Summary

Some Appeon customers have raised concerns over the following security vulnerabilities relating to OpenSSL:

  • CVE-2022-3786 and CVE-2022-3602

  • CVE-2022-2068 and CVE-2022-2097

Appeon has promptly launched an investigation. This Security Bulletin summarizes the results of our investigation to date.

OpenSSL versions used by Appeon products

Of all the Appeon products, only PowerBuilder contains OpenSSL. OpenSSL is included because PowerBuilder contains SVN and Curl libraries that depend on it. For the avoidance of doubt, the Git libraries have no such dependency on OpenSSL.

The version of OpenSSL included in PowerBuilder is dictated by the versions of the SVN and Curl libraries that are used, and it is not feasible for Appeon to independently upgrade the OpenSSL version:

  • PowerBuilder 2022 contains OpenSSL 1.1.1i for supporting SVN 1.14.1, and OpenSSL 1.1.1q for supporting Curl 7.76.1.

  • PowerBuilder 2019 R3 – 2021 contain OpenSSL 1.0.21 for supporting older versions of SVN, and OpenSSL 1.1.1g for supporting older versions of Curl.

  • PowerBuilder 2017 R3 – 2019 R2 contain OpenSSL 1.0.21 for supporting older versions of SVN.

  • Appeon does not investigate or provide security fixes for EOL versions. If you are using PowerBuilder 2017 R2 or older, you may also be affected.

The OpenSSL libraries are executed only when the following functionality in the PowerBuilder IDE is used:

  • SVN libraries are in the product to enable source control functionality within the IDE for SVN. If you are using other source control functionality within the IDE (e.g. Git) or not using source control at all, the SVN libraries are not used.

  • Curl libraries are in the product to enable the integrated FTP deployment option for PowerClient/PowerServer projects. If you are deploying your PowerClient/PowerServer project using an external FTP client or other means to transfer the app files to your server, the Curl libraries are not used.

Are Appeon products affected by the CVEs?

CVE-2022-3786 and CVE-2022-3602

As the OpenSSL blog explains, these two vulnerabilities CVE-2022-3786 and CVE-2022-3602 (X.509 Email Address Buffer Overflows) were introduced as part of punycode decoding functionality (currently only used for processing email address name constraints in X.509 certificates). This code was first introduced in OpenSSL 3.0.0. OpenSSL 1.0.2, 1.1.1, and other earlier versions are not affected.

Since none of the Appeon products (PowerBuilder, PowerServer, InfoMaker, and so on) use the OpenSSL 3.0.0 libraries, Appeon products are not affected.

CVE-2022-2068 and CVE-2022-2097

The OpenSSL versions that contain the fix for CVE-2022-2068 (the c_rehash script does not properly sanitize shell metacharacters to prevent command injection, as found by code review) include:

  • OpenSSL 3.0.4 (Affected 3.0.0, 3.0.1, 3.0.2, 3.0.3)

  • OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o)

  • OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze)

The OpenSSL versions that contain the fix for CVE-2022-2097 (AES OCB mode on 32-bit x86 platforms using the AES-NI assembly-optimized implementation does not encrypt the entirety of the data under some circumstances) include:

  • OpenSSL 3.0.5 (Affected 3.0.0-3.0.4)

  • OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p)
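As an added example that is not part of the Appeon bulletin, the following Python check tests an OpenSSL version string against the affected ranges listed above. It accounts for the letter-suffix ordering of 1.x releases (1.1.1o precedes 1.1.1p, and 1.0.2ze precedes 1.0.2zf); the function and table names are my own.

```python
import re

# Affected ranges as listed in the bulletin: (first affected, first fixed) per branch.
AFFECTED_RANGES = {
    "CVE-2022-2068": [("3.0.0", "3.0.4"), ("1.1.1", "1.1.1p"), ("1.0.2", "1.0.2zf")],
    "CVE-2022-2097": [("3.0.0", "3.0.5"), ("1.1.1", "1.1.1q")],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def version_key(version):
    """Sort key for an OpenSSL version string.

    1.x releases are distinguished by a letter suffix that runs a..z and then
    za, zb, ..., so the suffix is ordered by length first and alphabetically
    second ("" < "a" < "z" < "za" < "ze" < "zf").  3.x releases carry no
    suffix and are ordered by their numeric patch level.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch), len(suffix), suffix)


def affected_cves(version):
    """Return the CVEs whose published affected range contains `version`.

    A version is affected when first_affected <= version < first_fixed
    on the same release branch; the fixed release itself is not affected.
    """
    key = version_key(version)
    return sorted(
        cve
        for cve, ranges in AFFECTED_RANGES.items()
        if any(version_key(lo) <= key < version_key(fix) for lo, fix in ranges)
    )


if __name__ == "__main__":
    # Constructed sample inventory: version strings as `openssl version`
    # or a software-composition scanner might report them.
    for candidate in ["1.1.1o", "1.1.1p", "1.1.1q", "1.0.2ze", "1.0.2zf", "3.0.3", "3.0.5"]:
        print(candidate, affected_cves(candidate) or "not in the listed ranges")
```

This is a version-range comparison only; whether a product is actually exposed also depends on whether the affected code path (the c_rehash script, or AES-NI OCB on 32-bit x86) is ever executed, which is the component-level assessment the bulletin makes below.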

Based on the above information and the OpenSSL versions used by Appeon products:

  • The SVN source control functionality within the IDE of PowerBuilder 2022 may be affected by CVE-2022-2068 (Git source control is NOT affected).

  • The SVN source control functionality within the IDE of PowerBuilder 2017 R3 - 2021 may be affected by both CVE-2022-2068 and CVE-2022-2097 (Git source control is NOT affected).

  • The Curl libraries used in the supported PowerBuilder versions are not affected by these CVEs.

  • The PowerBuilder runtime in the supported PowerBuilder versions is not affected by these CVEs.

What can you do?

Temporarily refrain from using the SVN source control functionality directly in the IDE. Instead, use the TortoiseSVN client to version control your PowerBuilder project outside of the IDE.

Alternatively, consider using a VPN to establish the network connection between your developer machine and the SVN server.

Then follow your company's security policies and procedures to ensure your IT systems have not been compromised.

What will Appeon do?

Appeon has reported the OpenSSL CVEs to subversion.apache.org and requested that they upgrade the OpenSSL versions used by their product. Once an updated version is available, Appeon will work diligently to incorporate the update into PowerBuilder.

Questions?

If you have any questions regarding this security bulletin, please open a support ticket on the Appeon website: /standardsupport/newbug.

Last updated: November 11, 2022