OpenSSL TLS heartbeat extension read overflow discloses sensitive information

Overview

OpenSSL 1.0.1 and 1.0.2 beta contain a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as “heartbleed.”

Description

OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2 beta through 1.0.2-beta1 contain a flaw in its implementation of the TLS/DTLS heartbeat functionality (RFC6520). This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL libssl library in chunks of up to 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to increase the chances that a leaked chunk contains the intended secrets. The sensitive information that may be retrieved using this vulnerability include:

* Primary key material (secret keys)
* Secondary key material (user names and passwords used by vulnerable services)
* Protected content (sensitive data used by vulnerable services)
* Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Please see the Heartbleed website for more details. Exploit code for this vulnerability is publicly available. Any service that supports STARTTLS (imap,smtp,http,pop) may also be affected.

Impact

By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.

---

Solution

Apply an update

This issue is addressed in OpenSSL 1.0.1g. Please contact your software vendor to check for availability of updates. Any system that may have exposed this vulnerability should regenerate any sensitive information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items. Old keys should be revoked.

Reports indicate that the use of mod_spdy can prevent the updated OpenSSL library from being utilized, as mod_spdy uses its own copy of OpenSSL. Please see <https://code.google.com/p/mod-spdy/issues/detail?id=85&gt; for more details.

---

Disable OpenSSL heartbeat support

This issue can be addressed by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Software that uses OpenSSL, such as Apache or Nginx would need to be restarted for the changes to take effect.

Use Perfect Forward Secrecy (PFS)

PFS can help minimize the damage in the case of a secret key leak by making it more difficult to decrypt already-captured network traffic. However, if a ticket key is leaked, then any sessions that use that ticket could be compromised. Ticket keys may only be regenerated when a web server is restarted.

---

Vendor Information

720951

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Amazon Affected

Updated: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/&gt;

Arch Linux Affected

Updated: April 15, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://bugs.archlinux.org/task/39775&gt;

Aruba Networks, Inc. Affected

Updated: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.arubanetworks.com/support/alerts/aid-040814.asc&gt;

Attachmate __ Affected

Updated: April 29, 2014

Status

Affected

Vendor Statement

`Some Attachmate products with specific versions are affected by the
CVE-2014-0160 OpenSSL ‘Heartbleed’ vulnerability when TLS protocol
connections are used. All affected products now have either new versions
or hot fixes available.

Attachmate maintains the following technical note about affected and
non-vulnerable versions:
<http://support.attachmate.com/techdocs/2724.html&gt;

In addition, Security Updates technical notes are also available for
specific
products:
Security Updates and Reflection for the Web or Reflection Security Gateway
<http://support.attachmate.com/techdocs/1704.html&gt;
Security Updates and Reflection
<http://support.attachmate.com/techdocs/1708.html&gt;
Security Updates and Reflection for Secure IT
<http://support.attachmate.com/techdocs/2288.html&gt;
Security Updates and EXTRA!
<http://support.attachmate.com/techdocs/2501.html&gt;
Security Updates and Reflection 2014 or Reflection 2011
<http://support.attachmate.com/techdocs/2502.html&gt;
Security Updates and INFOConnect
<http://support.attachmate.com/techdocs/2546.html&gt;
Security Updates and Verastream
<http://support.attachmate.com/techdocs/2700.html&gt;`

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://support.attachmate.com/techdocs/2724.html&gt;
• <http://support.attachmate.com/techdocs/1704.html&gt;
• <http://support.attachmate.com/techdocs/1708.html&gt;
• <http://support.attachmate.com/techdocs/2288.html&gt;
• <http://support.attachmate.com/techdocs/2501.html&gt;
• <http://support.attachmate.com/techdocs/2502.html&gt;
• <http://support.attachmate.com/techdocs/2546.html&gt;
• <http://support.attachmate.com/techdocs/2700.html&gt;

Bee Ware __ Affected

Updated: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

i-Suite versions 5.4.0 and above, up to version 5.5.4, are vulnerable. Versions 5.2.8 and 5.3.x are not vulnerable.

