2014 Support Alerts & Advisories


Advisory: TLS Exploit (a.k.a. POODLE attack variant)

December 11, 2014

The SSL 3.0 vulnerability recently documented as CVE-2014-3566 was extended on December 8, 2014 to cover some implementations of TLS as well (CVE-2014-8730).

For more details, please see:
https://www.us-cert.gov/ncas/alerts/TA14-290A

InterSystems has verified that the implementation of TLS used in its products – Caché, Ensemble, HealthShare and TrakCare – is not vulnerable.

If you have any questions regarding this advisory, please contact InterSystems Worldwide Response Center.


HealthShare Alert: Potential Unauthorized Data Display

October 28, 2014

InterSystems has discovered and corrected a defect in the web application technology used by the HealthShare portal and the Clinical Viewer. In rare circumstances, this defect can result in data being shared between separate user sessions. This could lead to (a) a user acquiring a different set of privileges and being able to access patient records they are not permitted to view, or (b) a user being presented with clinical data for a different patient in the Clinical Viewer.

The risk is low in typical configurations, but the defect affects all currently released HealthShare versions. It occurs only in environments using Microsoft Internet Information Server (IIS) version 7 and higher as the web server.

This fault occurs only after IIS has recycled one of its worker processes, so the likelihood of encountering it increases with how often IIS recycles worker processes. For example, frequent recycling can occur in configurations where the ‘Idle Timeout’ defined for the Application Pool is set to a low value, and in particular where the ‘Idle Timeout’ is lower than the application timeout configured in HealthShare. The settings controlling the recycling of worker processes can be found in the IIS control panel (Application Pool -> [Select Application Pool] -> Advanced Settings). If periodic recycling of worker processes is completely disabled in your IIS configuration, your installation will be unaffected by this issue, with the exception that IIS will always recycle a worker process that hangs or causes an unrecoverable error condition.

Please work with your system administrators to ensure IIS is configured to minimize any chance of this defect impacting your system and apply the patch available from InterSystems Worldwide Response Center (WRC).

InterSystems WRC can assist with reviewing the potential for this problem impacting your environment.

The correction for this defect is identified as CMT1273.  It will be included in upcoming HealthShare 2013.1 and 2014.1 maintenance releases, and is also available via Ad Hoc distribution from InterSystems WRC. If you have any questions regarding this advisory, please contact the Worldwide Response Center.


Alert: CSP Session ID Reuse with IIS 7+

October 28, 2014

InterSystems has discovered and corrected a defect that can result in CSP session IDs being shared by two users. More specifically, there are situations where a new user for an application will be allocated a CSP session ID that has already been allocated to, and in use by, another user. The impact of this defect is application-dependent, but one possible consequence is the incorrect display of application data belonging to the session of another user.

The defect is present in all currently released Caché, Ensemble, and HealthShare versions. It occurs only in environments with Microsoft Internet Information Server (IIS) version 7 and higher.

This fault occurs only after IIS has recycled one of its worker processes, so the likelihood of encountering it increases with how often IIS recycles worker processes. For example, frequent recycling can occur in configurations where the ‘Idle Timeout’ defined for the Application Pool is set to a low value. The settings controlling the recycling of worker processes can be found in the IIS control panel (Application Pool -> [Select Application Pool] -> Advanced Settings). If periodic recycling of worker processes is completely disabled in your IIS configuration, your installation will be unaffected by this issue, with the exception that IIS will always recycle a worker process that hangs or causes an unrecoverable error condition.
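
The two alerts above (HealthShare and CSP session ID reuse) both come down to how often IIS recycles a worker process. The following script is an added example, not InterSystems' code: it reads each Application Pool's Idle Timeout and recycle triggers through the WebAdministration module (IIS 7+, run elevated) and flags an Idle Timeout shorter than the application's own timeout. The $AppTimeoutSeconds default and the $PoolName filter are assumptions; set the former to the timeout you configured for the CSP or HealthShare application.

```powershell
param(
    # Assumed input: the session/application timeout (seconds) configured for the
    # HealthShare or CSP application; Idle Timeout values shorter than this are flagged.
    [int]$AppTimeoutSeconds = 900,
    # Empty = report on every application pool.
    [string[]]$PoolName = @()
)
Import-Module WebAdministration   # IIS 7+; run from an elevated PowerShell session

$pools = Get-ChildItem IIS:\AppPools
if ($PoolName.Count -gt 0) { $pools = $pools | Where-Object { $PoolName -contains $_.Name } }

foreach ($pool in $pools) {
    $p = Get-ItemProperty "IIS:\AppPools\$($pool.Name)"
    $idle     = [TimeSpan]$p.processModel.idleTimeout            # 00:00:00 means idle shutdown is off
    $periodic = [TimeSpan]$p.recycling.periodicRestart.time      # 00:00:00 means timed recycle is off
    $times    = @($p.recycling.periodicRestart.schedule.Collection | ForEach-Object { $_.value })
    $requests = [int]$p.recycling.periodicRestart.requests       # 0 means off
    $memory   = [int]$p.recycling.periodicRestart.privateMemory  # KB, 0 means off

    # Each finding is a setting that makes worker-process recycling, and so the fault, more likely.
    $findings = @()
    if ($idle.TotalSeconds -gt 0 -and $idle.TotalSeconds -lt $AppTimeoutSeconds) {
        $findings += "Idle Timeout $($idle.TotalMinutes) min is shorter than the application timeout $($AppTimeoutSeconds / 60) min"
    }
    if ($periodic.TotalMinutes -gt 0) { $findings += "timed recycle every $($periodic.TotalMinutes) min" }
    if ($times.Count -gt 0)           { $findings += "scheduled recycles at $($times -join ', ')" }
    if ($requests -gt 0)              { $findings += "recycle after $requests requests" }
    if ($memory -gt 0)                { $findings += "recycle at $memory KB private memory" }

    $summary = if ($findings.Count -gt 0) { $findings -join '; ' }
               else { 'no recycle triggers other than crash/hang recovery' }

    [pscustomobject]@{
        AppPool     = $pool.Name
        IdleTimeout = $idle
        Findings    = $summary
    }
}
```

A pool that reports no triggers still recycles on a hang or crash, as the alert notes, so the patch (CMT1273) is the actual fix; this check only narrows the exposure until it is applied.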

The correction for this defect is identified as CMT1273. It will be included in upcoming Caché, Ensemble, and HealthShare 2013.1 and 2014.1 maintenance releases, and is also available via Ad Hoc distribution from InterSystems Worldwide Response Center (WRC). If you have any questions regarding this advisory, please contact the Worldwide Response Center.


Advisory: SSL 3.0 Exploit (a.k.a. POODLE attack)

October 17, 2014

In response to the recently documented SSL 3.0 vulnerability (Reference: CVE-2014-3566), InterSystems advises customers to switch from using or requiring SSL 2.0 or SSL 3.0 and instead use only TLSv1.

InterSystems products support TLSv1, SSL 3.0 and SSL 2.0 for SSL/TLS. The SSL/TLS configuration can be controlled through the Management Portal (System > Security Management > SSL/TLS Configuration).

Furthermore, beginning with version 2014.2, InterSystems products will default for newly defined SSL/TLS configurations to only include TLSv1; SSL 3.0 will still be available as an option.

If you have any questions regarding this advisory, please contact the Worldwide Response Center.


Alert: Dejournaling Problem May Result in Missing Updates

July 16, 2014

InterSystems has corrected a defect that can impact data integrity. The defect is present in Caché, Ensemble, and HealthShare version 2013.1.0 and later.

This defect may cause some database modifications to be missed when journal files are applied to a database. The problem may occur on systems that are the target of data replication (via mirroring or shadowing), on systems recovering after an unplanned outage, or when databases are being restored from journal files.

The problem occurs rarely, and the exact circumstances depend on internal “race conditions” between several processes, so they are not easily characterized externally. There is no way to tell whether a system has been affected by this defect. However, on systems using mirroring or shadowing, the DATACHECK utility can be used to verify that the destination system accurately reflects the source.

The correction for this defect is identified as HYY1943. It will be included in all future releases of Caché, Ensemble, and HealthShare. The first release to include the correction will be 2014.1.2 which will be available no later than July 31st. The correction is also available via Ad Hoc distribution from InterSystems Worldwide Response Center (WRC). If you have any questions regarding this advisory, please contact the Worldwide Response Center.


Advisory: OpenSSL Security Advisory

June 17, 2014

The OpenSSL Project (http://www.openssl.org) recently released a security advisory on vulnerabilities in OpenSSL.

The affected OpenSSL libraries are included in the distribution of, and used by, most InterSystems products from version 2007.1 through the current release, 2014.1. OpenVMS and Mac OSX are the exceptions; InterSystems products on these platforms use the libraries installed with the operating system.

InterSystems strongly recommends that customers move to OpenSSL versions containing the corrections to the vulnerabilities as soon as possible. To ease this transition for our partners, InterSystems is taking the following steps:

  1. We have posted updated distributions of the latest maintenance release of all versions since 2011.1. The updated distributions include the corrected version of OpenSSL.
  2. We have posted versions of the corrected OpenSSL libraries, again for all versions since 2011.1, along with instructions that will install them in existing deployments. The list below shows the compatibility between corrected OpenSSL version and InterSystems version.

     OpenSSL   InterSystems
     1.0.0m    2011.1 through 2014.1
     0.9.8za   2007.1 through 2010.2

Installation of InterSystems products can result in OpenSSL libraries being placed in multiple locations. For example, the CSP Gateway uses SSL and the Gateway is often installed on a server separate from the primary InterSystems installation. The installation instructions detail the locations that need to be considered.
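
Because an installation can hold several copies of the OpenSSL libraries (the CSP Gateway being the example given above), an inventory is the first step before patching. The script below is an added example, not InterSystems' code or their installation instructions: it walks the given roots, reads the version string embedded in each library binary, and compares it with the corrected version for the product series from the table above. The install root, the library file name patterns and the "OpenSSL x.y.zL" string format are assumptions.

```powershell
param(
    [string[]]$Root = @('C:\InterSystems'),   # assumed install root(s); add the CSP Gateway's too
    [ValidateSet('2007.1-2010.2', '2011.1-2014.1')][string]$Series = '2011.1-2014.1'
)
# Corrected versions from the advisory table, keyed by InterSystems product series.
$required = @{ '2007.1-2010.2' = '0.9.8za'; '2011.1-2014.1' = '1.0.0m' }[$Series]
# Assumed library file names: Windows builds (libeay32/ssleay32) and Unix shared objects.
$libNames = 'libeay32.dll', 'ssleay32.dll', 'libssl*', 'libcrypto*'

# Within one numeric series OpenSSL letter releases sort ordinally (0.9.8y < 0.9.8za < 0.9.8zb).
# Returns $true/$false for the same series, $null when the series differs from the table.
function Test-OpenSslUpToDate([string]$Found, [string]$Required) {
    $f = [regex]::Match($Found,    '^(\d+\.\d+\.\d+)([a-z]*)$')
    $r = [regex]::Match($Required, '^(\d+\.\d+\.\d+)([a-z]*)$')
    if (-not $f.Success -or $f.Groups[1].Value -ne $r.Groups[1].Value) { return $null }
    return ([string]::CompareOrdinal($f.Groups[2].Value, $r.Groups[2].Value) -ge 0)
}

Get-ChildItem -Path $Root -Recurse -File -Include $libNames -ErrorAction SilentlyContinue |
  ForEach-Object {
    # OpenSSL binaries carry a text such as "OpenSSL 1.0.0m 5 Jun 2014"; take the first occurrence.
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($_.FullName))
    $m = [regex]::Match($text, 'OpenSSL (\d+\.\d+\.\d+[a-z]*)')
    $version = if ($m.Success) { $m.Groups[1].Value } else { 'unknown' }
    $ok = Test-OpenSslUpToDate $version $required
    $status = if ($version -eq 'unknown') { 'no version string found; review manually' }
              elseif ($null -eq $ok)      { 'series not in advisory table; review manually' }
              elseif ($ok)                { 'OK' }
              else                        { "UPDATE to $required" }
    [pscustomobject]@{ Path = $_.FullName; OpenSSL = $version; Status = $status }
  }
```

Run it once per product series you have installed; every path reported as UPDATE is a location the installation instructions have to cover.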

Distributions and instructions can be found at:
https://wrc.intersystems.com/wrc/Distribution.csp

Installation instructions are named: openssl_installation_instructionspatch-all.txt

Distributions of updated libraries are named according to the convention: openssl-version-platform.extension; for example, “openssl-2014.1.1.702.1-lnxsuse10x64.tar.gz”.

Note that distribution files are named for the most recent ISC maintenance release of a major version. These distributions are compatible with all releases of that major version; for example, 2011.1.6.1001.4 is compatible with 2011.1.0 through 2011.1.6.

If you have any questions regarding this advisory, please contact the Worldwide Response Center.


Alert: Incorrect $BIT Rollback over ECP

May 21, 2014

InterSystems has corrected a defect that can lead to $BIT operations over ECP being rolled back incorrectly.

This defect is present on all releases of Caché, Ensemble, and HealthShare prior to 2013.1.6. This defect only affects deployments that use ECP; other deployments are not affected.

As a result of this defect, if a $BIT operation originates on an ECP application server and occurs in a transaction, it may, on rollback under rare conditions, be rolled back to the wrong value. This can impact bitmap indices as well as any application-specific use of $BIT.

The correction for this defect is identified as SJ2941 and is included in Caché, Ensemble, and HealthShare as of 2013.1.6 and 2014.1.0, and is also available via Ad Hoc distribution from InterSystems Worldwide Response Center (WRC). If you have any questions regarding this alert, please contact the Worldwide Response Center.


Advisory: Calculation Error in InterSystems Optimization (Itanium Platforms only)

May 21, 2014

InterSystems has corrected a defect that causes incorrect calculation on Itanium platforms. The defect is present in InterSystems assembly optimizations targeted to Itanium platforms.

This defect is present on all currently released versions of Caché, Ensemble, and HealthShare. It is limited to Itanium platforms.

Specifically, the problem can occur when adding to a local or global variable that has the value 2147483647 (that is, 2**31-1). The problem does not occur for every such operation but depends on preceding activity. See the following example:

>set test=2147483646
>write test set test=test+1
2147483646
>write test set test=test+1
2147483647
>write test
6917529029788565504

Furthermore, it is the addition itself that fails, so even an operation such as

>if test+1>xyz …

may experience the failure.

The correction for this defect is identified as JLC1792 and will be included in upcoming release 2014.1.2 of Caché, Ensemble, and HealthShare. It is also available via Ad Hoc distribution from InterSystems Worldwide Response Center (WRC). If you have any questions regarding this advisory, please contact the Worldwide Response Center.


Alert: Data Integrity Problem in Dejournaling

May 20, 2014

InterSystems has corrected several defects that can only occur in rare circumstances but can impact data integrity.

The defects are present in Caché, Ensemble, and HealthShare from version 2012.2.0 through 2013.1.4, on all platforms and operating systems.

These defects can, in rare circumstances, lead to data inconsistency or database corruption when data from journal files is applied to a database. This impacts systems that are the destination of replication via shadowing or mirroring, or databases being restored from journals. The risk to journal recovery following a system crash is believed to be negligible, and transaction rollback is not affected.

InterSystems recommends upgrading systems to a product version that includes the corrections listed below.

The corrections for these defects are HYY1881, HYY1902, and HYY1904. They are included in Caché, Ensemble, and HealthShare as of 2013.1.5 and 2014.1.0, and are also available via Ad Hoc distribution from InterSystems Worldwide Response Center (WRC). If you have any questions regarding this advisory, please contact the Worldwide Response Center.


Alert: Locking and Shared Memory Corruption

May 20, 2014

InterSystems has corrected two defects with locking that, in rare circumstances, can cause shared memory corruption of lock structures. This condition can potentially lead to process failures and hung environments. These defects exist for Caché, Ensemble, and HealthShare.

All platforms and operating systems are at risk. These defects have existed in releases of Caché beginning with version 5.0.

The corrections, identified as SML1819 and SML1847, are both included in Caché, Ensemble, and HealthShare as of 2013.1.6 and 2014.1.1 (to be released shortly). To address the risk of these defects, InterSystems recommends upgrading to these versions.

The corrections are also available via Ad Hoc distribution from InterSystems Worldwide Response Center (WRC). If you have any questions regarding this alert, please contact the Worldwide Response Center.