At Rocket Software we are committed to and value product security. Rocket Software continually reviews security compliance policies and trends to strengthen our products. We've recently implemented the Rocket Vulnerability Disclosure Program (VDP) as an added measure of vigilance. This program allows us to collaborate with valued researchers to respond to vulnerabilities found in Rocket Software products and resolve them on behalf of our customers.
Recently, Rapid7 Research discovered several vulnerabilities in Rocket UniData 8.2.4 and reported them through the VDP. Rapid7 found vulnerabilities with the UniData UniRPC server (and related services) running on the Linux platform. Due to the nature of the MultiValue applications, Rapid7 believes that widespread exploitation of the vulnerabilities is unlikely; these services tend to be found on the backend and are rarely internet-facing. That being said, the software stack is commonly used by large organizations to store and manage data, so it's possible that these vulnerabilities will be exploited by attackers who have already gained unauthorized access to an organization's network in another way.
Remediation
The Rocket Software MultiValue team reviewed Rapid7's findings and worked closely with them to identify and resolve the UniRPC security vulnerabilities in UniData 8.2.4. After completing internal testing across the U2 data servers, the MultiValue team also identified and resolved the vulnerabilities in UniVerse 11.3.5 & 12.2.1.
The Rapid7 Vulnerability Disclosure will be posted to the Rapid7 Research blog on March 30, 2023. Please review this blog post and the hotfix release notes for more vulnerability and remediation details.
If you are running Rocket UniData or Rocket UniVerse, regardless of the version, we strongly advise you to upgrade to the latest hotfixes, available on Rocket Business Connect (rbc.rocketsoftware.com):
· UniData 8.2.4.3003
· UniVerse 11.3.5.1001
· UniVerse 12.2.1.2002 (available by April 14, 2023)
------------------------------
Christine Rizza
Sr. MV Product Manager
Rocket Software
crizza@rocketsoftware.com
------------------------------
Thanks for posting this @Chris Rizza
The Rapid7 blog post indicates that Rocket had confirmed that the vulnerability affected both "UniVerse 11.3.5 (and earlier)" and "UniVerse 12.2.1 (and earlier)".
There was no explicit mention of UniVerse 11.2.x versions as being affected.
Is that because it falls under the "11.3.5 and earlier" category (so it IS affected), or it has been checked and is not vulnerable?
------------------------------
Gregor Scott
Software Architect
Pentana Solutions Pty Ltd
Mount Waverley VIC AU
------------------------------
Good morning Christine,
Is there a hotfix for UniVerse versions? If yes, which versions are covered? If no, is one planned and, again, which versions will be covered?
Thanks,
------------------------------
Tyrel Marak
Technical Support Manager
Aptron Corporation
Florham Park NJ US
------------------------------
Gregor,
Although the vulnerabilities were found by Rapid7 by checking UniData 8.2.4, we tested and fixed them in UniVerse 11.3.5 and 12.2.1. We expect the vulnerabilities also exist in all the EOM 11.2 versions. Note that all versions of UV 11.2 will be EOS/EOLS in September 2023. We only tested and fixed against the current GA versions of UniVerse, which is in line with the Rocket MV Product Lifecycle Status Policy. In the Rocket announcement we do strongly advise customers to upgrade to the hotfixes regardless of the version they are running.
------------------------------
Christine Rizza
Sr. MV Product Manager
Rocket Software
crizza@rocketsoftware.com
------------------------------
Hi Tyrel,
Yes, there are hotfixes:
If you are running Rocket UniData or Rocket UniVerse, regardless of the version, we strongly advise you to upgrade to the latest hotfixes, available on Rocket Business Connect (rbc.rocketsoftware.com):
- UniData 8.2.4.3003
- UniVerse 11.3.5.1001
- UniVerse 12.2.1.2002 (available by April 14, 2023)
------------------------------
Christine Rizza
Sr. MV Product Manager
Rocket Software
crizza@rocketsoftware.com
------------------------------
How do we know what UniData version we are on? 8.2.4.3003, it’s the 3003 part I am asking about.
Thank you Chris,
Just to be clear, the UniVerse 11.3.5.1001 hotfix will work for a site running 11.3.2.7003? Or do they need to upgrade to 11.3.5 and then apply the hotfix?
------------------------------
Tyrel Marak
Technical Support Manager
Aptron Corporation
Florham Park NJ US
------------------------------
Hi Tyrel,
The 11.3.5.1001 hotfix release is a full release. No need to install 11.3.5 first.
Thanks,
Neil
------------------------------
Neil Morris
Universe Advanced Technical Support
Rocket Software
------------------------------
The simplest way is to check the port.note file in the $UDTBIN directory; the version number is at the end of the UniData Release line (see below).
Platform : AIX 7.1 - 64bit
Operating System : AIX dendevmvasbld03 1 7 00FA6E984C00 7100-05-03-1837
Porting Date : Thu Sep 22 00:39:36 EDT 2022
UniData Release : 8.2.4 82_220921_3001
Ported by : svnsrc
Compilers Used : IBM XL C/C++ for AIX, V10.1
Version: 10.01.0000.0008
Revision : 2338869
So the example machine is running 8.2.4.3001
------------------------------
Jonathan Smith
UniData ATS
Rocket Support
------------------------------
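An added example, not Rocket's own tooling, that scripts the check Jonathan describes: it takes the build number off the "UniData Release" line of port.note, forms 8.2.4.<build>, and compares that with the 8.2.4.3003 hotfix level from the announcement. The port.note content inside is constructed in the layout quoted above, and the function names are my own.

```shell
# Added example (not Rocket's tooling): derive the full UniData build number
# from port.note and compare it with the hotfix level from the announcement.

# Print the full version, e.g. 8.2.4.3001, from port.note ($1, or stdin).
udt_version() {
    awk -F':' '$1 ~ /^UniData Release/ {
        n = split($2, f, " ")      # f[1] = 8.2.4, f[n] = 82_220921_3001
        m = split(f[n], b, "_")    # b[m] = 3001, the build number
        print f[1] "." b[m]
        exit
    }' "$@"
}

# Return 0 when dotted version $1 is at or above $2. Missing components
# count as 0, so a bare 8.2.4 is treated as older than 8.2.4.3003.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 1
            if (xi > yi) exit 0
        }
        exit 0
    }'
}

# Exit 0 if the install described by port.note ($1) is at or above the
# hotfix level ($2), 1 if it still needs the hotfix, 2 if undetermined.
udt_hotfix_check() {
    installed=$(udt_version "$1")
    if [ -z "$installed" ]; then
        echo "$1: no 'UniData Release' line found" >&2
        return 2
    fi
    if version_ge "$installed" "$2"; then
        echo "$1: UniData $installed is at or above hotfix $2"
        return 0
    fi
    echo "$1: UniData $installed is below hotfix $2, apply the hotfix"
    return 1
}

# Constructed port.note in the layout quoted above (not a real machine's file).
SAMPLE_PORTNOTE=$(mktemp)
trap 'rm -f "$SAMPLE_PORTNOTE"' EXIT
cat > "$SAMPLE_PORTNOTE" <<'EOF'
Platform : AIX 7.1 - 64bit
Porting Date : Thu Sep 22 00:39:36 EDT 2022
UniData Release : 8.2.4 82_220921_3001
EOF

# On a real host: udt_hotfix_check "$UDTBIN/port.note" 8.2.4.3003
udt_hotfix_check "$SAMPLE_PORTNOTE" 8.2.4.3003 || :   # status 1 here: 3001 < 3003
```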
Thanks!
Will there be hotfixes released for the other 11.3.? releases or will we need to upgrade to 11.3.5.1001?
Steve
Steve,
We are only patching the current GA releases of both UniData and UniVerse and do not plan to hotfix older versions. We do encourage our customers to upgrade to current GA releases so that they can take full advantage of all enhancements and bug fixes as well as stay up to date with security compliance standards, updates, and vulnerability fixes.
------------------------------
Christine Rizza
Sr. MV Product Manager
Rocket Software
crizza@rocketsoftware.com
------------------------------
The original report specifically mentions Linux versions. Can anyone confirm that the vulnerability also exists on other Unix-like platforms (such as AIX)?
------------------------------
Martin Shields
Senior Technical Consultant
Meier Business Systems PTY LTD
Carnegie VIC AU
------------------------------
Hi Chris,
Can you clarify please whether or not the vulnerability exists for Universe running on AIX 7.1 and/or AIX 7.2?
------------------------------
John Green
Head of Technology
Ultradata Australia Pty Ltd
Malvern East VIC AU
------------------------------
Although Rapid7 found the vulnerabilities while looking at a Linux installation, the vulnerabilities exist on all platforms.
------------------------------
Jonathan Smith
UniData ATS
Rocket Support
------------------------------
Jonathan,
I think you mean all UNIX/Linux platforms, right? Or has Rocket discovered that the vulnerabilities extend to Windows?
Rapid7: We verified that these issues do not affect the Windows version, as the networking stack appears to be different.
I'm not trying to be overly pedantic; we've been planning based on the Rapid7 blog post.
Thanks,
------------------------------
Tyrel Marak
Technical Support Manager
Aptron Corporation
Florham Park NJ US
------------------------------
Tyrel,
Apologies, I should have been 100% clear. As Rapid7 stated, the network stack is different on Windows, so the vulnerabilities do not affect Windows. However, the code changes we made to prevent the vulnerabilities were also made in the Windows version of UniVerse and UniData. So it would seem prudent for Windows users to also upgrade, and that is what we are recommending customers to do.
Thanks,
------------------------------
Jonathan Smith
UniData ATS
Rocket Support
------------------------------
Jonathan,
Thanks for the clarification. I don't disagree with the recommendation, but clients...
At any rate, the "must do" in order to deal with the vulnerability is entirely aimed at UNIX/Linux installations, while the "recommendation" (a best practice really) is a general statement aimed at all installations not already at these release levels. From my point of view, the recommendation is pretty obvious as a general statement, but it doesn't really help me figure out how many cats I need to herd right now and with what urgency :-).
As I indicated, I appreciate the clarification; I really do. Thank you.
------------------------------
Tyrel Marak
Technical Support Manager
Aptron Corporation
Florham Park NJ US
------------------------------