Issue
OpenSSL issued a security advisory on March 1, 2016. This advisory covers a number of issues, the most significant of which is commonly referred to as DROWN. The full text of this advisory is at http://openssl.org/news/secadv/20160301.txt
Affected Products
All versions of Alpha Five and Alpha Anywhere released prior to March 3, 2016 are affected as they use an OpenSSL release with the vulnerabilities discussed in the security advisory.
Remediation - Customer Action Required
Along with this advisory, OpenSSL 1.0.2g was released to address these problems. OpenSSL 1.0.2g is now included with Alpha Anywhere and the Alpha Anywhere Application Server pre-releases as of March 3, 2016.
While there is no way we could have anticipated these third-party, industry-wide security vulnerabilities, we have taken immediate action to ensure that Alpha Anywhere subscribers with up-to-date licenses are covered. To that end, we have issued a new pre-release build of Alpha Anywhere that is patched with OpenSSL 1.0.2g. Subscribers with an up-to-date license are now able to download and install this build, which will automatically address all known security issues.
Additionally, for subscribers who do not wish to install a pre-release build, we have made the security patch available for download separately as a set of DLL files. These DLL files are also compatible with Alpha Five v11, for users who are still running v11 applications and do not wish to upgrade to a new server. These DLLs are compatible with Alpha Anywhere and Alpha Five v11 only. To request these files, email [email protected].
Special note for users still running applications on Alpha Five v10 and earlier versions
If you still have legacy applications running on Alpha Five v10 or earlier versions, it is STRONGLY advised that you upgrade at least their Application Servers to Alpha Anywhere as soon as possible. Alpha Five v10 and earlier versions are vulnerable to a number of exploits and no security updates will be available.
The OpenSSL updates we are providing are NOT compatible with Alpha Five versions earlier than v11. Those earlier versions of Alpha Five and the Application Server used the 0.9.8 tree of OpenSSL, and the newer 1.0.1 and 1.0.2 DLLs will not work with them. Furthermore, OpenSSL set the "end of life" for 0.9.8 as December 31, 2015, and no further updates will be released for it. This means there is no way to secure v10 and prior against these newer exploits.
It is STRONGLY advised that users still running Alpha Five v10 or earlier versions upgrade at least their Application Servers to Alpha Anywhere as soon as possible.