COMPUTING AND TECHNOLOGY SERVICES

Computing Alerts and Announcements

SPSS Contract Renewal Update & Downtime (posted 06/30/2014 2:30 PM)

Negotiations between IBM and SUNY for the renewal of the SPSS contract were just finalized this morning (6/30/14). The previous license server (spss.itec.suny.edu) will be unavailable starting tomorrow, July 1, 2014. As a result of the terms of the new contract, SUNY is required to change its license server model. Academic and administrative users can no longer point to a single license manager server. ITEC is awaiting license keys from IBM and is working diligently to enable the license servers to provide continuity of the service. As soon as ITEC has the new license servers in place, Computing & Technology Services will work to point campus workstations to the appropriate server. Until both of these steps are completed, SPSS users may experience downtime. We apologize, understanding that this is short notice and disruptive to our end users. Please understand the contracts team has negotiated the new agreement to best meet the needs of SUNY and resulted in a last-minute procurement.

Network File Server Issues Resolved (posted 06/18/2014 2:15 PM)

The issues experienced earlier with one of our network file servers - bscappm1 - have been resolved.

We apologize for the inconvenience. Thank you for your patience.

Faculty/Staff E-mail Issues Resolved (posted 05/22/2014 9:54 AM)

The issues that we experienced earlier this morning with faculty/staff e-mail have been resolved.

We apologize for the inconvenience. Thank you for your patience.

Information related to the Internet Explorer security vulnerability (posted 04/29/14 1:15PM)

Please be aware of a new Internet Explorer vulnerability that affects ALL versions of IE. The Department of Homeland Security is currently advising people to steer clear of IE until the vulnerability has been patched and your computer is updated. Computing & Technology Services will push out this patch as soon as it is available.

In the meantime, you should be cautious about using IE for anything except internal or our own web services such as Banner, Blackboard or other trusted sites.  Chrome is recommended for accessing other/outside websites.  Since your default browser opens when you click a link in a document or email, you may want to make Chrome your default until a fix is released.  To do this, start Chrome, click on the menu icon in the upper right corner, select “Settings” and click on the option to make Chrome your default browser.

For more information, see: http://www.cnet.com/news/stop-using-ie-until-bug-is-fixed-says-us/?ttag=fbwl

Update: Banner registration issue resolved (posted 04/15/14 8:53AM)

The Banner issue that prevented students from registering for classes early this morning has been resolved. If you experienced this problem, please log out of Banner, log back in and then try again. If you encounter any errors when attempting to register, please report them to the Help Desk at chd@buffalostate.edu.

Note regarding registration restrictions: If you're unable to get into a class due to a restriction of some sort (e.g. major, class, prerequisite), you'll receive an error message (and a copy of the error will be sent to your student email account). To address the restriction, you'll need to forward a copy of this email to your advisor for review, or contact the instructor directly. If the instructor decides to grant the override, you'll need to go back into Banner and add the course.

Information related to the Heartbleed Internet security vulnerability (posted 04/11/14 9:00PM)

ABOUT HEARTBLEED

Heartbleed (CVE-2014-0160) is an OpenSSL bug that has been present since March 2012 (the release of OpenSSL 1.0.1) but was revealed publicly only this week.  It is a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520): a peer can claim a payload length larger than the heartbeat it actually sent, and a vulnerable OpenSSL copies that many bytes from its own memory into the reply.  No authentication is needed, and either end of a connection can attack the other, so a malicious client can read a vulnerable server's memory and a malicious server can read a vulnerable client's.  This issue should be considered extremely critical due to its impact, long exposure, ease of exploitation, the absence of application logs indicating an exploit attempt, and the widespread availability of exploit code.  Each request reveals up to 64 KB of memory; the attacker cannot choose which 64 KB, but can keep reconnecting, or keep issuing heartbeats over an active TLS (Transport Layer Security) connection, for as many chunks as it takes to find private keys, session cookies, or credentials.
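The bug in miniature, as an added example written for this page (this is a self-contained model, not OpenSSL's source; the secret string, the buffer layout and the function names are constructed for the demonstration).  OpenSSL's real TLS handler is tls1_process_heartbeat in ssl/t1_lib.c; the model keeps the same record layout (type, 16-bit payload length, payload, at least 16 bytes of padding) and shows the two code paths side by side: the 1.0.1f handler that trusts the length field from the wire, and the 1.0.1g handler with the added bounds check.  A simulated heap places unrelated process data a few bytes past the received record, so the over-read is deterministic and stays inside one allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16                          /* RFC 6520: at least 16 bytes of padding */
#define HEAP_SIZE   (65536 + 64)                /* simulated process memory (constructed) */
#define RESP_CAP    (1 + 2 + 65535 + HB_PADDING) /* largest possible heartbeat reply */

/* Constructed sample data that happens to sit near the received record. */
static const char SECRET[] = "user=alice&password=hunter2";

/* Record layout on the wire: type(1) | payload_length(2, big-endian) | payload | padding.
 * rec points at the record, rec_len is how many bytes were really received.
 * Each handler writes a reply into out and returns its length, 0 if discarded. */

/* Model of OpenSSL 1.0.1 .. 1.0.1f: payload_length comes from the peer's record
 * and is never compared with rec_len, so memcpy walks off the end of it. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char *bp = out;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    p += 2;
    (void)rec_len;                              /* the bug: the real length is ignored */
    if (hbtype != HB_REQUEST) return 0;
    if (resp_len > out_cap) return 0;           /* keeps the model itself in bounds */
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);                     /* copies whatever follows the record */
    memset(bp + payload, 0, HB_PADDING);        /* OpenSSL uses random padding here */
    return resp_len;
}

/* Model of OpenSSL 1.0.1g: the two length checks the fix added. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec;
    unsigned char *bp = out;
    unsigned char hbtype;
    uint16_t payload;
    size_t resp_len;
    if (1 + 2 + HB_PADDING > rec_len) return 0; /* too short to hold a heartbeat */
    hbtype = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0; /* silently discard (RFC 6520 s.4) */
    if (hbtype != HB_REQUEST) return 0;
    resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);                     /* now provably inside the record */
    memset(bp + payload, 0, HB_PADDING);
    return resp_len;
}

/* Stages one request in the simulated heap and runs the chosen handler.
 * claimed_len is what the peer writes in payload_length; real_payload is what
 * it actually sends.  Returns the number of reply bytes the server would emit. */
size_t run_heartbeat(int fixed, uint16_t claimed_len, const char *real_payload,
                     unsigned char *resp, size_t resp_cap)
{
    static unsigned char heap[HEAP_SIZE];
    size_t real_len = strlen(real_payload);
    size_t rec_len = 1 + 2 + real_len + HB_PADDING;
    if (rec_len + 64 + sizeof SECRET > sizeof heap) return 0;
    memset(heap, 'A', sizeof heap);             /* stale contents of the buffer */
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + 3, real_payload, real_len);
    memset(heap + 3 + real_len, 0, HB_PADDING);
    memcpy(heap + rec_len + 64, SECRET, sizeof SECRET); /* neighbouring process data */
    return fixed ? heartbeat_fixed(heap, rec_len, resp, resp_cap)
                 : heartbeat_vulnerable(heap, rec_len, resp, resp_cap);
}

/* Byte-string search (memmem is not portable C). */
int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle), i;
    for (i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Convenience wrappers with an internal reply buffer. */
static unsigned char last_resp[RESP_CAP];

size_t heartbeat_response_len(int fixed, uint16_t claimed_len, const char *real_payload)
{
    return run_heartbeat(fixed, claimed_len, real_payload, last_resp, sizeof last_resp);
}

int heartbeat_leaks_secret(int fixed, uint16_t claimed_len, const char *real_payload)
{
    size_t n = heartbeat_response_len(fixed, claimed_len, real_payload);
    return contains(last_resp, n, SECRET);
}

int main(void)
{
    printf("honest request (claimed 3), vulnerable code: %zu bytes\n",
           heartbeat_response_len(0, 3, "hi!"));                /* 22 */
    printf("claimed 65535, vulnerable code: %zu bytes, secret leaked: %s\n",
           heartbeat_response_len(0, 65535, "hi!"),            /* 65554 */
           heartbeat_leaks_secret(0, 65535, "hi!") ? "yes" : "no");
    printf("claimed 65535, fixed code: %zu bytes (request discarded)\n",
           heartbeat_response_len(1, 65535, "hi!"));            /* 0 */
    return 0;
}
```

The honest request is 22 bytes in and 22 bytes out under both handlers; the 65535-byte claim makes the vulnerable handler send back 65554 bytes, including the neighbouring "secret", while the fixed handler drops the request without replying, which is also why a vulnerable host answers the filippo.io test and a patched one does not.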

What is affected that Buffalo State hosts or manages?

The servers below were running a vulnerable version of OpenSSL and have been patched and tested.  Note also that all Linux systems managed by Computing and Technology Services receive daily patches from the Oracle Unbreakable Linux Network.  The version strings in the table are package versions: Oracle, like Red Hat, shipped the Heartbleed fix as an update to its 1.0.1e package rather than moving to 1.0.1g, so the output of "openssl version" alone does not tell you whether a host is patched.  Check the package changelog for CVE-2014-0160 (for example, rpm -q --changelog openssl) and confirm that the affected services were restarted after the update.

Machine                      OpenSSL ver.   Patched and restarted   Tested @ http://filippo.io/Heartbleed
eprint01.buffalostate.edu    1.0.1e-16      patched / restarted     tested OK
bsclib02.buffalostate.edu    1.0.1e-16      patched / restarted     tested OK
libdev.buffalostate.edu      1.0.1e-16      patched / restarted     tested OK
webcts01.buffalostate.edu    1.0.1e-16      patched / restarted     tested OK
sareports.buffalostate.edu   1.0.1e-16      patched / restarted     tested OK

What is affected that SUNY ITEC hosts or manages?

All hosted systems at ITEC are protected by ITEC's Dell SecureWorks iSensor IDS/IPS.  The IDS/IPS contains a signature for Heartbleed attacks called 50174 VID59478 OpenSSL TLS/DTLS Large Heartbeat Response.  A network signature reduces exposure but does not change the library on the hosts behind it, so those systems still need the OpenSSL update and a service restart.

RECOMMENDED ACTIONS


For users:

It is good practice to change your Web account passwords regularly, and this vulnerability only underscores that.   Although some media outlets suggest waiting until Web companies have patched/upgraded their servers before changing your password, the fix was made available on Monday (4/7), so most of them are likely to have done so by now.  Change your passwords now (including your Buffalo State network password) and make it a habit to change passwords often.

For server administrators (or anyone running a Linux Web server):

This vulnerability is fixed in OpenSSL version 1.0.1g.  According to the OpenSSL advisory, the 1.0.2 branch will be fixed in 1.0.2-beta2.  Upgrade immediately, then restart every service that had the old library loaded (web servers, mail servers, VPN and database daemons); a patched library on disk does nothing for a process that is still running with the vulnerable copy mapped.

Products that use OpenSSL libraries, such as SSL termination devices, load balancers, secure web gateways, web application firewalls, and other embedded devices, may also be vulnerable.  Clients should coordinate vulnerability status and mitigation steps with the appropriate vendors.

After patching, treat the primary key material used by a vulnerable TLS service (X.509 certificates and their private keys) as compromised: generate new keys, obtain and deploy new certificates, then revoke the old ones.  Do this only after the service is patched, since a key installed on a still-vulnerable server can simply be read out again.  In addition, consider the secondary key material that passed through the vulnerable endpoint, such as usernames and passwords: reset passwords and encryption keys, and invalidate and reissue any exposed session keys and session cookies.

What versions of the OpenSSL are affected?

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

LINKS

http://heartbleed.com/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

http://sseguranca.blogspot.com/2014/04/heartbleed-ssl-bug.html

http://filippo.io/Heartbleed <-- Test to see if a Web server is vulnerable to Heartbleed
