#28 Critical Fix: JADE 6.3 & 7.0 OpenSSL vulnerability

Technical and operational updates for all users of JADE, including Jade Source Bulletins
User avatar
Jade Support
Posts: 103
Joined: Mon Aug 17, 2009 10:27 am
Location: Jade Software Corporation, Christchurch

#28 Critical Fix: JADE 6.3 & 7.0 OpenSSL vulnerability

Postby Jade Support » Thu Apr 10, 2014 3:53 pm

This information is relevant to users running JADE 6.3.10 and later, including all 7.0 releases.

A security vulnerability, which could be utilised to provide access to sensitive data, has been identified in the third party OpenSSL libraries used by JADE to encrypt connections between nodes.

The following hot-fixes address this issue and should be applied as soon as possible:
  • 7.0.08.028
    7.0.07.052
    6.3.12.011
    6.3.11.014
    6.3.10.035
It is also recommended that after applying this hot-fix the existing X.509 certificates should be revoked and new ones issued since they may have been compromised.

JADE 6.3.09 and earlier versions are not affected by this.

Details of Hotfixes
The hot-fixes contain a recompilation of the latest OpenSSL 1.0.1g source code suitable for use with JADE.

The SSL libraries are not part of the JADE binaries, therefore changes are not automatically downloaded to thin clients. Therefore the INI file setting [JadeAppServer].DownLoadVersion should be changed on the app server to force the download. Refer to 'Appendix B Upgrading Software on Presentation Clients' in the 'JADE Thin Client Guide' for more information, available here: http://www.jade.co.nz/docs/jade/Default ... lients.htm.

Further information on SSL security in JADE, including handling certificates, can be found in the section 'Secure Sockets Layer (SSL) Security' in 'Chapter 2 JADE Security' of the 'JADE Object Manager Guide', available here: http://www.jade.co.nz/docs/jade/Default ... curity.htm. Revoking and re-issuing X.509 certificates is the responsibility of the system administrator and the process to follow depends on the Certificate Authority used. It is outside the scope of JADE Support. The sample certificates supplied with JADE should never be used in a production environment.


Details of Vulnerability
The vulnerability is known as the 'TLS heartbeat read overrun' (CVE-2014-0160) and further details are available here: If you have any further questions, please contact JADE Support.
Last edited by Jade Support on Thu Apr 10, 2014 3:54 pm, edited 1 time in total.
Reason: Correct bulletin number
Jade Support
Jade Software Corporation Ltd

Email: jadesupport@jadeworld.com
Web: http://www.jadeworld.com

Jade Software – complex business problems solved beautifully.

allistar
Posts: 156
Joined: Fri Aug 14, 2009 11:02 am
Location: Mount Maunganui, Tauranga

Re: #28 Critical Fix: JADE 6.3 & 7.0 OpenSSL vulnerability

Postby allistar » Fri Apr 11, 2014 9:18 am

At this time (9:20am, 11 April 2014) hot fix 14 for 6.3.11 isn't available on PARSYS. Can you please indicate when this will be available for download?

Thanks,
Allistar.

User avatar
Jade Support
Posts: 103
Joined: Mon Aug 17, 2009 10:27 am
Location: Jade Software Corporation, Christchurch

Re: #28 Critical Fix: JADE 6.3 & 7.0 OpenSSL vulnerability

Postby Jade Support » Fri Apr 11, 2014 9:53 am

Hot fix 6.3.11.014 is now available on PARSYS.
Jade Support
Jade Software Corporation Ltd

Email: jadesupport@jadeworld.com
Web: http://www.jadeworld.com

Jade Software – complex business problems solved beautifully.


Return to “Jade Support Bulletins”

Who is online

Users browsing this forum: No registered users and 2 guests