Heartbleed Vulnerability (CVE-2014-0160)
It has been quite a while since a vulnerability of this scale was uncovered. There is no doubt that this is a serious one, and it affects a great many products. What makes it such a problem is not only that the consequences are severe, but also that it is not hard to exploit. The bug is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension: a peer can send a heartbeat request that declares a payload far longer than it actually carries, and a vulnerable OpenSSL echoes back up to 64 KB of its own process memory per request. That memory can hold private keys, session cookies, passwords and other plaintext traffic, the attack needs no authentication, and it leaves nothing in the server's logs. Servers and clients are both affected, since the same code handles heartbeats in either role. The vulnerable code has been in circulation since OpenSSL 1.0.1 shipped in March 2012, so the impact up to now is unknown.
Recommendations are to patch the affected products, generate new private keys and reissue (and revoke the old) certificates, invalidate existing sessions, and ensure users change their passwords. The order matters: patch first, since a new key installed on an unpatched server can be leaked just like the old one, and only ask users to change passwords once the service is actually fixed.
Affected versions are OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; the 1.0.0 and 0.9.8 branches do not implement the heartbeat extension and are not affected. OpenSSL advises affected users to upgrade to OpenSSL 1.0.1g, and users unable to upgrade immediately can recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2.
Two caveats when checking your own systems. Distribution packages (Red Hat, Ubuntu, FreeBSD and others) backport the fix rather than moving to 1.0.1g, so `openssl version` can still report 1.0.1e or 1.0.1f on a patched host; go by the package version in the vendor advisory, not the upstream version string. And updating the library is not enough on its own: every running process that has the old libssl mapped (web servers, mail servers, VPN daemons, appliances) keeps using the vulnerable code until it is restarted, so restart those services or reboot after patching.
The list below gives links to advisories for some of the affected products. There are many more.
VMWare
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225
Fortinet
http://www.fortiguard.com/advisory/FG-IR-14-011
Juniper
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623
Cisco
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
Watchguard
http://watchguardsecuritycenter.com/2014/04/08/the-heartbleed-openssl-vulnerability-patch-openssl-asap
Aruba
http://www.arubanetworks.com/support/alerts/aid-040814.asc
CheckPoint
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100173
RedHat
https://access.redhat.com/security/cve/CVE-2014-0160
F5
http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
McAfee
https://kc.mcafee.com/corporate/index?page=content&id=SB10071
Symantec
http://www.symantec.com/business/support/index?page=content&id=TECH216558
Ubuntu
http://www.ubuntu.com/usn/usn-2165-1/
FreeBSD
http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc
RedHat
https://access.redhat.com/site/announcements/781953
Excellent information. At last, someone that makes sense of the "noise" generated around exploits such as this. Well done. Kawalski