Vendor References

• <http://documentation.bee-ware.net/display/SECU/CVE-2014-0160+-+OpenSSL+Heartblee
  d+Bug>

Blue Coat Systems Affected

Notified: April 08, 2014 Updated: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• http://kb.bluecoat.com/index?page=content&id=SA79

CA Technologies Affected

Notified: April 08, 2014 Updated: April 25, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={967F13F1-5720-4592-9BEB-42AD69EA14DC}&gt;
• <https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={7EBD736F-0227-4AEB-A7A9-9C5A4EA449C3}&gt;

Cisco Systems, Inc. Affected

Notified: April 08, 2014 Updated: April 10, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed&gt;

Debian GNU/Linux Affected

Notified: April 08, 2014 Updated: April 08, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.debian.org/security/2014/dsa-2896&gt;

Extreme Networks __ Affected

Notified: April 08, 2014 Updated: April 16, 2014

Status

Affected

Vendor Statement

The following products and versions are affected by the VU#720951 OpenSSL vulnerability.

ExtremeXOS version 15.4.1.x - A patch update for ExtremeXOS 15.4.1.3-patch1-10 or higher is available for download

64 bit (Ubuntu) NetSight Appliance version 4.4, 5.0, 5.1 and 6.0 - A patch update is currently available for 4.4, 5.0, 5.1 and 6.0

64 bit (Ubuntu) NAC Appliance version 5.0, 5.1 and 6.0 - A patch update is currently available for 5.0, 5.1 and 6.0.

64 bit (Ubuntu) Purview Appliance version 6.0 - A patch update is currently available.

Note: Please contact the Extreme Networks Global Technical Assistance Center (GTAC) for access to the patch in the event not found on the Extreme Networks support site.

Extreme Networks has also published the below advisory on its website. Please refer the same for additional information.
<http://learn.extremenetworks.com/rs/extreme/images/CERT_VU%23720951_Vulnerability_Advisory_04_11_2014v2.pdf&gt;

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://learn.extremenetworks.com/rs/extreme/images/CERT_VU%23720951_Vulnerability_Advisory_04_11_2014v2.pdf&gt;

F5 Networks, Inc. Affected

Notified: April 08, 2014 Updated: April 09, 2014

Statement Date: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217&gt;

Fedora Project Affected

Notified: April 08, 2014 Updated: April 08, 2014

Statement Date: April 08, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://rhn.redhat.com/errata/RHSA-2014-0376.html&gt;

Fortinet, Inc. __ Affected

Notified: April 08, 2014 Updated: April 09, 2014

Statement Date: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We have determined that the following products are vulnerable:

FortiGate (FortiOS) 5.0 and higher
FortiAuthenticator 3.0 and higher
FortiMail 5.0 and higher
FortiVoice (all versions)
FortiRecorder (all versions)

Vendor References

• <http://www.fortiguard.com/advisory/FG-IR-14-011/&gt;

FreeBSD Project __ Affected

Notified: April 08, 2014 Updated: April 09, 2014

Statement Date: April 08, 2014

Status

Affected

Vendor Statement

FreeBSD 10.0-RELEASE, 10.0-STABLE and 11.0-CURRENT have been patched

for this issue (CVE-2014-0160/VU #720951), both in source and binary
(via freebsd-update) forms. Earlier FreeBSD releases are not affected
by this issue.

Vendor References

• <http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc&gt;

Gentoo Linux Affected

Notified: April 08, 2014 Updated: April 08, 2014

Statement Date: April 08, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml&gt;

Global Technology Associates, Inc. __ Affected

Notified: April 08, 2014 Updated: April 23, 2014

Statement Date: April 23, 2014

Status

Affected

Vendor Statement

We have determined that GTA firewalls running the following versions of GB-OS are vulnerable and should be upgraded to the indicated version.

GB-OS version 6.1.0 to 6.1.5 are vulnerable and should upgrade to GB-OS 6.1.6
GB-OS version 6.0.0 to 6.0.7 are vulnerable and should upgrade to GB-OS 6.0.8

Customers using GTA firewalls with an unsupported version of GB-OS should upgrade to a currently supported version.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google __ Affected

Notified: April 08, 2014 Updated: April 23, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html&gt;
• <https://groups.google.com/forum/?_escaped_fragment_=topic/mod-spdy-discuss/EwCowyS1KTU#!topic/mod-spdy-discuss/EwCowyS1KTU&gt;

Addendum

mod_spdy is affected, as are some versions of the Google Search Appliance GSA 7.0.14.G.212 addresses this issue.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23720951 Feedback>).

