Rocket U2 | UniVerse & UniData


UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment

  • 1.  UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment

    ROCKETEER
    Posted 03-29-2023 14:59

    At Rocket Software we are committed to and value product security.  Rocket Software continually reviews security compliance policies and trends to strengthen our products. We've  recently implemented the Rocket Vulnerability Disclosure Program (VDP) as an added measure of vigilance.  This program allows us to collaborate with valued researchers to respond to vulnerabilities found in Rocket Software products and resolve them on behalf of our customers.

    Recently, Rapid7 Research discovered several vulnerabilities in Rocket UniData 8.2.4 and reported them through the VDP.  Rapid7 found vulnerabilities with the UniData UniRPC server (and related services) running on the Linux platform.  Due to the nature of the MultiValue applications, Rapid7 believes that widespread exploitation of the vulnerabilities is unlikely; these services tend to be found on the backend and are rarely internet-facing.  That being said, the software stack is commonly used by large organizations to store and manage data, so it's possible that these vulnerabilities will be exploited by attackers who have already gained unauthorized access to an organization's network in another way. 

    Remediation

    The Rocket Software MultiValue team reviewed Rapid7's findings and worked closely with them to identify and resolve the UniRPC security vulnerabilities in UniData 8.2.4.  After completing internal testing across the U2 data servers, the MultiValue team also identified and resolved the vulnerabilities in UniVerse 11.3.5 & 12.2.1. 

    The Rapid7 Vulnerability Disclosure will be posted to the Rapid7 Research blog on March 30, 2023.  Please review this blog post and the hotfix release notes for more vulnerability and remediation details.

    If you are running Rocket UniData or Rocket UniVerse, regardless of the version, we strongly advise you to upgrade to the latest hotfixes, available on Rocket Business Connect (rbc.rocketsoftware.com):

    • UniData 8.2.4.3003
    • UniVerse 11.3.5.1001
    • UniVerse 12.2.1.2002 (available by April 14, 2023)



    ------------------------------
    Christine Rizza
    Sr. MV Product Manager
    Rocket Software
    crizza@rocketsoftware.com
    ------------------------------
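    The post lists a minimum hotfix build per release line, and a "3003"-style trailing build number is what separates a fixed install from an unfixed one. As an added example (not part of the announcement, and not a Rocket tool), the Python below compares an installed version string against those hotfix levels numerically rather than lexically, so that "8.2.4.999" is correctly ranked below "8.2.4.3003". The host inventory is constructed; the fixed versions are the ones named in the post. How the version string is obtained from a given install is outside the page and is left to the administrator.

```python
"""Flag UniData/UniVerse installs below the hotfix builds named in the announcement."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum fixed build per release line, as listed in the Rocket announcement.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("UniData", "8.2.4"): "8.2.4.3003",
    ("UniVerse", "11.3.5"): "11.3.5.1001",
    ("UniVerse", "12.2.1"): "12.2.1.2002",
}


def parse_version(text: str) -> Version:
    """Turn '8.2.4.3003' into (8, 2, 4, 3003) so ordering is numeric, not string-wise."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def release_line(version: Version) -> str:
    """The first three components identify the release line (e.g. '11.3.5')."""
    return ".".join(str(p) for p in version[:3])


def assess(product: str, installed: str) -> str:
    """Classify one install as 'fixed', 'needs-hotfix' or 'unsupported-line'.

    A release line with no listed hotfix (such as UniVerse 11.2.x) is reported
    separately: the announcement advises upgrading regardless of version, so
    such installs must not be treated as fixed.
    """
    version = parse_version(installed)
    fixed = FIXED_VERSIONS.get((product, release_line(version)))
    if fixed is None:
        return "unsupported-line"
    # Tuple comparison makes (8, 2, 4) sort below (8, 2, 4, 3003), so a bare
    # three-part version is treated as older than any listed hotfix build.
    return "fixed" if version >= parse_version(fixed) else "needs-hotfix"


# Constructed inventory: (hostname, product, installed version). Hypothetical hosts.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("mv-db-01", "UniData", "8.2.4.3001"),
    ("mv-db-02", "UniData", "8.2.4.3003"),
    ("mv-uv-01", "UniVerse", "11.3.5"),
    ("mv-uv-02", "UniVerse", "11.2.5"),
    ("mv-uv-03", "UniVerse", "12.2.1.2002"),
]


def report(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the ones still needing action stand out."""
    grouped: Dict[str, List[str]] = {"fixed": [], "needs-hotfix": [], "unsupported-line": []}
    for host, product, installed in inventory:
        grouped[assess(product, installed)].append(host)
    return grouped


if __name__ == "__main__":
    for status, hosts in report(SAMPLE_INVENTORY).items():
        print(f"{status:17s} {', '.join(hosts) or '-'}")
```

    Hosts in the "needs-hotfix" bucket are on a covered release line but below the listed build; hosts in "unsupported-line" are on a line for which no hotfix is listed and need a release-line upgrade rather than a hotfix.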


  • 2.  RE: UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment

    PARTNER
    Posted 03-30-2023 02:05

    Thanks for posting this @Christine Rizza 

    The Rapid7 blog post indicates that Rocket had confirmed that the vulnerability affected both "UniVerse 11.3.5 (and earlier)" and "UniVerse 12.2.1 (and earlier)".

    There was no explicit mention of UniVerse 11.2.x versions as being affected.

    Is that because it falls under the "11.3.5 and earlier" category (so it IS affected), or it has been checked and is not vulnerable?



    ------------------------------
    Gregor Scott
    Software Architect
    Pentana Solutions Pty Ltd
    Mount Waverley VIC AU
    ------------------------------



  • 3.  RE: UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment

    ROCKETEER
    Posted 03-30-2023 10:25

    Gregor,

    Although the vulnerabilities were found by Rapid7 by checking UniData 8.2.4, we tested and fixed them in UniVerse 11.3.5 and 12.2.1.  We expect the vulnerabilities also exist in all the EOM 11.2 versions.  Note that all versions of UV 11.2 will be EOS/EOLS in September 2023.  We only tested and fixed against the current GA versions of UniVerse, which is in line with the Rocket MV Product Lifecycle Status Policy.  In the Rocket announcement we do strongly advise customers to upgrade to the hotfixes regardless of the version they are running.



    ------------------------------
    Christine Rizza
    Sr. MV Product Manager
    Rocket Software
    crizza@rocketsoftware.com
    ------------------------------



  • 4.  RE: UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment

    PARTNER
    Posted 03-30-2023 10:12

    Good morning Christine,

    Is there a hotfix for UniVerse versions?  If yes, which versions are covered?  If no, is one planned and, again, which versions will be covered?

    Thanks,



    ------------------------------
    Tyrel Marak
    Technical Support Manager
    Aptron Corporation
    Florham Park NJ US
    ------------------------------



  • 5.  RE: UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment

    ROCKETEER
    Posted 03-30-2023 10:27

    Hi Tyrel,

    Yes, there are hotfixes:

    If you are running Rocket UniData or Rocket UniVerse, regardless of the version, we strongly advise you to upgrade to the latest hotfixes, available on Rocket Business Connect (rbc.rocketsoftware.com):

    • UniData 8.2.4.3003
    • UniVerse 11.3.5.1001
    • UniVerse 12.2.1.2002 (available by April 14, 2023)


    ------------------------------
    Christine Rizza
    Sr. MV Product Manager
    Rocket Software
    crizza@rocketsoftware.com
    ------------------------------



  • 6.  RE: UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment

    Posted 03-30-2023 10:39
    How do we know what UniData version we are on? In 8.2.4.3003, it’s the 3003 part I am asking about.




  • 7.  RE: UniData/UniVerse Vulnerabilities Discovered by 3rd Party Researcher -Rocket Software's Security Commitment