openssl included in Microfocus COBOL Server 8.0 Patch Update 8.0 is out of date and has vulnerabilities, what is the next available patch?

  • May 16, 2024
  • 3 replies
  • 0 views

Hi 

What is the next available patch update for Microfocus COBOL Server 8.0 that will update the security vulnerability of the openssl included?

Current installed:

cobol v8.0.0
PRN=K1CRH/AAK:Ao.U4.13.04
PTI=32/64 bit
PTI=Micro Focus COBOL Server 8.0 - Patch Update 08
PTI=Patch Update 08
PTI=pkg_324515
PTI=MFInstaller

Scan vulnerability:
Path : /opt/microfocus/VisualCOBOL/bin/openssl
Reported version : 1.1.1t
Fixed version : 1.1.1x

Thanks,
Aldous

Chris Glazier
  • Moderator
  • 3697 replies
  • May 16, 2024

Do you happen to know which CVE vulnerability is being reported?

According to the knowledgebase article here, if it is OpenSSL CVE-2023-5678, then this is considered to be a false positive.
If you are not using openssl then you could simply remove it from the product to avoid the reported vulnerability.

The new version of openssl is available in V9.0 PU6 and later but it may be in earlier versions too. You should probably open up a support ticket to get a definitive answer on this.

Thanks.


  • Author
  • Rocketeer
  • 19312 replies
  • May 17, 2024

Appreciate the update, Chris. Yes, that is the latest CVE-2023-5678 our scans are reporting.

Here are the other CVEs also being reported related to this: CVE-2023-0466, CVE-2023-3817.


Thanks,
Aldous


Chris Glazier
  • Moderator
  • 3697 replies
  • May 17, 2024

I do not see those other CVEs as being reported.

Please open up a case with technical support and they will research this further.

Thanks