Advanced Authentication( Strong Authentication and Risk Authentication ) advisory for Progress DataDirect Vulnerability
search cancel

Advanced Authentication( Strong Authentication and Risk Authentication ) advisory for Progress DataDirect Vulnerability

book

Article ID: 270401

calendar_today

Updated On:

Products

CA Advanced Authentication CA Strong Authentication CA Risk Authentication

Issue/Introduction

The purpose of this advisory is to inform you of a potential problem that has been recently identified affecting the Symantec Advanced Authentication product due to vulnerabilities reported in “Progress DataDirect ODBC drivers”. Please refer to the information provided below and please follow the instructions to avoid being impacted by this problem.

Environment

Release : 9.1, 9.1.01 (aka SP1), 9.1.02 (aka SP2), 9.1.03 (aka SP3), 9.1.04 (aka SP4)

Symantec Strong Authentication

Symantec Risk Authentication

Database : Oracle

Cause

Progress Software Data Direct ODBC Drivers has reported following vulnerabilities 

Resolution

Progress Software has upgraded the DataDirect ODBC driver to address the reported security vulnerabilities. The Symantec Advanced Authentication product team is working on a patch to replace the vulnerable DataDirect ODBC driver with the patched driver for all affected versions. The Symantec Advanced Authentication patch for versions 9.1, 9.1.01, 9.1.02, 9.1.03, and 9.1.04 is expected to be released by August 4th, 2023 and will be available for all Symantec Advanced Authentication customers.

Impact: 

Symantec Advanced Authentication embeds these drivers hence the product is impacted by this vulnerability.

Solution:

Progress Data Direct has addressed the reported security vulnerabilities, which requires upgrading the Data Direct driver version. The Symantec Advanced Authentication product team is working on a patch by upgrading to a patched version of Data Direct ODBC Driver. The Symantec Advanced Authentication patches for Symantec Advanced Authentication versions 9.1, 9.1.01 (SP1), 9.1.02 (SP2), 9.1.03 (SP3) and 9.1.04 (SP4)  are being created. These patches will address the reported vulnerabilities discussed in this article and will be released by August 4th 2023 and will be available to Symantec Advanced  Authentication customers.

What You Should Do:

Please check the availability of the patch on the download section of the Broadcom support website https://support.broadcom.com/. We encourage all our customers to download and apply the patch once available. This knowledge base article can be used as a reference to download the patches once available.

Broadcom Software customers may receive product alerts and advisories by subscribing to Proactive Notifications.

If you have questions, please contact Broadcom Support https://support.broadcom.com/

Note:

Progress DataDirect Driver is vulnerable for Oracle and not for MS SQL server. We will release both the drivers to maintain the same version but MS SQL is not impacted by this.

Additional Information

ODBC Version with Patch Installation:
The version of ODBC that will be installed with this patch are specifically:

  • For Oracle DataDirect ODBC drivers version 08.02.2770
  • For SQL DataDirect ODBC drivers version 08.02.1222

Compatibility Matrix for the Driver:
Additionally, has there been any alteration in the compatibility matrix for these drivers due to the patch? To elaborate, has the patch impacted the compatibility with different systems or configurations? It's important to note that maintaining compatibility is crucial for seamless operations. The patch is backword compatible.