Hewlett-Packard Company Affected

Notified: April 08, 2014 Updated: May 02, 2014

Statement Date: April 14, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://h17007.www1.hp.com/docs/advisories/HPNetworkingSecurityAdvisory-OpenSSL-HeartbleedVulnerability.pdf&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04236102&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04236062&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04239375&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04239372&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04240206&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04242672&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04239374&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04250814&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04248997&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04255796&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04260353&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04260456&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04260505&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04262472&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04262670&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04261644&gt;
• <https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04239375&gt;

Hitachi __ Affected

Notified: April 08, 2014 Updated: May 27, 2014

Statement Date: April 16, 2014

Status

Affected

Vendor Statement

`Hitachi has published the below advisory on its website. Please refer
the advisory for additional information. This advisory includes
Hitachi products for Industrial Control Platform.

HIRT-PUB14005: OpenSSL TLS heartbeat extension read overrun issue in
Hitachi products (VU#720951, CVE-2014-0160)
<http://www.hitachi.com/hirt/publications/hirt-pub14005/index.html&gt;`

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.hitachi.com/hirt/publications/hirt-pub14005/index.html&gt;

IBM Corporation Affected

Notified: April 08, 2014 Updated: April 15, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc&gt;
• http://www-01.ibm.com/support/docview.wss?&uid=swg21669774

Intel Corporation Affected

Notified: April 08, 2014 Updated: April 15, 2014

Statement Date: April 15, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00037&languageid=en-fr

Juniper Networks, Inc. Affected

Notified: April 08, 2014 Updated: April 09, 2014

Statement Date: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://kb.juniper.net/JSA10623&gt;

Mandriva S. A. Affected

Notified: April 08, 2014 Updated: April 07, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

MarkLogic Corporation __ Affected

Updated: April 15, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

`Recently a serious security vulnerability was discovered in the OpenSSL
cryptographic software
library. MarkLogic application servers can be configured to use SSL, and
MarkLogic uses OpenSSL to
provide this capability. A patch to OpenSSL has been released to address
this vulnerability, and
MarkLogic has built patches for all impacted MarkLogic versions with
OpenSSL 1.0.1g to incorporate
this new fix.

Impacted Versions

The following versions of MarkLogic are impacted by this vulnerability:

· MarkLogic 5.0-5 through 5.0-6

· All versions of MarkLogic 6.0 (6.0-1 through 6.0-5)

· All versions of MarkLogic 7.0 (7.0-1 through 7.0-2.2),
including the MarkLogic AMIs

MarkLogic versions prior to 5.0-5 use an earlier version of OpenSSL that
does not have this
vulnerability.

How to Patch

We recommend that customers who are using SSL patch their systems
immediately. To do this:

1. Upgrade your cluster to the patch release, available at
   <http://developer.marklogic.com/products&gt;.

Patch release versions are as follows:

o MarkLogic 5.0-6.1

o MarkLogic 6.0-5.1

o MarkLogic 7.0-2.3

2. Regenerate all SSL certificates for your cluster. This is
   necessary because the
   vulnerability is such that private keys for your certificates are
   potentially compromised. See
   𠇌onfiguring SSL on App Servers” in the documentation:

o MarkLogic 5 documentation:
<http://docs.marklogic.com/5.0/guide/admin/SSL#chapter&gt;

o MarkLogic 6 documentation:
<http://docs.marklogic.com/6.0/guide/admin/SSL#chapter&gt;

o MarkLogic 7 documentation:
<http://docs.marklogic.com/guide/admin/SSL#chapter&gt;

3. If you are using BASIC or Application Level Authentication over
   SSL, have all your
   users change their passwords after you’ve patched and deployed new SSL
   certificates. This includes
   both internal users in our security database, and anyone using external
   authentication (which
   requires BASIC authentication over SSL). This is necessary because the
   vulnerability may have
   resulted in password leaks.

