
U2 Security Bulletin - Impact of OpenSSL Vulnerability CVE-2022-0778 in Rocket U2 Products

Shuangfeng Han

June 28, 2022

The Rocket MultiValue U2 team has evaluated the OpenSSL infinite-loop vulnerability CVE-2022-0778, because U2 products incorporate OpenSSL. OpenSSL versions prior to 1.0.2zd, 1.1.1n and 3.0.2 are susceptible to this vulnerability.

The flaw is in the BN_mod_sqrt() function, which can loop forever when asked to compute a modular square root against a non-prime modulus. OpenSSL reaches that code while parsing a certificate that contains an elliptic-curve public key in compressed form, or explicit EC parameters with a compressed base point, so a crafted certificate can hang the OpenSSL library and create a Denial-of-Service (DoS) condition in the impacted Rocket U2 products. The attacker does not need a certificate that carries a valid signature or chains to a trusted CA: the parsing that triggers the loop happens before signature verification, so it can be reached by a TLS client parsing a malicious server certificate or by a TLS server parsing a malicious client certificate.

Impact to U2

UniVerse, UniData and the U2 Common Clients are impacted by this vulnerability because they ship OpenSSL versions prior to 1.0.2zd, 1.1.1n and 3.0.2:

  • All versions and builds of UniVerse
  • All versions and builds of UniData
  • All versions and builds of U2 Common Clients

Solution

The OpenSSL project fixed this vulnerability in OpenSSL 1.0.2zd, 1.1.1n and 3.0.2.

Because OpenSSL 1.0.2 reached end of life (EOL) at the end of 2019 (the 1.0.2zd fix release is only available to OpenSSL premium-support customers), we have no plan to upgrade older versions of UniVerse, UniData and U2 Common Client that use OpenSSL 1.0.2. Our plan is to upgrade the versions of UniVerse, UniData and U2 Common Client that use OpenSSL 1.1.1 to 1.1.1n.

We highly recommend that customers using UniVerse 11.3.1 and earlier or UniData 8.2.1 and earlier upgrade to the latest versions to benefit from the fixes.
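Deciding whether a given OpenSSL build is on the wrong side of the fix line is not a plain string comparison: 1.x bug-fix releases append letters (1.0.2u, 1.0.2za, ..., 1.0.2zd) while 3.x bumps the patch number. The following check, added here as an example and not Rocket's own tooling, encodes the three fix versions named in this bulletin and classifies version strings such as the output of `openssl version`. The hostnames and version strings in the sample inventory are constructed; because U2 products bundle their own OpenSSL, feed it the version the product reports rather than the operating system's library.

```python
"""Classify OpenSSL version strings against the CVE-2022-0778 fix releases.

Added example (not Rocket's code). Fix thresholds are those stated in the
bulletin: 1.0.2zd, 1.1.1n and 3.0.2.
"""
import re
from typing import NamedTuple

# Matches "1.1.1n", "1.0.2zd", "3.0.2", and full `openssl version` output.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    suffix: str  # letter suffix used by 1.x releases; empty for 3.x

    def key(self):
        # Pre-3.0 bug-fix releases append letters: 1.1.1a < ... < 1.1.1z < 1.1.1za < 1.1.1zb.
        # Ordering suffixes by (length, text) reproduces that sequence; "" (no suffix) sorts first.
        return (self.major, self.minor, self.patch, len(self.suffix), self.suffix)


def parse_openssl_version(text: str) -> OpenSSLVersion:
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return OpenSSLVersion(int(m[1]), int(m[2]), int(m[3]), m[4])


# 1.x branch -> first release containing the fix (from the bulletin).
FIXED_IN_1X = {
    (1, 0, 2): parse_openssl_version("1.0.2zd"),
    (1, 1, 1): parse_openssl_version("1.1.1n"),
}
# 3.x is versioned numerically; 3.0.2 and every later 3.x release carry the fix.
FIXED_IN_3X = parse_openssl_version("3.0.2")


def cve_2022_0778_status(text: str) -> str:
    """Return "fixed", "vulnerable" or "eol-unpatched" for one version string."""
    v = parse_openssl_version(text)
    if v.major >= 3:
        fixed = FIXED_IN_3X
    else:
        fixed = FIXED_IN_1X.get((v.major, v.minor, v.patch))
        if fixed is None:
            # 1.1.0, 1.0.1, 0.9.8 ...: out of support, no fixed release was published.
            return "eol-unpatched"
    return "fixed" if v.key() >= fixed.key() else "vulnerable"


def triage_inventory(lines):
    """Map "host  <openssl version output>" lines to (host, status) pairs."""
    results = []
    for line in lines:
        host, _, version_text = line.strip().partition(" ")
        results.append((host, cve_2022_0778_status(version_text)))
    return results


# Constructed sample inventory: hostnames and versions invented for this example.
SAMPLE_INVENTORY = [
    "uvhost01  OpenSSL 1.0.2u",
    "udhost02  OpenSSL 1.1.1k",
    "client03  OpenSSL 1.1.1n",
    "lab04  OpenSSL 3.0.1",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

The one case a version-string check cannot settle is a distribution build that backports the fix without changing the letter suffix; for a library bundled inside a product, as the bulletin describes, the version the vendor states is the one that counts, and the fix list above is the bulletin's, not a guess.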

U2 Security Bulletin

If you’re running UniVerse or UniData, please plan an upgrade! If your maintenance contract is current, please visit RBC to download the fixed version. If your maintenance contract has lapsed, please contact your Rocket sales rep and we’ll help you get current.