InterSystems has corrected a security defect that an attacker could exploit to gain complete control of a system through the CSP Gateway.

This vulnerability

· exists only for the CSP Gateway components distributed with Caché and Ensemble versions 2009.1, 2009.1.1 and 2009.1.2, including Ad Hoc distributions based on these versions.

· is only present on Windows XP and Windows 2000, including all their service packs.

· is only present when using Apache Web Server versions 2 or 2.2. No other Web Servers are at risk.

Additionally, CSP Gateway components are backwards compatible and some sites have chosen to run an older version of Caché or Ensemble with a newer version of the Gateway component. Since the vulnerability exists in the CSP Gateway, this scenario effectively backports the vulnerability to an older version. If doubts exist about the version of CSP Gateway in use, you can check it in the System Management Portal under System Administration -> Configuration-> Connectivity -> CSP Gateway Management.

The vulnerable CSP Gateway versions are:

2009.1.0.*

2009.1.1.*

2009.1.2.*

A correction for this vulnerability for both Caché and Ensemble is available at:

ftp://ftp.intersystems.com/pub/cache/patches/CSP_Gateway_Security_Alert.zip

The .zip file contains four .dll files. There are two files applicable to each at-risk Apache version:

Apache 2.0:
CSPa2.dll
CSPa2Sys.dll

Apache 2.2:
CSPa22.dll
CSPa22Sys.dll

Select the appropriate two files based on the Apache version the system uses. Replace the existing files with the supplied files in the environment where the CSP Gateway is installed.

These files can normally be found:

· under the Caché or Ensemble directory in: <cachedir>\CSP\bin or <ensembledir>\CSP\bin

OR

· c:\Program Files\Apache Software Foundation\Apache<version>\CSPGateway

Once the new .dlls are in place the CSP Gateway version should display as:

2009.1.3.*

For reference: this correction is identified internally as CMT781. This correction will be included in the upcoming 2009.1.3 Maintenance Release and all subsequent releases. If you have further questions regarding this, please contact the InterSystems Worldwide Response Center (WRC) - support@intersystems.com. This is an announcement mailing list for Cache'.
Cache' news, release information, and support issues from



http://writeimagejournal.com - InterSystems Russia Technology Blog.

http://writeimagejournal.com/forum - InterSystems Russia Technology Community.