Original Message:
Sent: 3/30/2023 10:59:00 AM
From: Jonathan Smith
Subject: RE: UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment
The simplest way is to check in the port.note file in the $UDTBIN directory; the version number is at the end of the UniData Release (see below):
Platform : AIX 7.1 - 64bit
Operating System : AIX dendevmvasbld03 1 7 00FA6E984C00 7100-05-03-1837
Porting Date : Thu Sep 22 00:39:36 EDT 2022
UniData Release : 8.2.4 82_220921_3001
Ported by : svnsrc
Compilers Used : IBM XL C/C++ for AIX, V10.1
Version: 10.01.0000.0008
Revision : 2338869
So the example machine is running 8.2.4.3001.
------------------------------
Jonathan Smith
UniData ATS
Rocket Support
------------------------------
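The check described in the message above, scripted as an added example (not part of the original thread and not Rocket tooling). It assumes port.note has the layout quoted above and that build numbers are only comparable within the 8.2.4 release line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Rocket's tooling): read the full UniData version from
# port.note and compare it with the hotfix level named in this thread.
FIXED_RELEASE="8.2.4"   # hotfix release line from the thread
FIXED_BUILD=3003        # hotfix build from the thread

# Print "<release>.<build>", e.g. 8.2.4.3001; exit status 2 if not found.
udt_version() {
    awk -F: '/^UniData Release/ && v == "" {
        n = split($2, f, " ")            # "8.2.4" "82_220921_3001"
        m = split(f[n], b, "_")          # build is the last "_" field
        if (n >= 2 && m >= 2) v = f[1] "." b[m]
    } END { if (v == "") exit 2; print v }' "$1"
}

# 0 = at or above the hotfix, 1 = below it, 2 = cannot tell from this file.
udt_hotfix_status() {
    ver=$(udt_version "$1") || return 2
    release=${ver%.*}; build=${ver##*.}
    case $build in ''|*[!0-9]*) return 2 ;; esac
    # Assumption: builds are only compared within the same release line.
    [ "$release" = "$FIXED_RELEASE" ] || return 2
    [ "$build" -ge "$FIXED_BUILD" ]
}

# Demo on the port.note lines quoted in the message above.
demo=${TMPDIR:-/tmp}/port.note.demo.$$
cat > "$demo" <<'EOF'
Platform : AIX 7.1 - 64bit
Porting Date : Thu Sep 22 00:39:36 EDT 2022
UniData Release : 8.2.4 82_220921_3001
EOF
if udt_hotfix_status "$demo"; then
    echo "$(udt_version "$demo"): at or above $FIXED_RELEASE.$FIXED_BUILD"
else
    echo "$(udt_version "$demo"): below $FIXED_RELEASE.$FIXED_BUILD or undetermined"
fi
rm -f "$demo"
```

On a real host, call `udt_hotfix_status "$UDTBIN/port.note"` and treat a status of 1 or 2 as a host to follow up on.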
Original Message:
Sent: 03-30-2023 10:39
From: Thomas VanKirk
Subject: UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment
How do we know what UniData version we are on? 8.2.4.3003, it's the 3003 part I am asking about.
Original Message:
Sent: 3/30/2023 10:27:00 AM
From: Chris Rizza
Subject: RE: UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment
Hi Tyrel,
Yes, there are hotfixes:
If you are running Rocket UniData or Rocket UniVerse, regardless of the version, we strongly advise you to upgrade to the latest hotfixes, available on Rocket Business Connect (rbc.rocketsoftware.com):
- UniData 8.2.4.3003
- UniVerse 11.3.5.1001
- UniVerse 12.2.1.2002 (available by April 14, 2023)
------------------------------
Christine Rizza
Sr. MV Product Manager
Rocket Software
crizza@rocketsoftware.com
Original Message:
Sent: 03-30-2023 10:12
From: Tyrel Marak
Subject: UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment
Good morning Christine,
Is there a hotfix for UniVerse versions? If yes, which versions are covered? If no, is one planned and, again, which versions will be covered?
Thanks,
------------------------------
Tyrel Marak
Technical Support Manager
Aptron Corporation
Florham Park NJ US
Original Message:
Sent: 03-29-2023 14:58
From: Chris Rizza
Subject: UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment
At Rocket Software we are committed to and value product security. Rocket Software continually reviews security compliance policies and trends to strengthen our products. We've recently implemented the Rocket Vulnerability Disclosure Program (VDP) as an added measure of vigilance. This program allows us to collaborate with valued researchers to respond to vulnerabilities found in Rocket Software products and resolve them on behalf of our customers.
Recently, Rapid7 Research discovered several vulnerabilities in Rocket UniData 8.2.4 and reported them through the VDP. Rapid7 found vulnerabilities with the UniData UniRPC server (and related services) running on the Linux platform. Due to the nature of the MultiValue applications, Rapid7 believes that widespread exploitation of the vulnerabilities is unlikely; these services tend to be found on the backend and are rarely internet-facing. That being said, the software stack is commonly used by large organizations to store and manage data, so it's possible that these vulnerabilities will be exploited by attackers who have already gained unauthorized access to an organization's network in another way.
Remediation
The Rocket Software MultiValue team reviewed Rapid7's findings and worked closely with them to identify and resolve the UniRPC security vulnerabilities in UniData 8.2.4. After completing internal testing across the U2 data servers, the MultiValue team also identified and resolved the vulnerabilities in UniVerse 11.3.5 & 12.2.1.
The Rapid7 Vulnerability Disclosure will be posted to the Rapid7 Research blog on March 30, 2023. Please review this blog post and the hotfix release notes for more vulnerability and remediation details.
If you are running Rocket UniData or Rocket UniVerse, regardless of the version, we strongly advise you to upgrade to the latest hotfixes, available on Rocket Business Connect (rbc.rocketsoftware.com):
· UniData 8.2.4.3003
· UniVerse 11.3.5.1001
· UniVerse 12.2.1.2002 (available by April 14, 2023)
------------------------------
Christine Rizza
Sr. MV Product Manager
Rocket Software
crizza@rocketsoftware.com
------------------------------