Security Notice CVE-2024-1403 (Resolved)

Some customers are still asking questions about a security risk identified as CVE-2024-1403. To address these queries effectively, we have detailed our approach to investigating and resolving this issue.

Issue Not Applicable

The CSIRT (CSIRT-DSP Ministry of Economic Affairs and Climate) alerted us to the use of Progress OpenEdge 11.7, which contains a potential security vulnerability. Following this notification, we conducted an investigation and were able to demonstrate that the vulnerable component in question is not in use by us. Therefore, our MKG environments are not susceptible to the CVE-2024-1403 issue.

Component Updated for Clarity

Nevertheless, we replaced the vulnerable component with the new version that addresses the issue. This update was implemented starting with version 005.077.008, ensuring that the component is up to date and secure, even though it is not in use. This change is also documented in the release notes for this version: Release Notes.

Full Upgrade to OpenEdge 12

Prior to receiving this notification, we had already been working on implementing Progress OpenEdge 12. The upgrade for all customers to this version is scheduled for after this summer. This will phase out version 11.7 completely, removing any references to it in our environments.

We hope this provides sufficient information for clarification. However, if there are still any questions, we are, of course, here to help.

Technical Details from Our Investigation

Progress Software described the following vulnerabilities in article CVE-2024-1403:

A: “Actions provided by OpenEdge OEE/OEM when utilized through an AdminService are subject to the vulnerability.”

  • MKG: The OEE/OEM (OpenEdge Explorer or OpenEdge Manager) is not included in the MKG 5 model and is not installed.

B: “OpenEdge Database access through OEAG (including access through SQL Server and DataServer schema holders), DB CLI utilities, OEAG utilities, OEE/OEM, and PASOE when using the OpenEdge Authentication Gateway (OEAG) for authentication with an OpenEdge domain configured for OS local logins.”

  • MKG: The OEE/OEM (OpenEdge Explorer or OpenEdge Manager) is not included in the MKG 5 model and is not installed.

After thorough investigation, we decided to apply the patch for CVE-2024-1403 for our customers.

  • NOTE: The single library replacement of the “auth.dll” artifact will resolve the CVE-2024-1403 vulnerability for both the AdminServer and the OEAG simultaneously.