JSA10396 - Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) - OpenSSL - Incorrect checks for malformed signatures on DSA and ECDSA keys used with SSL/TLS on backend servers. CVE-2008-5077.

Information

 
Product Affected
SA 500, SA 700, SA 1000, SA 2000, SA 2500, SA 3000, SA 4000, SA 4500, SA 5000, SA 6000, SA 6500, IC4000, IC4500, IC6000, IC6500
Problem
Several functions inside OpenSSL incorrectly checked the result after calling the EVP_VerifyFinal function, allowing a malformed signature to be treated as a good signature rather than as an error. The issue can only occur when the PCS or PPS acts as an SSL client, which happens only when it communicates through the internal port with a backend web or ldaps server.

The issue above could only occur from the internal port of the PCS or PPS to the backend server.
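The flawed return-value check described above, next to a strict one, as an added example that is not code from this advisory or from OpenSSL. It relies on the documented EVP_VerifyFinal convention (1 = valid, 0 = invalid, -1 = other error); the stub function, the enum and the mapping of a malformed signature to -1 are assumptions made so the example runs without OpenSSL.

```c
#include <stdio.h>

/* Constructed inputs: the three outcomes a verifier has to tell apart. */
enum sig_input { SIG_GOOD, SIG_WRONG, SIG_MALFORMED };

/* Hypothetical stand-in for EVP_VerifyFinal(), mimicking its documented
 * tri-state result: 1 = signature valid, 0 = signature invalid,
 * -1 = some other error (assumed here for a malformed signature). */
static int verify_final_stub(enum sig_input s)
{
    switch (s) {
    case SIG_GOOD:  return 1;
    case SIG_WRONG: return 0;
    default:        return -1;
    }
}

/* Flawed pattern: treats the result as a boolean. Only 0 is rejected,
 * so the -1 error return falls through and is accepted. */
int accept_flawed(enum sig_input s)
{
    int rc = verify_final_stub(s);
    if (!rc)
        return 0;   /* rejected */
    return 1;       /* accepted, including rc == -1 */
}

/* Strict pattern: anything other than exactly 1 is a failure. */
int accept_fixed(enum sig_input s)
{
    int rc = verify_final_stub(s);
    return rc == 1;
}

int main(void)
{
    static const char *names[] = { "good", "wrong", "malformed" };
    for (int i = SIG_GOOD; i <= SIG_MALFORMED; i++)
        printf("%-9s flawed=%d fixed=%d\n", names[i],
               accept_flawed((enum sig_input)i),
               accept_fixed((enum sig_input)i));
    return 0;
}
```

When auditing client code for this class of bug, look for verification results tested with `!rc` or `if (rc)` instead of a comparison against 1.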
Solution
Upgrading to one of the following releases, or a later one, is recommended:

PCS:
6.0R10
6.1R7
6.2R4
6.3R3

PPS:
2.2R4
Risk Assessment
The issue could only occur from the internal port of the PCS or PPS to the backend server. This issue will only affect the signature checks on DSA and ECDSA keys used with SSL/TLS to the backend server.
Alert Type
PSN - Product Support Notification
Risk Level
Low
Legacy ID
PSN-2009-02-213, JSA10396
