Notified:  September 27, 2007 Updated: December 19, 2007

Status

Affected

Vendor Statement

Created: December 14, 2007 Applies to: Prolog Manager (All versions) This bulletin applies to any customer who currently uses any version of Meridian’s Prolog Manager product. Issue Details Meridian has become aware of a security vulnerability within Prolog Manager that could impact sections of the Prolog user community. This vulnerability concerns the method by which Prolog Manager handles password information. There is a risk that password data could be intercepted and under certain circumstances a malicious internal user with cryptographic knowledge could determine the content of a user’s password. It is important to note that this vulnerability would only allow password data to be intercepted by internal users with network access, and customers who have a correctly configured firewall in their environment remain protected from external threats. Meridian recognizes that this security vulnerability must be addressed as a matter of urgency, and as such we are working towards resolving the problem as quickly as possible. Who may be affected This issue could affect all users of Prolog Manager who access the application over a network. Immediate Recommendations Ensure that you are using Prolog’s ‘Enhanced Encryption’ option, which requires the greatest level of cryptography knowledge to circumvent. To use the ‘Enhanced Encryption’ option in Prolog Manager, please do the following: Under the Options tab of Security Manager, select the 'Use Enhanced Encryption' option, and then click the Save button to complete the operation. Please note that once this option is selected, you will be unable to switch back to using Standard Encryption. Ensure that your firewall is active and configured appropriately to protect your network infrastructure from attacks from external sources. Ensure that all Prolog users are using a ‘robust’ password of no less than 8 characters consisting of a combination of letters (upper and lower case), numbers and special characters. (This will make it much more difficult for malicious users to determine the value of any password they managed to intercept) Product Enhancements Meridian has identified the following product enhancements which it will implement as soon as possible in order to rectify the way in which password data is currently handled in Prolog Manager: All existing password encryption options will be replaced with the SHA-1 (Secure Hash Algorithm) encryption format. a) The upgrade process on a Prolog database will migrate existing password data to the new SHA-1encrypted format. b) SHA-1 is a one-way digest, which means that it cannot be reversed to get the original password under any circumstances. Prolog’s application logic will be amended to do the following: a) Only SHA-1 encrypted passwords will be passed when Prolog needs to transfer password data from the client to the database server. b)A revised method will be implemented for setting and changing passwords to ensure password information will never be read directly from the database. Once the above enhancements have been completed, Meridian will immediately make security patches available for Prolog 7.5 SP3, Prolog 2007, Prolog 2007 R1 and Prolog 2007 R2 for implementation by our customers. The enhancements will also be included as part of our next major release, Prolog 2008, scheduled to be available in the first half of 2008. Contacting Meridian Systems If you require any further information on this issue, please contact Meridian Systems Support Services by using any of the following methods: Email: support@meridiansystems.com Fax: 916 294-2001 Telephone: 916 294-2100 Internet: http://www.meridiansystems.com/services/support/index.asp The Meridian Systems SupportLink includes a technical knowledge base, answers to frequently asked questions, technical documentation and a form to submit specific support requests 24 hours a day, 365 days a year. Mail: Meridian Systems Attn: Support Services 1720 Prairie City Road, Suite 120 Folsom, CA 95630 THE INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MERIDIAN SYSTEMS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MERIDIAN SYSTEMS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MERIDIAN PROJECT SYSTEMS CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Did you find this document helpful? Send your comments to doc@meridiansystems.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.