 R2(x86)/ Windows Server 2003 R2(x64)/ Windows Server 2008(x86)/ Windows Server 2008(x64)/ Windows Server 2008 R2(x86)/ Windows Server 2008 R2(x64)/ Windows Server 2012 (x64)/ Windows Small Business Server 2011 | - | Pending* |
| Systemwalker Runbook Automation | 15.1.2 | RHEL5(for x86)/ RHEL5(for Intel64)/ RHEL6(for x86)/ RHEL6(for Intel64) | - | Pending* |
| Systemwalker Runbook Automation | 15.1.3 | Windows Server 2003 R2(x86)/ Windows Server 2003 R2(x64)/ Windows Server 2008(x86)/ Windows Server 2008(x64)/ Windows Server 2008 R2(x86)/ Windows Server 2008 R2(x64)/ Windows Server 2012 (x64)/ Windows Server 2012 R2(x64)/ Windows Small Business Server 2011 | - | Pending* |
| Systemwalker Runbook Automation | 15.1.3 | RHEL5(for x86)/ RHEL5(for Intel64)/ RHEL6(for x86)/ RHEL6(for Intel64) | - | Pending* |
For the solution, please refer to the following "3-3. Workaround".
Note: Determining the affected product
How to confirm the version level of the product which you are using is as below.
How to confirm the version level of the product:
If the server is Windows:
- From the Start menu, select All Programs or All Applications, Fujitsu, Uninstallation and Management(middleware).
- Confirm the version level of Systemwalker Runbook Automation.
Or,
- Double-click Add/Remove Programs or Add or Remove Programs in Control Panel.
- Confirm the version level of Systemwalker Runbook Automation.
If the server is Linux:
- Confirm the version level by Uninstallation and Management(middleware).
Run the following command from the Console.
# /opt/FJSVcir/cir/bin/cimanager.sh -c
Or,
- Run the following command from the Console.
The package name can be confirmed in Release Note.
# rpm -iq package-name
Example: When you confirm the version level of Manager:
# rpm -iq FJSVswrbam
3-3. Workaround
- To avoid the influence, the version of OpenSSL for Managed Server using REST communication can be changed to the following,
- 1.0.1h or later
4. Related information
- National Vulnerability Database (NVD): CVE-2014-0224
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224
5. Revision history
- June 13th, 2014: Initial release