If you have any questions about how to patch, feel free to contact
[email protected].

More information about the heartbleed vulnerability can be found at
<http://heartbleed.com> or
<https://vulners.com/cve/CVE-2014-0160&gt;.`

McAfee Affected

Notified: April 08, 2014 Updated: April 11, 2014

Statement Date: April 11, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• https://kc.mcafee.com/corporate/index?page=content&id=SB10071

NVIDIA __ Affected

Updated: May 05, 2014

Statement Date: May 05, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

<http://nvidia.custhelp.com/app/answers/detail/a_id/3492&gt;

NetBSD __ Affected

Notified: April 08, 2014 Updated: April 08, 2014

Statement Date: April 08, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

NetBSD is vulnerable (in the version 6 train, not in the version 5 train) pkgsrc is vulnerable (1.0.1 versions of OpenSSL packages below 1.0.1g, no surprises there)

Vendor References

• <http://mail-index.netbsd.org/security-announce/2014/04/08/msg000085.html&gt;

OpenBSD Affected

Notified: April 08, 2014 Updated: April 08, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig&gt;
• <http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/007_openssl.patch&gt;
• <http://ftp.openbsd.org/pub/OpenBSD/patches/5.3/common/014_openssl.patch&gt;

OpenSSL Affected

Updated: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://www.openssl.org/news/secadv_20140407.txt&gt;

OpenVPN Technologies Affected

Updated: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://community.openvpn.net/openvpn/wiki/heartbleed&gt;

Oracle Corporation Affected

Notified: April 08, 2014 Updated: April 16, 2014

Statement Date: April 16, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html&gt;

Red Hat, Inc. Affected

Notified: April 08, 2014 Updated: April 08, 2014

Statement Date: April 08, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://access.redhat.com/security/cve/CVE-2014-0160&gt;
• <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0160&gt;
• <https://rhn.redhat.com/errata/RHSA-2014-0376.html&gt;

Slackware Linux Inc. Affected

Notified: April 08, 2014 Updated: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.533622

Sophos, Inc. Affected

Updated: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://blogs.sophos.com/2014/04/09/sophos-utm-manager-and-openssl-vulnerability/&gt;

Symantec __ Affected

Notified: April 08, 2014 Updated: May 13, 2016

Statement Date: April 18, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.symantec.com/outbreak/?id=heartbleed&gt;
• <http://www.symantec.com/content/en/us/enterprise/other_resources/b-symantec-product-list-heartbleed.pdf&gt;
• https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00

Addendum

CERT/CC has confirmed with Symantec that Symantec Messaging Gateway version 10.6.1 is vulnerable. Please see the most recent Symantec advisory (SYM16-007) above.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23720951 Feedback>).

Ubuntu __ Affected

Notified: April 08, 2014 Updated: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://www.ubuntu.com/usn/usn-2165-1/&gt;
• <https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1304042&gt;

Addendum

Note that the version number reported by openssl does not reflect the patch level. To verify that the usn-2165-1 fixed versions are installed, run the following command
dpkg -l openssl libssl* | cat
and compare the reported version numbers with those listed in the advisory.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23720951 Feedback>).

Unisys __ Affected

Notified: April 08, 2014 Updated: April 17, 2014

Statement Date: April 17, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Heartbleed bug – Public and Client Communication

Dear Unisys client,

Unisys prides itself on ensuring the mission-critical operations of our clients – and the security of your systems is a priority for us. I am writing to let you know how we are addressing any risks related to the Heartbleed bug that has been reported in the news and to provide you with information that may help you address your own risks.

Heartbleed is a software bug in the OpenSSL technology used to create a secure link over the Internet between a server and a computer asset such as a laptop or PC. The bug, which has existed for about two years but was only publicly disclosed last week, is believed to have affected a significant number of websites globally.

Unisys has undertaken a comprehensive review of our servers, products, and client-owned servers under our management for risks associated with the Heartbleed bug. Here’s what you need to know:

-We have not found any vulnerability in our public-facing Web servers. We continue to monitor the product advisories of our major vendors for any potential issues.

