ISA500 is vulnerable to Heartbleed!

Hi,
We have a Cisco ISA570 running the latest firmware version of 1.2.19.
However, after running several Heartbleed tests, we found that it is vulnerable to this threat.  It's not even listed as an affected product on the Cisco Security Advisory page.  
We had to disable SSL VPN services as a workaround, but that disables remote access for our users which isn't an acceptable option for long term.
What do we need to do to get our ISA570 updated to fix this active threat?
Thanks in advance!
-rya

Yep, and the release notes didn't take ages to come out:
http://www.cisco.com/c/dam/en/us/td/docs/security/small_business_security/isa500/release/1-2-20/ISA500_RN_1_2_20.pdf

Similar Messages

  • Is Actiontec modem-router vulnerable to Heartbleed?

    Does Heartbleed affect the Actiontec GT784WNV modem-router?
    We have one from Verizon for our Verizon DSL.
    If the Actiontec is affected, when will Verizon send a firmware update?

    When trying to access my Verizon ActionTec router from INSIDE my private LAN (https://192.169.1.1), why does my security software alert me of a potential SSL Certificate compromise?
    My AntiVirus suite provides this alert: 
    "Cannot guarantee authenticity of the domain to which encrypted connection is established" 
    Application: Internet Explorer  (although the same occurs in Chrome),
    URL:  ORname_Jungo: OpenRG Products Group
    Reason:  (blank)"
    Who is that URL and why is it on the Verizon router?

  • How do we proceed re: Heartbleed?

    I don't want to steal MadMacs0's thunder. So I'd like to open a new thread - albeit with all due respect to him.  His post, IMHO, is just too important to slip through the cracks or to be potentially construed as being off-topic. Check it out > https://discussions.apple.com/message/25488206#25488206
    For the sake of everyone's convenience, I will post my reply to him.
    Kudos to you MadMacs0!
    Your hard work is very much appreciated. Which begs the question: How does one, using proper due diligence, arrive at intelligent and confident conclusions and by extension - viable solutions - amidst a plethora of hysteria and misinformation - albeit in juxtaposition with allegedly valid information?
    How do we go about separating the wheat from the chaff when discussing said extensive associations between Apple devices, Apple servers, Apple mission critical services, Akamai servers, Akamai's "key Web-based services", etc...?
    All things considered, I believe that Apple (today) released a new Apple Support Communities Use Agreement (revised 24 April 2014) in good faith, with the best of intentions and with the aim of keeping topics such as (some of) the aforementioned (e.g. Heartbleed) in context, however nebulous or convoluted they may seem.
    Best Regards and Thank You,
    mm~

    Yes, Heartbleed does have a nice logo, and it's a nasty bug. 
    This stuff dates back to the late 1980s with the WANK worm and the Morris worm, if not earlier.   There've been many other problems since then too.  There'll be more. 
    Since you mention Y2K, there'll be more — 2038 is probably the next "fun" date for most folks, and I've already seen a few 2038-related bugs.
    As to your question, OS X is not vulnerable to Heartbleed; it uses Secure Transport for most SSL/TLS traffic and includes an outdated version of OpenSSL (that's not vulnerable to Heartbleed) for use by legacy apps.
    Client and server applications that include their own versions of OpenSSL within the vulnerable range will have to be updated.  Even on OS X.
    Secure Transport has been vulnerable to attacks — the recent "goto fail" being one such example — and the older version of OpenSSL has its own issues.   OS X and iOS are also vulnerable to the (newer than Heartbleed) 3Shake SSL attack; patches for that are now available. 
    Older SSL is vulnerable to attacks, and newer TLS can be vulnerable.  This means that higher-security sites can need to adjust the algorithms presented, or migrate to an environment that provides the required TLS.  (For most folks, simply avoiding the worst of the available algorithms is sufficient.)
    As for the realization of how many attackers and how many bugs and the rest exist, well, welcome to the Internet.   It's only going to get more nasty, too.
    If you self-maintain, keep your backups current, keep some of your backups entirely isolated from your server, get yourself onto security notification lists (and Twitter can be useful for following some of the security-focused folks), keep your patches current, use multiple layers (such as firewalls, network scanners and vulnerability scanners, intrusion detection, network partitioning and other such tools, investing commensurate with your value as a target), learn current password practices (given brute-forcing password tools are getting better) and all the usual advice.   Test your recovery, too.
    In short, pay (time, effort, mental focus, budget) to stay current, or pay folks to keep your servers current for you, or outsource the whole area to folks that specialize; to cloud or hosted services providers.  Expect to get pwned, too — this is part of why backups are important.   None of this is new or different or changed advice, of course.

  • Cisco UCS components and Heartbleed bug

    I was reading about Cisco products affected by heartbleed vulnerability at following Cisco security advisory
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed#@ID
    I couldn't find whether the products/components below are affected by this vulnerability. Can someone confirm if these products/components are vulnerable to Heartbleed?
    Cisco UCS Manager
    Cisco Integrated Management Controller (CIMC)
    Cisco UCS Blade Chassis
    tia

    I agree that the phrasing is a bit off; note that the notice is talking about _products_ affected (or not), not particular _components_ of a product.
    UCS seems to be off the hook. Not affected are: 
    Cisco UCS B-Series (Blade) Servers
    Cisco UCS C-Series (Stand alone Rack) Servers
    Cisco UCS Central
    Cisco UCS Fabric Interconnects
    Cisco UCS Invicta Series Solid State Systems
    CIMC and UCSM would be part of FI or B-or-C-series, etc.

  • Android 4.1.1 and New Bug (OpenSSL Vulnerability)

    I have updated my device to 4.1.1 recently, which seems to be the only version of Android that would be affected by this bug.
    http://www.bloomberg.com/news/2014-04-11/millions-of-android-devices-vulnerable-to-heartbleed-bug.ht...
    Is there another update for my device to fix it?

    Hi SonyTab,
    Please provide us the exact model name of your unit so we can check the specifications and provide accurate solutions. You can use this guide to determine the exact model name. Thanks!

  • The SSL-Libraries are old resp. vulnerable

    Hello
    The SSL-Libraries, included with actual and up-to-date Lightroom and particularly in Adobe Bridge, are old versions and (maybe) vulnerable.
    In the (default) path:
    "c:\Program Files\Adobe\Adobe Photoshop Lightroom 5.7.1\"
    is the v1.0.1.7, which means v1.0.1g.
    The actual version of the 1.0.1.13 branch is 1.0.1m.
    In the (default) path:
    "c:\Program Files\Adobe\Adobe Bridge CC (64 Bit)\"
    is the v1.0.1.5, which means v1.0.1e.
    THIS IS EVEN VULNERABLE WITH HEARTBLEED/BEAT!
    The actual version of the 1.0.1.13 branch is 1.0.1m.
    This should be fixed fast!
    For more information see URL: https://www.openssl.org/
    Greetings,
    Alpengreis

    This is an open forum with "some" Adobe staff participation
    https://www.adobe.com/cfusion/mmform/index.cfm?name=wishform for feature requests or bugs

  • "Heartbleed" bug in OpenSSL

    I've just been reading about "heartbleed", which is a bug that has existed in OpenSSL for two years.  This makes our passwords and other information, including content, susceptible to being uncovered.  Is the icloud.com site secure, or at risk?  I tested the site with a tool provided by lifehacker.com and it showed there was a problem.  I have tested other sites and they came back with a secure result.
    Anyone know anything about this?  I'm concerned that all my email etc can possibly be vulnerable.
    Thanks
    Melissa

    In addition to what we all think of as servers, a variety of other Mac and iOS apps are potentially vulnerable. Why? Because many apps use "server-like" features. For example: using POP3, IMAP or SMTP protocols.
    A good example of an iTunes App Store app that has been vulnerable is FileMaker Go 13, along with other FileMaker versions for OS X.
    Any user of the following FileMaker application versions needs to be aware that their secure data may have been compromised. They need to read the notice I've linked below, consider whether they have made use of the noted features, and determine if their use may have compromised sensitive information. If so, they need to not only update their copy of FileMaker, but also regenerate sensitive information as recommended by CERT (in the bottom link below.)
    http://help.filemaker.com/app/answers/detail/a_id/13384/~/filemaker-products-and-the-heartbleed-bug
    FileMaker Go 13 https://itunes.apple.com/us/app/filemaker-go-13/id675292600
    FileMaker Server 13 (Sold by Apple but not in App Store)
    FileMaker Pro 13, FileMaker Pro 13 Advanced (Sold by Apple but never officially in the App store)
    The very nature of the HeartBleed bug is such that any app that was ever vulnerable to HeartBleed must be properly addressed. See the official CERT HeartBleed Bug announcement (http://www.kb.cert.org/vuls/id/720951): "Any system that may have exposed this vulnerability should regenerate any sensitive information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items. Old keys should be revoked."
    Blessings,
    Pete
    (PS, I am setting up a test environment to discover which of the Apps I own are vulnerable. I hope to report back before too long.)

  • SAP BCM 6 +7 // OpenSSL vulnerability "Heartbleed"

    Hi All,
    Information on SAP BCM and Heartbleed:
    The Heartbleed vulnerability in OpenSSL (CVE-2014-0160) has received a significant amount of attention recently. While the discovered issue is specific to OpenSSL, customers might be wondering whether this affects SAP BCM product.
    SAP BCM is not using OpenSSL and thus is not affected by the OpenSSL vulnerability. All versions of SAP BCM are using Windows’ implementation of SSL/TLS (called Secure Channel, a.k.a. SChannel) which is not impacted.
    Regards,
    Jukka
    SAP BCM Team

    Hi Harish,
    First of all - a disclaimer... I am a BCM consultant, and my company is heavily involved in BCM implementations, and turn-key BCM solutions... so I'm not going to say that you "must" have a BCM consultant
    However, BCM implementation requires a different skillset from your typical Basis skillset. The most important thing is that the individual(s) implementing BCM has been trained by SAP and/or has previous experience - yes, there are people out there with superb skills that can figure anything out and get it working... But getting the sizing, landscape and network right is extremely important, so you also need access to someone with IP telephony skills/experience.
    You will also want your voice team to become comfortable with managing and administering BCM as things like maintaining skills, queues, schedules, prompts, capacity, routing, IVR, etc. usually fall in their domain.
    Hope that helps!
    Sincerely,
    Glenn
    Glenn Abel
    Covington Creative
    www.covingtoncreative.com

  • Cisco IOS XE is vulnerable to CVE-2014-0160 - aka Heartbleed CSCuo19730 on Cisco 4500E IOS XE?

    Hello Experts,
    I need to find out which exact IOS XE software version on the Catalyst 4507E will be affected by Heartbleed.
    Cisco WS-C4507R+E
    WS-X45-SUP7-E
    Thanks in advance.

    @apieper, looking at the bug details, it doesn't look like you are affected.
    Conditions:
    Cisco IOS XE devices running release 3.11.0S, 3.11.1S or 3.12.0S and with the WebUI interface over HTTPs enabled. No other versions of Cisco IOS XE are affected.
    Devices with the WebUI interface enabled and using HTTPs as transport protocol will include the following configuration:
    transport-map type persistent webui http-webui
    secure-server
    ip http secure-server
    transport type persistent webui input http-webui
    Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S but WITHOUT the WebUI interface enabled, or with the WebUI interface enabled but NOT using HTTPs as transport protocol are NOT AFFECTED by this vulnerability.
    Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S and with the HTTPs server enabled (by including in their configuration the line "ip http secure-server") are NOT affected. Both the HTTPs server and the WebUI interface need to be enabled for a device to be vulnerable.

  • HeartBleed vulnerability on AnyConnect for iOS

    Does anyone have additional information on this vulnerability? This security post: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
    Tells us that "Cisco AnyConnect Secure Mobility Client for iOS" is an affected product, but doesn't tell us what versions are at risk.

    The build with this fix has been posted to the iTunes store.
    AnyConnect for Apple iOS 3.0.09353 is now available for download from the Apple App Store
    Resolves CSCuo17488 – AnyConnect for iOS is vulnerable to CVE-2014-0160 – Heartbleed
    Download: https://itunes.apple.com/us/app/cisco-anyconnect/id392790924
    Release notes: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3-0-iOS.html
    ** Please note the two upgrade instructions pasted below which are applicable to all upgrades of AnyConnect software on Apple iOS
    Disconnect AnyConnect connection before upgrading
    Please make sure your AnyConnect VPN is disconnected when you upgrade. Otherwise, you may fail to connect after the upgrade with the following error: "Could not connect to VPN server, Please verify internet connectivity and server address." This issue can be fixed by a device reboot.
    Apple iOS Connect On Demand Considerations
    To ensure proper establishment of Connect On Demand VPN tunnels after updating AnyConnect, users must manually start the AnyConnect app and establish a connection. If this is not done, upon the next iOS system attempt to establish a VPN tunnel, the error message "The VPN Connection requires an application to start up" will display.

  • Does the SCCM updates manager use OpenSSL, and is it vulnerable to the Heartbleed bug?

    I'm 99.99% positive I know the answer, but my boss wants to know for SURE. Does the SCCM updates manager use OpenSSL, and is it vulnerable to the Heartbleed bug?
    Thank you for appeasing him.

    I must be misunderstanding something here. Would you please help me understand why this isn't answerable here? How does this have anything to do w/ our TAM? SCCM is SCCM regardless of where we got it, right? I'm quite perplexed, so thank you for clearing this up.
    My guess is liability. What if we're wrong? Very few people who frequent these forums are actual Microsoft employees.
    If you want a 'for sure' answer, you're best off contacting Microsoft directly IMHO.
    Don't retire TechNet! -
    (Don't give up yet - 12,830+ strong and growing)

  • Heartbleed virus/vulnerability

    I have been hearing about the "heartbleed vulnerability" and told to change all my passwords. Does this apply to Macs? I thought they could not get viruses and this was one of the reasons I got one.

    See What is Heartbleed?
    (Fair disclosure: The Safe Mac is my site, and contains a Donate button, so I may receive compensation for providing links to The Safe Mac. Donations are not required.)

  • In what scenarios can Forefront UAG be affected by the Heartbleed vulnerability?

    As I'm sure we're all aware of the Heartbleed OpenSSL vulnerability. I'm asking any Microsoft Engineers if Forefront UAG is vulnerable to the Heartbleed bug and if not what scenarios could it be vulnerable? Thanks. 

    None. UAG doesn't use OpenSSL.  IAG didn't use OpenSSL either. Whale e-Gap did use OpenSSL, but not the 1.x version.
    Here is a command to test with:
    echo -e "quit\n" | openssl s_client -connect 192.168.1.1:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe
    Reference: http://www.css-security.com/blog/heartbleed-vulnerability-need-know/
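    The grep in that command looks for the heartbeat extension (id 15) that `openssl s_client -tlsextdebug` prints from the ServerHello. As an added example (not part of the thread, and not the referenced blog's code), the Python below performs the same check on raw bytes: it parses a TLS record, locates the ServerHello and reports whether extension 15 is advertised, which is useful when what you have is a packet capture rather than a live endpoint. The ServerHello bytes are constructed inline for the example; the cipher suite and extension values are sample choices.

```python
import struct

HEARTBEAT_EXT_TYPE = 15    # RFC 6520 extension id, the "(id=15)" the grep matches
RENEGOTIATION_INFO = 0xFF01


def _build_server_hello(extensions) -> bytes:
    """Construct a minimal TLS 1.2 ServerHello record (sample data, not captured)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"          # server_version: TLS 1.2
        + bytes(32)          # random: zeros for the sample
        + b"\x00"            # session_id length: 0
        + b"\xc0\x2f"        # cipher_suite: ECDHE-RSA-AES128-GCM-SHA256 (sample)
        + b"\x00"            # compression_method: null
    )
    if extensions:
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def _parse_server_hello_body(body: bytes) -> dict:
    """Return {extension_type: extension_data} from a ServerHello handshake body."""
    q = 2 + 32                                  # skip version and random
    if q >= len(body):
        raise ValueError("truncated ServerHello")
    q += 1 + body[q]                            # session_id length + session_id
    q += 2 + 1                                  # cipher_suite, compression_method
    exts = {}
    if q + 2 > len(body):
        return exts                             # no extensions block at all
    (ext_len,) = struct.unpack_from("!H", body, q)
    q += 2
    end = q + ext_len
    if end > len(body):
        raise ValueError("extensions length exceeds ServerHello body")
    while q + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, q)
        q += 4
        exts[etype] = body[q:q + elen]
        q += elen
    return exts


def server_hello_extensions(data: bytes) -> dict:
    """Walk TLS records, skip non-handshake records, and parse the first ServerHello."""
    off = 0
    while off + 5 <= len(data):
        ctype, _ver, rlen = struct.unpack_from("!BHH", data, off)
        off += 5
        payload = data[off:off + rlen]
        if len(payload) < rlen:
            raise ValueError("truncated TLS record")
        off += rlen
        if ctype != 22:                         # 22 = handshake; alerts etc. are skipped
            continue
        p = 0
        while p + 4 <= len(payload):
            htype = payload[p]
            hlen = int.from_bytes(payload[p + 1:p + 4], "big")
            hbody = payload[p + 4:p + 4 + hlen]
            if len(hbody) < hlen:
                raise ValueError("truncated handshake message")
            p += 4 + hlen
            if htype == 2:                      # ServerHello
                return _parse_server_hello_body(hbody)
    raise ValueError("no ServerHello found")


def advertises_heartbeat(record: bytes) -> bool:
    """True when the server's hello carries the heartbeat extension."""
    return HEARTBEAT_EXT_TYPE in server_hello_extensions(record)


# Constructed samples: one server advertising heartbeat (mode 1 = peer_allowed_to_send),
# one that only sends renegotiation_info.
WITH_HEARTBEAT = _build_server_hello([(RENEGOTIATION_INFO, b"\x00"), (HEARTBEAT_EXT_TYPE, b"\x01")])
WITHOUT_HEARTBEAT = _build_server_hello([(RENEGOTIATION_INFO, b"\x00")])

if __name__ == "__main__":
    print("sample 1 advertises heartbeat:", advertises_heartbeat(WITH_HEARTBEAT))
    print("sample 2 advertises heartbeat:", advertises_heartbeat(WITHOUT_HEARTBEAT))
```

    The caveat that applies equally to the openssl one-liner: a server that advertises the heartbeat extension is not necessarily vulnerable (a patched OpenSSL still advertises it), while a server that does not advertise it cannot be exploited through Heartbleed. Treat "heartbeat present" as a reason to confirm the OpenSSL version on the host, not as a verdict.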

  • Heartbleed vulnerability

    I notice that adobe.com is showing up as potentially vulnerable to the so-called "Heartbleed" exploit.
    Now obviously there is a wide range of views about how serious this is, from the biggest threat ever to nothing more than over-excited journalistic scaremongering.
    However some official comment on this status and the company's observations on it would be useful.
    Many thanks in advance.
    --Richard E

    Fixed is one thing and unaffected another.
    If it is fixed then you need to change your password and it is safe to do so.
    Unaffected means there is no action required.
    Someone on the CC Facebook page has asked the same question.  I would think Adobe should know by now.
    Tom Petaccia posted to Adobe Creative Cloud, April 9, near Charlotte, NC, United States (https://www.facebook.com/adobecreativecloud/timeline?filter=2#):
    "Are Adobe Creative Cloud accounts and Adobe accounts in general affected by the Heartbleed bug?"
    Adobe Creative Cloud replied (Britt, April 9 at 5:45pm):
    "Hi Tom, Let me check with the team on this and find out for you. Thanks, Britt"

  • When is Apple fixing the Heartbleed TLS vulnerability?

    It's concerning that I don't see evidence of Apple's action in response to being informed of the Heartbleed TLS vulnerability.
    It allows external access to SSL keys, passwords, accounts, and etc in memory.
    I'm hoping Apple has been secretly rushing a patch and that I will see it today or tomorrow.
    Does anyone have information on Apple progress?
    Thanks,
    Rich
    PS. There should be a security category.

    No worries. It's clear. All input was very helpful.
    Apple has no fix expected.
    Apple is secure as always.
    It is one of the many reasons I use Apple laptops for development.
    (Though I wish my MacBook Pro had way more RAM like 64GB or 128GB).
    Apple is missing an opportunity, though.
    This situation is actually a perfect time for Apple to brag about its security, by identifying that Heartbleed does not affect normal Apple users, unless they access a vulnerable site. And that developers are only at risk if the open source projects pull in OpenSSL 1.0.1 or 1.0.2beta. Easy to do and great for Apple's reputation.
    Consumers would hear "Apple good" and "World scary".
    Like any dangerous event, the Heartbleed alarm in the various communities is a little bit like yelling fire in the theater and management's response after.
    People have to be sure the alarm is false or does not affect them.
    If management speaks up, the problem is over.
    If management does not, then all the individuals run around avoiding the problem or assessing the problem for themselves. The latter is less efficient and more stressful.
    I spent several hours figuring out where I had to look to determine the scope and risk.
    All of the answers above were very helpful and reduced the scope of my effort.
    Thanks for all the input.
    There was no formal statement from Apple clarifying the issue. (At least none I could find)
    In fact some of today's security announcements (3pm 4/8/14) had complained that Apple
    had not responded to emails.
    Apple is not responsible for responding to all emails.
    And not all posts, even on stack overflow, are accurate.
    But in certain scenarios, a communication event is beneficial.
    It would have saved me hours, this community thread, the time of all who contributed here, and the time of all who read here.
    BTW: McAfee scans sites and can assess risk while you are browsing, but the local virus detection is not as good as others.
    BTW: Has anyone checked this site for the SSL version? (joke)
    Cheers!
    Rich
