Recently a new vulnerability was reported in OpenSSL, a software library used by many server-based applications as well as consumer websites for encrypted communication. This vulnerability can permit a “man-in-the-middle” attacker to decrypt and modify SSL traffic. Upon learning of this issue with OpenSSL, Notable Solutions reviewed all products in our portfolio that interact with OpenSSL to determine if any were subject to this vulnerability. The balance of this article details what we discovered in our analysis and what actions have been taken to remedy this matter.
Four components of AutoStore versions 5 and 6 were subject to this vulnerability:
1. Ricoh ESA capture component
2. AutoCapture
3. QuickCapture Pro
4. Bates Stamp Server
Updates which correct this issue are now available via the AutoStore Software Update service. Please reference the appropriate AutoStore Framework for your configuration as well as the appropriate client update for any of the above referenced components. Once downloaded, please follow the included installation instructions.
In practice, most AutoStore environments are not vulnerable to this issue, since AutoStore typically runs on private networks. In other words, the intrusion would have to take place from within a customer’s network for this vulnerability to be exploited.
Please contact Notable Solutions support at support@notablesolutions.com if you have additional questions, require assistance with applying the updates, or need help verifying that the updates installed successfully.
For reference, a Knowledge Base article featuring an FAQ as well as the information in this announcement can be found at: http://kb.notablesolutions.com/pages/viewpage.action?pageId=15008324 . Details on the OpenSSL vulnerability can be found under the identifier “CVE-2014-0224” at: http://www.openssl.org/news/secadv_20140605.txt