-The vast majority of our released products, including MCP, OS 2200, Forward!, Stealth, and Choreographer, are not vulnerable to the Heartbleed bug. Two instances of potential vulnerabilities were found in add-on products; in those cases, we have done remediation efforts and notified clients.

-The vast majority of client-owned servers under our management are not affected by the Heartbleed bug. For servers that may have been affected, we have notified the client and after consulting with the client, we are in the process of patching those servers, changing the server side certificates and instructing users to change their passwords.

-Currently, only version 1.0.1 - 1.0.1f of the open-source SSL is affected. We have upgraded any client-owned servers under our management to version 1.0.1g. We recommend that you check the other servers that you manage.

-Our Security Services team can help you in this process and can also perform a penetration test to determine if you are vulnerable and help you contain any resulting damage.

We stand ready to assist you. Please contact your Unisys representative or service delivery manager to discuss your requirements or to order a penetration test.

We appreciate your business.

Unisys

VMware __ Affected

Notified: April 08, 2014 Updated: April 22, 2014

Statement Date: April 09, 2014

Status

Affected

Vendor Statement

VMware has released product updates and patches for all affected products

listed in VMware Knowledge Base article 2076225.

Vendor Information

VMware Security Advisory VMSA-2014-0004 lists the updated products and
patch releases that address CVE-2014-0160 in VMware products and provides
references to specific product documentation.

Vendor References

• <http://www.vmware.com/security/advisories/VMSA-2014-0004.html&gt;
• <http://kb.vmware.com/kb/2076225&gt;

Watchguard Technologies, Inc. Affected

Updated: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://watchguardsecuritycenter.com/2014/04/08/the-heartbleed-openssl-vulnerability-patch-openssl-asap/&gt;

Wind River Systems, Inc. __ Affected

Notified: April 08, 2014 Updated: April 11, 2014

Statement Date: April 08, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Wind River has investigated its products regarding the heart blead vulnerability. The conclusion is:

VxWorks is not vulnerable.
WR Linux 3.x and 4.x are not vulnerable.
WR Linux 5.0.1.x is vulnerable if the optional openssl-1.0.1 package is installed.
WR Linux 6.0.0.x is vulnerable.
INP 3.4 is vulnerable.

Wind River customers can find additional information, e.g. fixes, at the online support web site <https://support.windriver.com/&gt;

Vendor References

• <https://support.windriver.com/&gt;

nginx __ Affected

Updated: April 11, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/&gt;

Addendum

nginx for Windows is statically linked with the OpenSSL library. We have confirmed that nginx versions 1.2.9 through 1.4.7 on Windows provide a vulnerable OpenSSL version.

nginx 1.4.7, which was originally released on March 18, 2014, was silently repackaged with OpenSSL 1.0.1g on April 8, 2014.
nginx 1.5.13 was officially released on April 8, 2014, and it also includes OpenSSL 1.0.1g, despite not specifically mentioning this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23720951 Feedback>).

openSUSE project Affected

Updated: April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html&gt;

pfSENSE Affected

Updated: April 17, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://blog.pfsense.org/?p=1253&gt;

Brocade __ Not Affected

Updated: April 11, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

`TECHNICAL SUPPORT BULLETIN
April 10, 2014

---

TSB 2014-185-ASEVERITY: Low - Information

---

PRODUCTS AFFECTED:
All Brocade products, including Vyatta

CORRECTED IN RELEASE:
All current releases of Brocade products, including Vyatta

BULLETIN OVERVIEW

The purpose of this bulletin is to provide information regarding the recently
disclosed vulnerability in the OpenSSL protocol documented by CVE-2014-0160 and
also known as “The Heartbleed bug.” This vulnerability takes advantage of the
heartbeat extensions to the OpenSSL protocol (RFC6520).

Brocade’s family of IP products ADX, FCX, ICX, MLX, MLX-E, XMR CES, CER, RX,
SX, VDX offering ServerIron, FastIron, NetIron, RX, Network OS, Brocade Network
Advisor, Vyatta and vADX software and SAN products offering FOS software do not
make use of the heartbeat extensions and hence are not vulnerable to the
exploit documented in CVE-2014-0160.
In addition, the MyBrocade.com web site does not use OpenSSL and is not
vulnerable to this issue.

