Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-1943913.1
Update Date: 2017-10-03
Keywords:

Solution Type  Technical Instruction Sure

Solution 1943913.1 : Oracle Key Manager (OKM) - List of Security Vulnerabilities (CVEs) Resolved in OKM 2.5.3


Related Items
  • Oracle Key Manager
Related Categories
  • PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption

In this Document
Goal
Solution


Applies to:

Oracle Key Manager - Version 2.5.2 and later
Information in this document applies to any platform.

Goal

What security vulnerabilities (CVEs) are resolved in Oracle Key Manager 2.5.3?

Solution

OKM 2.5.3 includes OpenSSL 0.9.8za. This version of OpenSSL resolves the Common Vulnerabilities and Exposures (CVEs) listed below:

CVES ADDRESSED IN OPENSSL THAT IS IN THIS RELEASE

CVE-2010-5298 - SSL_MODE_RELEASE_BUFFERS session injection or denial of service
CVE-2014-0076 - Fix for the attack described in the paper “Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack”
CVE-2014-0195 - DTLS invalid fragment vulnerability
CVE-2014-0198 - SSL_MODE_RELEASE_BUFFERS Null pointer dereference
CVE-2014-0221 - DTLS recursion flaw
CVE-2014-0224 - SSL/TLS Man-in-the-Middle vulnerability
CVE-2014-3470 - Anonymous ECDH denial of service


OKM 2.5.3 includes fixes for a GNU Bash bug commonly referred to as “Shellshock”. These fixes resolve the CVEs listed below:

CVES ADDRESSED IN GNU BASH FIXES THAT ARE IN THIS RELEASE

CVE-2010-6271 - GNU Bash processes trailing strings after function definitions in the values of environment variables
CVE-2014-6277 - GNU Bash does not properly parse function definitions in the values of environment variables
CVE-2014-6278 - GNU Bash does not properly parse function definitions in the values of environment variables
CVE-2014-7169 - GNU Bash processes trailing strings after certain malformed function definitions in the values of environment variables
CVE-2014-7186 - The redirection implementation in parse.y allows remote attackers to cause a denial of service or have other impact
CVE-2014-7187 - Off-by-one error in the read_token_word function in parse.y

Please refer to the following document for instructions on downloading Oracle Key Manager software:

How to download Oracle Key Manager gui and firmware software (Doc ID 1369030.1)


Copyright © 2018 Oracle, Inc. All rights reserved.