Support Alerts 2013


July 31, 2013 – InterSystems Security Notification

InterSystems has corrected a security vulnerability in Caché, Ensemble, HealthShare and TrakCare that affects all currently released versions beginning with Caché 2007.1. This vulnerability is referred to as “July 2013 SV”.

InterSystems will not discuss the technical details of the security vulnerability, as we feel that such discussion may expose our customers to unnecessary risk.

Patch kits (including installation instructions) and full distributions containing the correction are available on the InterSystems WRC distribution area for the latest maintenance distribution of all supported versions.

Caché and Ensemble:

  • 2013.1.1    (2013.1.1.501.1)
  • 2012.2.4*
  • 2012.1.5    (2012.1.5.956.1)
  • 2011.1.6    (2011.1.6.1001.3) Caché only

* 2012.2.4 is available only as a patch kit.  Maintenance distribution 2012.2.5 is released and contains the correction.

(To help identify the particular full distributions that contain the correction, see the numbers in parentheses. The last number in the string has been incremented with the new distribution version; for example, 2013.1.1.501.0 does not include the correction while 2013.1.1.501.1 does.)
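The build-number rule above can be applied to a host inventory with a short script. This is an added example, not InterSystems code: the "host build" line format, the hostnames and the non-listed build number are constructed, and treating a last number at or above the listed one as corrected is an assumption. Builds whose first four components are not in the list are reported as not-listed, since the build string alone cannot show whether a patch kit was applied.

```python
import re

# Corrected full distributions listed in the notification: first four
# components of the build string -> last number that carries the correction.
CORRECTED_BUILDS = {
    (2013, 1, 1, 501): 1,
    (2012, 1, 5, 956): 1,
    (2011, 1, 6, 1001): 3,  # listed as Caché only
}
BUILD_RE = re.compile(r"\b(\d{4})\.(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def classify_build(text):
    """Return (build, status) for the first five-part build string in text."""
    m = BUILD_RE.search(text)
    if m is None:
        return None, "unparsed"
    *base, last = (int(g) for g in m.groups())
    fixed_from = CORRECTED_BUILDS.get(tuple(base))
    if fixed_from is None:
        # Not one of the listed distributions (e.g. a patch-kit-only version):
        # the build string alone cannot settle it, so flag for manual review.
        return m.group(0), "not-listed"
    # Assumption: a last number at or above the listed one has the correction.
    status = "corrected-distribution" if last >= fixed_from else "uncorrected-distribution"
    return m.group(0), status

def audit(inventory_text):
    """Map each host in 'host build' lines to its (build, status)."""
    report = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, rest = line.partition(" ")
        report[host] = classify_build(rest)
    return report

def needs_follow_up(report):
    """Hosts whose build is not a listed corrected distribution."""
    return sorted(h for h, (_, s) in report.items() if s != "corrected-distribution")

# Constructed sample inventory (hostnames, line format and the 2010.x build
# number are hypothetical).
SAMPLE_INVENTORY = """\
# host build
db-prod-01 2013.1.1.501.0
db-prod-02 2013.1.1.501.1
db-test-01 2011.1.6.1001.2
db-legacy-01 2010.2.8.1104.0
db-dev-01 unknown
"""

if __name__ == "__main__":
    for host, (build, status) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14} {build or '-':18} {status}")
```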

Patch kits for older versions are also available on the InterSystems WRC distribution area.

Please note that all distributions that do not contain the correction for this vulnerability have been removed from the InterSystems WRC Distribution area.

The correction is exceptionally localized; therefore, InterSystems recommends application of the supplied patch kits. The correction is also available via Ad Hoc distribution from InterSystems Worldwide Response Center (WRC). However, Ad Hoc distributions are individually prepared, so the volume of requests will determine how quickly they can be satisfied. Please reference “July 2013 SV” when discussing this vulnerability.

If you have any questions regarding this, please contact InterSystems WRC by phone (+1 617-621-0700), e-mail (Support@InterSystems.com) or web (WRC.InterSystems.com).


April 23, 2013 – InterSystems Security Notification

InterSystems has corrected a security vulnerability in Caché and therefore also in Ensemble, HealthShare and TrakCare. While this vulnerability was only recently discovered, it impacts versions of Caché beginning with 5.1 and all versions of Ensemble and HealthShare. All customers who are running these versions are potentially vulnerable.

Corrected software distributions are available from InterSystems. Remediation will require some downtime and possibly post-installation steps, depending on your current version and usage of InterSystems technology. A separate document that describes the remediation steps required is available from InterSystems Worldwide Response Center (WRC).

Any InterSystems product distribution that you receive after April 2, 2013 contains the corrections for this vulnerability.

For assistance with remediation, contact your Application Provider or InterSystems WRC by phone (+1 617-621-0700), e-mail (Support@InterSystems.com) or web (WRC.InterSystems.com).


February 20, 2013 – Security Alert: User Credentials phishing attack using malicious URL

Who is affected?

  • All customers that authenticate with a CSP based application, including InterSystems Management Portal, are at risk.
  • This vulnerability was first introduced in Caché 5.1.  It is present in all versions of Caché and Ensemble.
  • The risk is present for Caché and Ensemble on all platforms.

What is the risk of exposure?

HIGH

What is the nature of the vulnerability?

A malicious user can obtain user credentials by altering the URL of a CSP application and tricking a normal user into using the altered URL. This form of attack is commonly referred to as a phishing attack.

It is InterSystems policy not to communicate details of security vulnerabilities, in order to protect customer-deployed environments. If you are interested in more details related to this Security Alert, please contact InterSystems Worldwide Response Center (WRC).

Is a correction available?

A correction, identified as MAK3775, is available and will be included in all future releases and maintenance distributions.  The correction is also available via Ad Hoc distribution from the WRC.


February 13, 2013 – Security Alert: Two-Factor Authentication

Who is affected?

  • All customers that use two-factor authentication are at risk.
  • Two-factor authentication was first introduced in Caché and Ensemble 2010.1.
  • The risk is present for Caché, Ensemble and HealthShare on all platforms.

What is the risk of exposure?

LOW

What is the nature of the vulnerability?

Under rare and complex conditions a malicious user might gain access to the value of the security token used in Two Factor Authentication.

It is InterSystems policy not to communicate details of security vulnerabilities, in order to protect customer-deployed environments. If you are interested in more details related to this Security Alert, please contact InterSystems Worldwide Response Center (WRC).

Is a correction available?

A correction, identified as STC2178, is available and will be included in all future releases and maintenance releases. The correction is also available via Ad Hoc distribution from the WRC.

If you have any questions regarding this advisory, please contact InterSystems Worldwide Response Center (WRC).