PROBLEM STATEMENT
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not
properly handle Heartbeat Extension packets, which allows remote attackers to
obtain sensitive information from process memory via crafted packets that
trigger a buffer over-read, as demonstrated by reading private keys, related to
d1_both.c and t1_lib.c, aka the Heartbleed bug.
<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160&gt;

RISK ASSESSMENT
There is no risk using Brocade products
SYMPTOMS
Not applicable.
WORKAROUND
No workaround is necessary.
CORRECTIVE ACTION
Not applicable.`

EfficientIP __ Not Affected

Updated: April 09, 2014

Statement Date: April 09, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Our system uses FreeBSD 9.2 as basis, and the OpenSSL version shipped with this version (0.9.8y) are stated not be affected.

Foundry Networks, Inc. __ Not Affected

Notified: April 08, 2014 Updated: April 11, 2014

Statement Date: April 09, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

No Brocade (Foundry) products are affected by this vulnerability,

Addendum

Foundry was purchased by Brocade.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23720951 Feedback>).

Infoblox __ Not Affected

Notified: April 08, 2014 Updated: April 08, 2014

Statement Date: April 08, 2014

Status

Not Affected

Vendor Statement

Infoblox is not affected by this issue (in any released version).

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation __ Not Affected

Notified: April 08, 2014 Updated: April 21, 2014

Statement Date: April 21, 2014

Status

Not Affected

Vendor Statement

Microsoft Services unaffected by OpenSSL “Heartbleed” vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx&gt;

Opengear Not Affected

Updated: April 15, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://opengear.zendesk.com/entries/51667116-CVE-2014-0160-aka-Heartbleed-Opengear-products-are-not-affected&gt;

Openwall GNU/*/Linux __ Not Affected

Notified: April 08, 2014 Updated: April 09, 2014

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux is not affected. The versions of OpenSSL that we redistribute do not contain the vulnerable code.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Peplink __ Not Affected

Notified: April 08, 2014 Updated: April 18, 2014

Statement Date: April 08, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Peplink products are NOT affected by this vulnerability.

Vendor References

• <https://forum.peplink.com/threads/3062-Special-Notice-On-OpenSSL-Heartbleed-Vulnerability&gt;

Quagga __ Not Affected

Notified: April 08, 2014 Updated: April 07, 2014

Statement Date: April 08, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Quagga is not affected by this vulnerability.

SUSE Linux __ Not Affected

Notified: April 08, 2014 Updated: April 08, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html&gt;

Addendum

SUSE Enterprise Linux uses OpenSSL 0.9.x

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23720951 Feedback>).

Vyatta __ Not Affected

Notified: April 08, 2014 Updated: April 11, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

`TECHNICAL SUPPORT BULLETIN
April 10, 2014

---

TSB 2014-185-ASEVERITY: Low - Information

---

PRODUCTS AFFECTED:
All Brocade products, including Vyatta

CORRECTED IN RELEASE:
All current releases of Brocade products, including Vyatta

BULLETIN OVERVIEW

The purpose of this bulletin is to provide information regarding the recently
disclosed vulnerability in the OpenSSL protocol documented by CVE-2014-0160 and
also known as “The Heartbleed bug.” This vulnerability takes advantage of the
heartbeat extensions to the OpenSSL protocol (RFC6520).

Brocade’s family of IP products ADX, FCX, ICX, MLX, MLX-E, XMR CES, CER, RX,
SX, VDX offering ServerIron, FastIron, NetIron, RX, Network OS, Brocade Network
Advisor, Vyatta and vADX software and SAN products offering FOS software do not
make use of the heartbeat extensions and hence are not vulnerable to the
exploit documented in CVE-2014-0160.
In addition, the MyBrocade.com web site does not use OpenSSL and is not
vulnerable to this issue.

