Announcements

  • Rocket’s Security Commitment – UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher

    At Rocket Software we are committed to and value product security.  Rocket Software continually reviews security compliance policies and trends to strengthen our products. We’ve recently implemented the Rocket Vulnerability Disclosure Program (VDP) as an added measure of vigilance.  This program allows us to collaborate with valued researchers to respond to vulnerabilities found in Rocket Software products and resolve them on behalf of our customers.

    Recently, Rapid7 Research discovered several vulnerabilities in Rocket UniData 8.2.4 and reported them through the VDP.  Rapid7 found vulnerabilities with the UniData UniRPC server (and related services) running on the Linux platform.  Due to the nature of the MultiValue applications, Rapid7 believes that widespread exploitation of the vulnerabilities is unlikely; these services tend to be found on the backend and are rarely internet-facing.  That being said, the software stack is commonly used by large organizations to store and manage data, so it's possible that these vulnerabilities will be exploited by attackers who have already gained unauthorized access to an organization's network in another way. 

    Remediation

    The Rocket Software MultiValue team reviewed Rapid7’s findings and worked closely with them to identify and resolve the UniRPC security vulnerabilities in UniData 8.2.4.  After completing internal testing across the U2 data servers, the MultiValue team also identified and resolved the vulnerabilities in UniVerse 11.3.5 & 12.2.1. 

    The Rapid7 Vulnerability Disclosure will be posted to the Rapid7 Research blog on March 30, 2023.  Please review this blog post and the hotfix release notes for more vulnerability and remediation details.

    If you are running Rocket UniData or Rocket UniVerse, regardless of the version, we strongly advise you to upgrade to the latest hotfixes, available on Rocket Business Connect (rbc.rocketsoftware.com):

    ·        UniData 8.2.4.3003

    ·        UniVerse 11.3.5.1001

    ·        UniVerse 12.2.1.2002 (available by April 14, 2023)