A vulnerability in SSL 1.1.1 has been recently reported. Since we do use SSL in our products we would like to inform you of the impact it has on the security of AIMMS and PRO platform.
What are the vulnerabilities?
The actual vulnerabilities are mentioned in this article: https://www.openssl.org/news/openssl-1.1.1-notes.html, under “Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]”
They are explained here in detail:
- https://nvd.nist.gov/vuln/detail/CVE-2023-0286 [high 7.4]
- https://nvd.nist.gov/vuln/detail/CVE-2023-0215 [high 7.5]
- https://nvd.nist.gov/vuln/detail/CVE-2022-4450 [high 7.5]
- https://nvd.nist.gov/vuln/detail/CVE-2022-4304 [medium 5.9]
Where do we use OpenSSL 1.1.1h in our software?
Application of OpenSSL 1.1.1
PRO on Cloud
does not use OpenSSL libraries
uses OpenSSL 1.1.1h for downloading autolibs and for traffic from/to the portal in case the admin has enabled SSL
HTTP Client Library
uses OpenSSL 1.1.1h to connect to https sites
uses OpenSSL 1.1.1h for REST client on Linux (so also on our cloud), not on Windows
What is the impact?
The first 3 of the described vulnerabilities do not affect the AIMMS software. This is because in our case SSL is not used in the specific way required for them to surface.
The last exploit requires the attacker to already be on the local network where PRO on premise is and send a huge amount of network traffic, like executing command for example.
Based on this analysis we consider the probability of exploitation of this vulnerability on PRO On-Premise low.
The client applications (DEX/HTTPLib) are not affected at all.
What is the longer term remediation?
Longer term we intend to use dynamic libraries that we retrieve from the OS, rather than including them ‘statically’ in our code. This will put the customers of our on-premise products in control.