
SANS ISC: Heartbleed vendor notifications - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Heartbleed vendor notifications
FileMaker Server 13 has a hot-fix available:
http://help.filemaker.com/app/answers/detail/a_id/13384

They are coming out with an update 'soon'.

"FileMaker Server 13 includes a version of OpenSSL which has been identified as being vulnerable to the Heartbleed bug. At this time we are not aware of any tools which could exploit this vulnerability in FileMaker Server 13.

FileMaker Server 12 and prior server versions are not vulnerable to the Heartbleed bug. FileMaker Pro clients (any version) and FileMaker Go clients (any version) are not vulnerable to the Heartbleed bug when used standalone or when networked-peer-to-peer."
DavidBroome

1 Posts
VMware:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225
DavidBroome
1 Posts
Updated advisory for Sophos UTM: http://www.sophos.com/en-us/support/knowledgebase/120851.aspx
Josh

4 Posts
Rob VandenBrink

481 Posts
ISC Handler
HP Networking (partial notification only)
h17007.www1.hp.com/docs/advisories/…
Rob VandenBrink

481 Posts
ISC Handler
Cisco updated their response today:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
B.Kaatz

1 Posts
Good example (not perfect): http://www.taxact.com/support/22490/heartbleed-security-concerns/?txtSearchValue=heartbleed
Not so good example: https://security.intuit.com/alert.php?a=105

Hint: If you fixed your systems, you should recommend password changes (strongly recommend, or even require them).

I will be dropping somebody's services soon.
G.Scott H.

48 Posts
OpenBSD

http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/007_openssl.patch
G.Scott H.
8 Posts
Not entirely true. You have to log on to their support system to read their statements. The firewall models appear to be unaffected, but some of the remote access software and appliances are.
v-ger

4 Posts
I'm finding Lexmark and HP printers in my organization that are vulnerable, but I never get any data when I run ssltest. Is the memory management performed by these devices different, so that no interesting information is obtained?

Thanks!
fjavier2ja

2 Posts
HP finally acknowledged on Sunday, and issued some advisories. No timeline on fixes yet.

SMH - https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04239372-1%257CdocLocale%253Den_US%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

SUM - https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04239375-1%257CdocLocale%253Den_US%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

Bunch of other products - https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04236102-2%257CdocLocale%253Den_US%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken

BladeSystem C-Class OA - https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04236062-1%257CdocLocale%253Den_US%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken
Jaybone

27 Posts
Products mentioned in this post:
--------------------------------
APACHE TOMCAT NATIVE
ATLASSIAN JIRA 6.0 FOR WINDOWS
FILEZILLA SERVER
WINSCP

APACHE TOMCAT NATIVE version 1.1.30 is now officially available at http://tomcat.apache.org/download-native.cgi

Their changelog indicates this new version now uses OpenSSL 1.0.1g. See http://tomcat.apache.org/native-doc/miscellaneous/changelog.html

Their older versions (e.g. 1.1.29) used vulnerable versions of OpenSSL, though the Tomcat Native web pages neglect to say so, as of April 15, 2014.

ATLASSIAN JIRA 6.0 FOR WINDOWS installer includes the 1.1.29 version of tcnative-1.dll. I am not sure about other versions of JIRA. This DLL can be replaced with the 1.1.30 version of tcnative-1.dll. JIRA defaults to a Java implementation of SSL rather than using Tomcat Native, but it is possible to alter the JIRA / Apache configuration so Tomcat Native is loaded. In JIRA 6.0 for Windows, when tcnative-1.dll is loaded, it is indicated in the stderr log, and the version of OpenSSL it is statically linked to also appears in this log file.

FILEZILLA SERVER has a new version with an updated OpenSSL: https://forum.filezilla-project.org/viewtopic.php?f=6&t=32694
(fixed in FileZilla Server version 0.9.44)

As does WINSCP: http://winscp.net/tracker/show_bug.cgi?id=1151
(fixed in version 5.5.3)
MikeOnline

2 Posts
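The post above notes that a JIRA / Tomcat stderr log records which tcnative-1.dll was loaded and which OpenSSL it is statically linked against. The following is an added triage script, not code from the thread or from Atlassian or Apache: it pulls both versions out of such a log and flags the statically linked OpenSSL if it falls in the Heartbleed range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g is the fix). The log line formats follow Tomcat's AprLifecycleListener messages as I know them, and the sample log is constructed.

```python
import re

# Startup lines Tomcat Native writes to stderr (format assumed from Tomcat's
# AprLifecycleListener; the sample log further down is constructed).
TCNATIVE_RE = re.compile(r"Loaded APR based Apache Tomcat Native library (\d+\.\d+\.\d+)")
OPENSSL_RE = re.compile(r"OpenSSL successfully initialized \(OpenSSL (\d+\.\d+\.\d+)([a-z]?)")


def openssl_is_heartbleed_vulnerable(version: str) -> bool:
    """True for the affected releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]?)(?:-(beta\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    base, letter, pre = m.groups()
    if base == "1.0.1":
        return letter < "g"   # '' (plain 1.0.1) and 'a'..'f' sort before 'g'
    if base == "1.0.2":
        return pre == "beta1"
    return False              # 0.9.8, 1.0.0 and later trees never had the bug


def triage_stderr_log(text: str) -> dict:
    """Extract the tcnative and OpenSSL versions from a JIRA/Tomcat stderr log
    and report whether the linked OpenSSL is in the Heartbleed range."""
    result = {"tcnative": None, "openssl": None, "vulnerable": None}
    for line in text.splitlines():
        if (m := TCNATIVE_RE.search(line)):
            result["tcnative"] = m.group(1)
        elif (m := OPENSSL_RE.search(line)):
            result["openssl"] = m.group(1) + m.group(2)
    if result["openssl"] is not None:
        result["vulnerable"] = openssl_is_heartbleed_vulnerable(result["openssl"])
    return result


# Constructed sample: a JIRA 6.0 for Windows stderr log where tcnative 1.1.29 was loaded.
SAMPLE_LOG = """\
15-Apr-2014 09:12:01 org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.
15-Apr-2014 09:12:01 org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
"""

if __name__ == "__main__":
    print(triage_stderr_log(SAMPLE_LOG))
```

If no OpenSSL line appears at all, JIRA is using its Java SSL implementation rather than Tomcat Native, and the script reports `vulnerable` as `None` rather than guessing.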
Huawei has published an advisory today: http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-332187.htm
Anonymous
Adobe http://blogs.adobe.com/psirt/?p=1085
Anonymous
Oracle's list of vulnerable devices/services: http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html
Anonymous
