OpenSSL Vulnerability

  • 20 April 2023

Several vulnerabilities in OpenSSL 1.1.1 have recently been reported. Since we use OpenSSL in our products, we would like to inform you of the impact they have on the security of the AIMMS and PRO platforms.

 

What are the vulnerabilities?

The actual vulnerabilities are listed in this article: https://www.openssl.org/news/openssl-1.1.1-notes.html, under “Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]”.

They are explained here in detail:

  1. https://nvd.nist.gov/vuln/detail/CVE-2023-0286 [high 7.4]
  2. https://nvd.nist.gov/vuln/detail/CVE-2023-0215 [high 7.5]
  3. https://nvd.nist.gov/vuln/detail/CVE-2022-4450 [high 7.5]
  4. https://nvd.nist.gov/vuln/detail/CVE-2022-4304 [medium 5.9]

 

Where do we use OpenSSL 1.1.1h in our software?

Product               Application of OpenSSL 1.1.1
PRO on Cloud          does not use OpenSSL libraries
PRO on-premise        uses OpenSSL 1.1.1h for downloading autolibs and for traffic from/to the portal when the admin has enabled SSL
HTTP Client Library   uses OpenSSL 1.1.1h to connect to HTTPS sites
DEX                   uses OpenSSL 1.1.1h for the REST client on Linux (so also on our cloud), not on Windows

 

What is the impact?

The first three of the listed vulnerabilities do not affect the AIMMS software, because our software does not use OpenSSL in the specific way required for them to surface.

The last vulnerability requires the attacker to already be on the local network where PRO on-premise runs and to send a very large amount of network traffic to it (for example by repeatedly executing commands).

Based on this analysis, we consider the probability of exploitation of this vulnerability on PRO on-premise to be low.

The client applications (DEX/HTTPLib) are not affected at all.

 

What is the longer term remediation?

In the longer term we intend to link against the OpenSSL libraries provided by the operating system, rather than bundling them statically with our code. This puts the customers of our on-premise products in control of patching.
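Until that switch happens, an administrator of an on-premise installation may want to know which OpenSSL copies are bundled in the binaries they run. The following Python script is an added example, not AIMMS code: it scans files for the version text that every OpenSSL build embeds (for example "OpenSSL 1.1.1h  22 Sep 2020"), parses the 1.1.1 letter-suffix scheme so that 1.1.1h sorts before the 1.1.1t fix level named above, and flags versions from other branches (1.0.2x, 3.x) for a separate lookup. The sample blob and the function names are constructed for this example. Two caveats: a hit proves that a copy is bundled, but no hit says nothing about programs that load the OS libssl dynamically, and some distribution builds backport fixes without changing the version string, so treat the result as an inventory, not a verdict.

```python
from __future__ import annotations

import re
import sys
from pathlib import Path

# First release on the 1.1.1 branch that contains the fixes for the four CVEs above.
FIXED_1_1_1 = "1.1.1t"

# Every OpenSSL build embeds its OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.1.1h  22 Sep 2020",
# so a byte scan of a binary reveals which copy was linked in.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def version_key(version: str) -> tuple[int, int, int, str]:
    """Parse '1.1.1h' into (1, 1, 1, 'h') so tuples compare in release order.
    The 1.0.2 and 1.1.1 branches used a letter suffix for patch releases; 3.x does not."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix


def assess(version: str, fixed: str = FIXED_1_1_1) -> str:
    """Classify a version relative to the fixed release on the same branch:
    'fixed', 'vulnerable', or 'other-branch' (1.0.2x, 3.0.x: consult that branch's own notes)."""
    v, f = version_key(version), version_key(fixed)
    if v[:3] != f[:3]:
        return "other-branch"
    return "fixed" if v[3] >= f[3] else "vulnerable"


def find_versions(data: bytes) -> list[str]:
    """Distinct OpenSSL version strings embedded in a blob, in order of first appearance."""
    found: list[str] = []
    for m in VERSION_RE.finditer(data):
        v = m.group(1).decode("ascii")
        if v not in found:
            found.append(v)
    return found


def scan_blob(data: bytes) -> dict[str, str]:
    """Map each embedded OpenSSL version to its assessment."""
    return {v: assess(v) for v in find_versions(data)}


def scan_files(paths: list[Path]) -> dict[str, dict[str, str]]:
    """Scan regular files (recursing into directories) and report only those that embed OpenSSL."""
    report: dict[str, dict[str, str]] = {}
    for root in paths:
        files = [root] if root.is_file() else [p for p in root.rglob("*") if p.is_file()]
        for path in files:
            result = scan_blob(path.read_bytes())
            if result:
                report[str(path)] = result
    return report


# Constructed stand-in for a statically linked binary; not a real AIMMS file.
SAMPLE_BLOB = (
    b"\x7fELF" + b"\x00" * 12
    + b"OpenSSL 1.1.1h  22 Sep 2020\x00"   # the bundled copy named in the table above
    + b"padding\x00"
    + b"OpenSSL 1.0.2u  20 Dec 2019\x00"   # an older branch in the same blob, flagged separately
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python scan_openssl.py /path/to/install/dir
        for path, result in scan_files([Path(a) for a in sys.argv[1:]]).items():
            print(path, result)
    else:
        print("constructed sample:", scan_blob(SAMPLE_BLOB))
        # -> {'1.1.1h': 'vulnerable', '1.0.2u': 'other-branch'}
```

Run it with the installation directory as argument to get one line per file that embeds an OpenSSL version string; without arguments it scans the constructed sample. The comparison deliberately refuses to rank versions across branches, because a 3.0.x or 1.0.2x string must be checked against that branch's own release notes rather than against 1.1.1t.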

 

