OpenSSL vulnerability 6 Aug 2014

Is RTMPS affected by the following vulnerabilities?
I use AMS 5.0.3 on CentOS 6.4.
CVE-2014-3508,CVE-2014-5139,CVE-2014-3509,CVE-2014-3505,
CVE-2014-3506,CVE-2014-3507,CVE-2014-3510,CVE-2014-3511,
CVE-2014-3512
Thanks.

> http://www.openssl.org/news/secadv_20140605.txt
secadv_20140605.txt doesn't mention the vulnerabilities below.
CVE-2014-3508,CVE-2014-5139,CVE-2014-3509,CVE-2014-3505,
CVE-2014-3506,CVE-2014-3507,CVE-2014-3510,CVE-2014-3511,
CVE-2014-3512
As far as I know, we need to use openssl-1.0.1i to cope with them.
Does AMS 5.0.6 cope with them?

Similar Messages

  • OpenSSL vulnerability CVE-2014-0224

    My customer wants to know whether ASE is affected by the following OpenSSL vulnerabilities in http://www.openssl.org/news/secadv_20140605.txt
          SSL/TLS MITM vulnerability (CVE-2014-0224),
          DTLS recursion flaw (CVE-2014-0221)
          DTLS invalid fragment vulnerability (CVE-2014-0195)
          SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
          SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
          Anonymous ECDH denial of service (CVE-2014-3470)
    Can you help me to confirm the above question?

    You have clearly double posted this question in two groups.
    So the first question goes back to you.
    Are you running SAP applications on ASE? If so, this is not the proper group.

  • SAP BCM 6 +7 // OpenSSL vulnerability "Heartbleed"

    Hi All,
    Information on SAP BCM and Heartbleed:
    The Heartbleed vulnerability in OpenSSL (CVE-2014-0160) has received a significant amount of attention recently. While the discovered issue is specific to OpenSSL, customers might be wondering whether this affects SAP BCM product.
    SAP BCM is not using OpenSSL and thus is not affected by the OpenSSL vulnerability. All versions of SAP BCM are using Windows’ implementation of SSL/TLS (called Secure Channel, a.k.a. SChannel) which is not impacted.
    Regards,
    Jukka
    SAP BCM Team

    Hi Harish,
    First of all - a disclaimer... I am a BCM consultant, and my company is heavily involved in BCM implementations, and turn-key BCM solutions... so I'm not going to say that you "must" have a BCM consultant.
    However, BCM implementation requires a different skillset from your typical Basis skillset. The most important thing is that the individual(s) implementing BCM has been trained by SAP and/or has previous experience - yes, there are people out there with superb skills that can figure anything out, and get it working... But getting the sizing, landscape and network right is extremely important, so you also need access to someone with IP telephony skills/experience.
    You will also want your voice team to become comfortable with managing and administering BCM as things like maintaining skills, queues, schedules, prompts, capacity, routing, IVR, etc. usually fall in their domain.
    Hope that helps!
    Sincerely,
    Glenn
    Glenn Abel
    Covington Creative
    www.covingtoncreative.com

  • SQL Azure Data Sync stuck in Processing State since 16 Aug 2014

    Hi,
    I have a sync group stuck in "processing" state since 16 Aug 2014. I have tried to restart the client PC, restarted the sync service and also tried to regenerate the sync agent key, but all in vain. Would anyone please help me figure out what the problem is? I have many sync groups that have been running without any problem for more than a year, and encountered this problem only recently (in the last 3 months).
    Here's the sync group details:
    Sync Group Name: ew_sync_a037
    Last Sync: 8/16/2014 9:17:37 PM
    Sync Group ID: 15a3a3c5-f867-4ba4-b7af-92fb5c8d36a6_East Asia
    Location: East Asia
    Subscription Name: Pay-As-You-Go
    Subscription ID: f979186d-23f7-45e3-8d5e-c14c89c56a7f
    Conflict Resolution: Client Wins
    Thanks for your help.
    Best regards,
    Michael Yung

    Hi Michael,
    Thanks for posting the subscription ID and Sync Group ID. The Microsoft support engineer will help to solve the problem from the backend. Some delay might be expected. Your patience is greatly appreciated. Thank you for your understanding and support.
    Regards,
    Charlie Liao
    TechNet Community Support

  • Can't open Mini Bridge because the Extensions are not supported in PS CC Aug 2014

    OS X 10.9.4 Ps CC Aug 2014. There's File > Browse with Bridge and no File > Browse with Mini Bridge chance. Neither can I open Mini Bridge from the Extensions panel, because Window > Extensions (not active). Adobe Extensions Manager CC is blind. HELP please

    To my knowledge mini bridge is no longer supported.
    You can run the full version of bridge which would be running anyway for mini bridge to work, then use that to view or open files.

  • My Creative Cloud says "Start Trial" for PS, ID, AI, DW. Why? All I did was update these apps. I have a paid subscription since Aug 2014.

    My Creative Cloud says "Start Trial" for PS, ID, AI, DW. Why? All I did was update these apps. I have a paid subscription since Aug 2014.

    Log out of your Cloud account... Restart your computer... Log in to your paid Cloud account
    -Sign in help http://helpx.adobe.com/x-productkb/policy-pricing/account-password-sign-faq.html
    or
    A chat session where an agent may remotely look inside your computer may help
    Creative Cloud chat support (all Creative Cloud customer service issues)
    http://helpx.adobe.com/x-productkb/global/service-ccm.html

  • [SOLVED] new openssl vulnerability

    I wasn't sure where to put this, but didn't see an official roll of the patched non vulnerable version of openssl except the one in testing, anyone know if one is in the works or should we start patching/compiling/downgrading?
    CVE-2014-0160
    http://heartbleed.com/
    http://web.nvd.nist.gov/view/vuln/detai … -2014-0160
    Last edited by gnarliprime (2014-04-08 03:59:19)

    Posted for info only. Please feel free to move it if it's more appropriate somewhere else:
    Email received today (and yes, it's verified as correct)
    here are news [1] about a bug in OpenSSL that may allow an attacker to
    leak arbitrary information from any process using OpenSSL. [2]
    We contacted you, because you have subscribed to get general announcements,
    or you have had a server certificate since the bug was introduced into the
    OpenSSL releases and are especially likely to be affected by it.
    CAcert is not responsible for this issue. But we want to inform members
    about it, who are especially likely to be vulnerable or otherwise affected.
    Good news:
    ==========
    Certificates issued by CAcert are not broken and our central systems did
    not leak your keys.
    Bad news:
    =========
    Even then you may be affected.
    Although your keys were not leaked by CAcert your keys on your own systems
    might have been compromised if you were or are running a vulnerable version
    of OpenSSL.
    To elaborate on this:
    =====================
    The central systems of CAcert and our root certificates are not affected by
    this issue. Regrettably some of our infrastructure systems were affected by
    the bug. We are working to fix them and already completed work for the most
    critical ones. If you logged into those systems, within the last two years,
    (see list in the blog post) you might be affected!
    But unfortunately given the nature of this bug we have to assume that the
    certificates of our members may be affected, if they were used in an
    environment with a publicly accessible OpenSSL connection (e.g. Apache web
    server, mail server, Jabber server, ...). The bug has been open in OpenSSL
    for two years - from December 2011 and was introduced in stable releases
    starting with OpenSSL 1.0.1.
    When an attacker can reach a vulnerable service he can abuse the TLS
    heartbeat extension to retrieve arbitrary chunks of memory by exploiting a
    missing bounds check. This can lead to disclosure of your private keys,
    resident session keys and other key material as well as all volatile
    memory contents of the server process like passwords, transmitted user data
    (e.g. web content) as well as other potentially confidential information.
    Exploiting this bug does not leave any noticeable traces, thus for any
    system which is (or has been) running a vulnerable version of OpenSSL you
    must assume that at least your used server keys are compromised and
    therefore must be replaced by newly generated ones. Simply renewing
    existing certificates is not sufficient! - Please generate NEW keys with at
    least 2048 bit RSA or stronger!
    As mentioned above this bug can be used to leak passwords and thus you
    should consider changing your login credentials to potentially compromised
    systems as well as any other system where those credentials might have been
    used as soon as possible.
    An (incomplete) list of commonly used software which include or link to
    OpenSSL can be found at [5].
    What to do?
    ===========
    - Ensure that you upgrade your system to a fixed OpenSSL version (1.0.1g or
    above).
    - Only then create new keys for your certificates.
    - Revoke all certificates, which may be affected.
    - Check what services you have used that may have been affected within the
    last two years.
    - Wait until you think that those environments got fixed.
    - Then (and only then) change your credentials for those services. If you
    do it too early, i.e. before the sites got fixed, your data may be leaked,
    again. So be careful when you do this.
    CAcert's response to the bug:
    =============================
    - We updated most of the affected infrastructure systems and created new
    certificates for them. The remaining will follow, soon.
    - We used this opportunity to upgrade to 4096 bit RSA keys signed with
    SHA-512. The new fingerprints can be found in the list in the blog post.
    - With this email we contact all members, who had active server
    certificates within the last two years.
    - We will keep you updated, in the blog.
    A list of affected and fixed infrastructure systems and new information can
    be found at:

  • Cisco Security Manager is vulnerable to CVE-2014-0160 - aka Heartbleed

    Dear All,
    We have CSM 4.4.0 SP2 patch 1 installed with no default configuration.
    According to Cisco, CSM is under the Vulnerable Products list with Cisco bug ID CSCuo19265.
    Do I need to take any action for my CSM ?
    Thanks & Regards
    Ahmed...

    I'm not sure if that's true. The release notes don't state anything about fixing that bug. Also, looking at the open source licenses PDF for 4.6.0, it states OpenSSL version: 1.0.1e (which is the same version as 4.5.0, and all versions 1a through 1f are vulnerable).
    I would find it very odd they didn't fix it considering it was released just yesterday.

  • Android 4.1.1 and New Bug (OpenSSL Vulnerability)

    I have updated my device to 4.1.1 recently, which it seems is the only version of Android that would be affected by this bug.
    http://www.bloomberg.com/news/2014-04-11/millions-of-android-devices-vulnerable-to-heartbleed-bug.ht...
    Is there another update for my device to fix it?

    Hi SonyTab,
    Please provide us the exact model name of your unit so we can check the specifications and provide accurate solutions. You can use this guide to determine the exact model name. Thanks!

  • Openssl vulnerability -- Adobe Connect 8.2

    What is the supported patch / fix for Adobe Connect 8.2 and Openssl vulnerabilities discovered over the last few months?  I'm assuming it is due to an old stunnel implementation.
    The remote service accepted an SSL ChangeCipherSpec message at an incorrect point in the handshake leading to weak keys being used, and then attempted to decrypt an SSL record using those weak keys.
    CVE-2010-5298
    CVE-2014-0076
    CVE-2014-0195
    CVE-2014-0198
    CVE-2014-0221
    CVE-2014-0224
    CVE-2014-3470

    You should go and download the Stunnel application and replace the version included with Connect 8.2. stunnel: Downloads
    So you are aware, Connect 9 and newer installers no longer come with Stunnel, so you will need to go to Stunnel's site to download the latest version when upgrading (unless you are already on the latest version).

  • Bash vulnerability bash CVE-2014-6271 on Cisco devices

    Hi, all,
    Anybody know whether any Cisco devices are vulnerable to  recent bash CVE-2014-6271? I am especially concerned about ASA which opens https to the public.
    Thanks,

    Have a look here: 
    http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_Bash_09252014.html
    and here:
    http://tools.cisco.com/security/center/mcontent/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    Under affected products. 

  • Cisco IOS XE is vulnerable to CVE-2014-0160 - aka Heartbleed CSCuo19730 on Cisco 4500E IOS XE?

    Hello Experts,
    I need to find out which exact IOS XE software version on the Catalyst 4507E is affected by Heartbleed.
    Cisco WS-C4507R+E
    WS-X45-SUP7-E
    Thanks in advance.

    @apieper, looking at the bug details, it doesn't look like you are affected.
    Conditions:
    Cisco IOS XE devices running release 3.11.0S, 3.11.1S or 3.12.0S and with the WebUI interface over HTTPs enabled. No other versions of Cisco IOS XE are affected.
    Devices with the WebUI interface enabled and using HTTPs as transport protocol will include the following configuration:
    transport-map type persistent webui http-webui
    secure-server
    ip http secure-server
    transport type persistent webui input http-webui
    Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S but WITHOUT the WebUI interface enabled, or with the WebUI interface enabled but NOT using HTTPs as transport protocol are NOT AFFECTED by this vulnerability.
    Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S and with the HTTPs server enabled (by including in their configuration the line "ip http secure-server") are NOT affected. Both the HTTPs server and the WebUI interface need to be enabled for a device to be vulnerable.
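The conditions quoted in the reply above can be checked mechanically against a saved running-config. This is an added example, not code from Cisco or from the original posts; the function names and sample configs are hypothetical, and it assumes sub-commands are indented under their `transport-map` block as they are in a running-config.

```python
import re

# Releases the bug conditions quoted above list as affected.
AFFECTED_RELEASES = {"3.11.0S", "3.11.1S", "3.12.0S"}
MAP_RE = re.compile(r"^transport-map type persistent webui (\S+)$")
INPUT_RE = re.compile(r"^transport type persistent webui input (\S+)$")

# Constructed sample configs (not from a real device).
WEBUI_HTTPS = """\
transport-map type persistent webui http-webui
 secure-server
!
ip http secure-server
transport type persistent webui input http-webui
"""
HTTPS_ONLY = "ip http secure-server\n"
WEBUI_HTTP = """\
transport-map type persistent webui http-webui
 server
!
ip http server
transport type persistent webui input http-webui
"""


def webui_over_https(config: str) -> bool:
    """True when the WebUI is enabled with HTTPS as its transport."""
    secure_maps, applied_maps = set(), set()
    https_server, current_map = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[0].isspace():  # indented: sub-command of the open block
            if current_map and line == "secure-server":
                secure_maps.add(current_map)
            continue
        current_map = None  # any top-level line closes the block
        if m := MAP_RE.match(line):
            current_map = m.group(1)
        elif line == "ip http secure-server":
            https_server = True
        elif m := INPUT_RE.match(line):
            applied_maps.add(m.group(1))
    # The map bound as WebUI input must itself carry secure-server.
    return https_server and bool(secure_maps & applied_maps)


def heartbleed_exposed(release: str, config: str) -> bool:
    """Apply the quoted conditions: affected release AND WebUI over HTTPS."""
    return release in AFFECTED_RELEASES and webui_over_https(config)


if __name__ == "__main__":
    for name, cfg in [("webui-https", WEBUI_HTTPS), ("https-only", HTTPS_ONLY)]:
        print(name, heartbleed_exposed("3.11.1S", cfg))
```

A device with only `ip http secure-server` configured comes back unexposed, matching the last paragraph of the quoted conditions.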

  • Extension panel in Ps CC aug 2014 is unavailable! No extensions support. Please help

    How can I manage? I have no extensions support and the extension function is faded out in the WINDOW->pop-up list in my PS CC (using Ps Lr Plan in CC, OS X 10.9.4). The latest Adobe Extension Manager doesn't recognize any extensions or programs either (the list is empty).

    Good day!
    Which Panels are you talking about exactly?
    If it’s Flash Panels you can forget them for CC 2014 as Flash support has been dropped; but one can create custom Panels in html5 now.
    Regards,
    Pfaffenbichler

  • Is RTMPS affected by the Heartbleed bug?

    Or any component for using RTMPS? For example: Adobe Media Server, Flash Player (on Windows, Mac, etc.)?
    Please let me know.
    Thanks.

    Hi Namita,
    I just found this thread : OpenSSL vulnerability 6 Aug 2014 from August and it says AMS 5.0.6 has the fix for the bug. So other versions 5.0.1 through 5.0.5 are affected by the bug?
    Could you please clarify?
    Thanks a bunch.

  • High Risk on DMP 4400 and 4310 "OpenSSL MITM CVE-2014-0224"

    I cannot find a patch to fix the problem - is there a fix or should I create a TAC case?
    DMM version - 5.3.0
    4310 and 4400 - version 5.4.1

    Here is what I received for the Dell Response to Openssl vulnerability. 
    After a couple of calls to technical support here is what I'm getting for my iDRAC7 getting flagged by Foundstone security scans for the vulnerability CVE-2014-0224:
    " The OPEN SSL package used here contains multiple components, the component that is impacted and vulnerable is not being used, other components in this package are being used but aren't vulnerable".
    "Dell has determined that the products listed in the attached document are not affected by the vulnerabilities.  Some products have leveraged an older (but not vulnerable) OpenSSL module.  These could be flagged by a scanner.  Dell is currently working on updating the modules to a version that will not be flagged for these issues".
    I've also attempted to upload the document, hopefully it can be viewed or downloaded.
    If this post has helped you please rate it. 
    Thanks
    2376.Dell-ResponseOpenSSLSecurityAdvisory_05_June_2014_final.pdf