PROBLEM STATEMENT
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not
properly handle Heartbeat Extension packets, which allows remote attackers to
obtain sensitive information from process memory via crafted packets that
trigger a buffer over-read, as demonstrated by reading private keys, related to
d1_both.c and t1_lib.c, aka the Heartbleed bug.
<https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160>

RISK ASSESSMENT
There is no risk using Brocade products
SYMPTOMS
Not applicable.
WORKAROUND
No workaround is necessary.
CORRECTIVE ACTION
Not applicable.`

WSO2 __ Not Affected

Updated: April 15, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

On April 7th, a Security Advisory was issued by the OpenSSL project notifying the public of a serious vulnerability in the encryption software used by a majority of websites on the Internet.

http://connect.wso2.com/wso2/c/secadv_20140407.txt?_lid=62396&_cid=77097&_t=859269

We want you to know that our servers were not exposed and your WSO2 account is completely safe. Nevertheless, to ensure there is no additional risk, we strongly encourage you to request a new password.
http://connect.wso2.com/wso2/c/password?_lid=62397&_cid=77097&_t=859269

If you have any questions or concerns, please email [email protected].

For additional information regarding this vulnerability, please visit:
http://connect.wso2.com/wso2/c/heartbleed.com?_lid=62398&_cid=77097&_t=859269

m0n0wall __ Not Affected

Notified: April 08, 2014 Updated: April 08, 2014

Statement Date: April 08, 2014

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

m0n0wall is not affected (as it uses OpenSSL 0.9.8).

ACCESS Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

AT&T Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Alcatel-Lucent Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Apple Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Avaya, Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Barracuda Networks Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Belkin, Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Charlotte’s Web Networks Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Check Point Software Technologies Unknown

Notified: April 08, 2014 Updated: April 09, 2014

Statement Date: April 08, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100173

Cray Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

D-Link Systems, Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DragonFly BSD Project Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Engarde Secure Linux Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Enterasys Networks Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ericsson Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Force10 Networks, Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fujitsu Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation (zseries) Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM eServer Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Internet Security Systems, Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intoto Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

MontaVista Software, Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NEC Corporation __ Unknown

Notified: April 08, 2014 Updated: April 30, 2014

Statement Date: April 30, 2014

Status

Unknown

Vendor Statement

We provide information on this issue at the following URL

<http://jpn.nec.com/security-info/av14-001.html&gt; (only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <http://jpn.nec.com/security-info/av14-001.html&gt;

Nokia Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Novell, Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Palo Alto Networks Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Process Software Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Q1 Labs Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

QNX Software Systems Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SafeNet Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SmoothWall Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Snort Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sony Corporation Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sourcefire Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Stonesoft Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

The SCO Group Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

TippingPoint Technologies Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Turbolinux Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Watchguard Technologies, Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

ZyXEL Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

eSoft, Inc. Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

netfilter Unknown

Notified: April 08, 2014 Updated: April 07, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

View all 99 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base	5	AV:N/AC:L/Au:N/C:P/I:N/A:N
Temporal	4.1	E:F/RL:OF/RC:C
Environmental	6.5	CDP:LM/TD:H/CR:H/IR:H/AR:ND

References

• <http://heartbleed.com/&gt;
• <http://seclists.org/oss-sec/2014/q2/22&gt;
• <http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902&gt;
• <https://tools.ietf.org/html/rfc6520&gt;
• <http://www.openssl.org/news/openssl-1.0.1-notes.html&gt;
• <http://www.hut3.net/blog/cns---networks-security/2014/04/14/bugs-in-heartbleed-detection-scripts-&gt;
• <http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html&gt;
• <http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/&gt;
• <https://www.cert.fi/en/reports/2014/vulnerability788210.html&gt;
• <http://xkcd.com/1354/&gt;
• <https://code.google.com/p/mod-spdy/issues/detail?id=85&gt;
• <http://www.exploit-db.com/exploits/32745/&gt;
• <https://access.redhat.com/security/cve/CVE-2014-0160&gt;
• <http://www.ubuntu.com/usn/usn-2165-1/&gt;
• <http://www.freshports.org/security/openssl/&gt;
• <https://blog.torproject.org/blog/openssl-bug-cve-2014-0160&gt;

Acknowledgements

This vulnerability was reported by OpenSSL, who in turn credits Riku, Antti and Matti at Codenomicon and Neel Mehta of Google Security.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2014-0160
Date Public:	2014-04-07 Date First Published: