ID

VAR-201404-0592

CVE

CVE-2014-0160

TITLE

OpenSSL TLS heartbeat extension read overflow discloses sensitive information

DESCRIPTION

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. OpenSSL 1.0.1 and 1.0.2 beta contain a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed.". LibYAML is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly sanitize user-supplied input. Successful exploits allow remote attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts likely result in denial-of-service conditions. Versions prior to LibYAML 0.1.6 are vulnerable. Ruby on Rails is prone to a denial-of-service vulnerability. Exploiting this issue allows remote attackers to trigger denial-of-service conditions due to excessive CPU consumption. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CA20140413-01: Security Notice for OpenSSL Heartbleed Vulnerability Issued: April 13, 2014 Updated: May 12, 2014 CA Technologies is investigating an OpenSSL vulnerability, referred to as the "Heartbleed bug" that was publicly disclosed on April 7, 2014. CVE identifier CVE-2014-0160 has been assigned to this vulnerability. CA Technologies has confirmed that the majority of our product portfolio is unaffected. There are, however, several products that used vulnerable versions of OpenSSL 1.0.1 and consequently may be affected. CA Technologies will update this security notice as additional information becomes available. Risk Rating High These products may be affected CA ARCserve D2D for Windows 16.5 CA ARCserve D2D for Linux 16.5, 16.5SP1 CA ARCserve High Availability 16.5, 16.5SP1, 16.5SP2 (SP2 build less than 3800) CA ARCserve Replication 16.5, 16.5SP1, 16.5SP2 (SP2 build less than 3800) CA ARCserve Unified Data Protection (Release Candidate) CA ecoMeter 3.1.1, 3.1.2, 4.0.00, 4.0.01, 4.0.02, 4.1.00, 4.1.01, 4.2.00 CA eHealth 6.3.0.05 thru 6.3.2.04 (all platforms affected) CA Layer 7 API Gateway 8.1 (installed but not used by default) CA Layer 7 API Portal 2.6 CA Layer 7 Mobile Access Gateway 8.1 (installed but not used by default) CA Mobile Device Management 2014 Q1 CA XCOM Data Transport - Only the Windows 64-bit XCOM application is affected. Note: At this time, no other CA Technologies products have been identified as potentially vulnerable. Solution CA ARCserve D2D for Windows 16.5: Apply fix RO69431. CA ARCserve D2D for Linux 16.5 and 16.5SP1: Apply fix RO69417. Note that r16.5 SP1 is a prerequisite for this fix. CA ARCserve High Availability 16.5, 16.5SP1, 16.5SP2 (SP2 build less than 3800): Apply Service Pack 2 (build 3800), which includes the fix for the OpenSSL Heartbleed vulnerability: RI69547. CA ARCserve Replication 16.5, 16.5SP1, 16.5SP2 (SP2 build less than 3800): Apply Service Pack 2 (build 3800), which includes the fix for the OpenSSL Heartbleed vulnerability: RI69547. CA ARCserve Unified Data Protection (Release Candidate): CA expects to provide a solution with the GA release on May 14, 2014 CA ecoMeter 3.1.1, 3.1.2: These versions of CA ecoMeter use eHealth as the data collection platform. Apply the appropriate fix listed below. Important note: Do not apply this patch to CA eHealth releases prior to 6.3.0.05 and/or systems utilizing CAC. Customers who use eHealth with CAC should wait for further notification as the testing for that configuration has not been completed. Windows: RO69554 Linux: RO69556 Solaris: RO69555 CA ecoMeter 4.0.00, 4.0.01, 4.0.02, 4.1.00, 4.1.01, 4.2.00: These versions of CA ecoMeter use eHealth as the data collection platform. Apply the appropriate fix listed below. Important note: The current CA eHealth / CA SiteMinder integration is not compatible with release 6.3.1.02 thru 6.3.2.04. Do not apply this patch to CA eHealth released prior to 6.3.1.02 and/or system utilizing CAC. Customers who use eHealth with CAC should wait for further notification as the testing for that configuration has not been completed. Windows: RO69442 Linux: RO69443 Solaris: RO69444 CA eHealth 6.3.0.05 - 6.3.1.01 (all platforms): Apply the appropriate fix listed below. Important note: Do not apply this patch to CA eHealth releases prior to 6.3.0.05 and/or systems utilizing CAC. Customers who use eHealth with CAC should wait for further notification as the testing for that configuration has not been completed. Windows: RO69554 Linux: RO69556 Solaris: RO69555 CA eHealth 6.3.1.02 - 6.3.2.04 (all platforms): Apply the appropriate fix listed below. Important note: The current CA eHealth / CA SiteMinder integration is not compatible with release 6.3.1.02 thru 6.3.2.04. Do not apply this patch to CA eHealth released prior to 6.3.1.02 and/or system utilizing CAC. Customers who use eHealth with CAC should wait for further notification as the testing for that configuration has not been completed. Windows: RO69442 Linux: RO69443 Solaris: RO69444 CA Layer 7 API Gateway 8.1: Solution was delivered on April 10, 2014 Refer to the Layer 7 Technologies Support site for solution. CA Layer 7 API Portal 2.6: Solution was delivered on April 10, 2014 Refer to the Layer 7 Technologies Support site for solution. CA Layer 7 Mobile Access Gateway 8.1: Solution was delivered on April 10, 2014 Refer to the Layer 7 Technologies Support site for solution. CA Mobile Device Management 2014 Q1: Apply Hotfix 1: CA MDM 2014Q1 Hotfix 1 CA XCOM Data Transport (only Windows 64-bit platform is affected): Solution RO69230 was published on April 11, 2014 Workaround None References CVE-2014-0160 - OpenSSL Heartbleed vulnerability Change History v1.0: 2014-04-13, Initial Release v1.1: 2014-04-14, Updated Layer 7 affected products and solution. v1.2: 2014-04-14, Updated XCOM Data Transport affected product info. v1.3: 2014-04-19, Modified affected versions for ARCserve D2D for Windows, ARCserve High Availability, ARCserve Replication, eHealth. Added ecoMeter to affected products. Modified solutions for ARCserve D2D for Windows, ARCserve D2D for Linux, ARCserve High Availability, ARCserve Replication, eHealth. Added ecoMeter 3.x and 4.x solution information. Added fixes for eHealth 6.3.1.02 – 6.3.2.04, and ecoMeter 4.x. v1.4: 2014-04-24, Modified ARCserve RHA affected versions. Added solutions for ARCserve D2D (Windows and Linux), ARCserve RHA, ecoMeter, eHealth. v1.5: 2014-05-12, Added fix for MDM. Fixes are now available for all potentially affected CA products. If additional information is required, please contact CA Technologies Support at https://support.ca.com/ . If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln@ca.com . PGP key: support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Security Notices https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Regards, Ken Williams Director, Product Vulnerability Response Team CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com Ken.Williams@ca.com | vuln@ca.com Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wj8DBQFTdhtEeSWR3+KUGYURAqHSAJ9DSbzijtuMxwyes6kJ21iJwHkXVQCZARiM GEWBqKGKzMXNkvtf/sUGm1Q= =C6WK -----END PGP SIGNATURE----- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04236102 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04236102 Version: 8 HPSBMU02995 rev.8 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-04-11 Last Updated: 2014-05-22 Potential Security Impact: Remote disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY The Heartbleed vulnerability was detected in specific OpenSSL versions. OpenSSL is a 3rd party product that is embedded with some of HP Software products. This bulletin objective is to notify HP Software customers about products affected by the Heartbleed vulnerability. Note: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found in the OpenSSL product cryptographic software library product. This weakness potentially allows disclosure of information protected, under normal conditions, by the SSL/TLS protocol. References: CVE-2014-0160 (SSRT101499) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Product Impacted HP Product Versions Notes HP Service Manager v9.32, v9.33 Security bulletin HPSBGN03008: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04248997 HP Asset Manager v9.40, v9.40 CSC Security Bulletin HPSBMU03018: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04260505 HP UCMDB Browser v1.x, v2.x, v3.x Security bulletin HPSBMU03019: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04260353 note: APR enabled on Tomcat includes an affected OpenSSL version HP UCMDB Configuration Manager v9.1x, v9.2x, v9.3x, v10.01, v10.10 Security bulletin HPSBMU03019: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04260353 HP CIT (ConnectIT) v9.52, v9.53 Security bulletin HPSBMU03017: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04260456 HP Executive Scorecard v9.40, v9.41 HP Server Automation v10.00, v10.01 Security bulletin HPSBGN03010: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04250814 HP Diagnostics v9.23, v9.23 IP1 Security bulletin HPSBMU03025 : https://h20564.www2.hp.com/portal/site/hpsc/ public/kb/docDisplay?docId=emr_na-c04267775 HP Business Process Monitor v.9.23, v.9.24 Security bulletin HPSBMU03044: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay?docId=emr_na-c04307186 HP LoadRunner v11.52, v12.0 Security bulletin HPSBMU03040: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay?docId=emr_na-c04286049 HP Performance Center v11.52, v12.0 Security bulletin HPSBMU03040: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay?docId=emr_na-c04286049 HP Autonomy WorkSite Server v9.0 SP1 (on-premises software) Security bulletin HPSBMU02999: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04239374 Impacted Versions table BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP Software is working to address this vulnerability for all affected product versions. HP Software will release product specific security bulletins for each impacted product. Each bulletin will include a patch and/or mitigation guideline. HP will update this bulletin with references to security bulletins for each product in the impacted versions table. Note: OpenSSL is an external product embedded in HP products. Bulletin Applicability: This bulletin applies to each OpenSSL component that is embedded within the HP products listed in the security bulletin. The bulletin does not apply to any other 3rd party application (e.g. operating system, web server, or application server) that may be required to be installed by the customer according instructions in the product install guide. To learn more about HP Software Incident Response, please visit http://www8.h p.com/us/en/software-solutions/enterprise-software-security-center/response-c enter.html . Software updates are available from HP Software Support Online at http://support.openview.hp.com/downloads.jsp HISTORY Version:1 (rev.1) - 11 April 2014 Initial release Version:2 (rev.2) - 13 April 2014 Added HP UCMDB Configuration Manager as impacted, updated HP UCMDB Browser impacted versions Version:3 (rev.3) - 17 April 2014 Added HP Software Autonomy WorkSite Server as impacted. Added security bulletin pointers for Service Manager, Server Automation and Worksite Server Version:4 (rev.4) - 18 April 2014 Changed impacted version list for UCMDB Browser Version:5 (rev.5) - 23 April 2014 Added security bulletins pointers for HP Asset Manager, HP UCMDB Browser, HP UCMDB Configuration Manager and HP CIT (ConnectIT) Version:6 (rev.6) - 28 April 2014 Added security bulletin link for HP Diagnostics, added HP Business Process Monitor to the product list Version:7 (rev.7) - 14 May 2014 Added links to security bulletin for LoadRunner and Performance Center Version:8 (rev.8) - 22 May 2014 Added link to security bulletin for Business Process Monitor 9.23, 9.24 Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. HP CloudSystem Foundation v8.02 is available at the following Software Depot download location: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber =Z7550-63210 Notes: The HP CloudSystem Foundation v8.02 also applies to HP CloudSystem Enterprise software. HP initially addressed this vulnerability by issuing update v8.01 on 30-April-2014. All other HP CloudSystem Foundation and HP CloudSystem Enterprise software download files remain at version 8.0. The combination of these files available at the link above makes up the overall CloudSystem solution. Customers who had downloaded a version of CloudSystem prior to this most recent update are encouraged to obtain the updated files from the Software Depot download location. HP recommends that customers with software support for HP CloudSystem Foundation or HP CloudSystem Enterprise, and have installed a version prior to v8.02, contact HP Technical Support to help determine the best method to proceed. A vulnerability has been discovered in OpenSSL library which may allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server. AFFECTED SOFTWARE VERSIONS AND DEVICES Device Affected software - --------------------- ------------------ Smart Cell Gateway 1.1.x SmartCell Access Points NOT AFFECTED ZoneDirector Controllers NOT AFFECTED ZoneFlex Access Points NOT AFFECTED Any products or services not mentioned in the table above are not affected DETAILS A vulnerability has been discovered in the popular OpenSSL cryptographic software library. This weakness exists in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). This vulnerability is due to a missing bounds check in implementation of the handling of the heartbeat extension. When exploited, this issue may lead to leak of memory contents from the server to the client and from the client to the server. IMPACT Ruckus devices incorporate OpenSSL library to implement various security related features. Below is list of the affected components: - - Administrative HTTPS Interface (Port 8443) CVSS v2 Base Score:5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) WORKAROUNDS Ruckus recommends that all customers apply the appropriate patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the following suggestions might help reduce the risk: - Do not expose administrative interfaces of Ruckus devices to untrusted networks such as the Internet. - Use a firewall to limit traffic to/from Ruckus device's administrative interface to trusted hosts. SOLUTION Ruckus recommends that all customers apply the appropriate patch(es) as soon as practical. The following software builds have the fix (any later builds will also have the fix): Branch Software Build - ------- ------------------ 1.1.x 1.1.2.0.142 DISCOVERY This vulnerability was disclosed online on various sources : - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 - - https://www.openssl.org/news/secadv_20140407.txt - - http://heartbleed.com/ OBTAINING FIXED FIRMWARE Ruckus customers can contact Ruckus support to obtain the fixed firmware Ruckus Support contact list is at: https://support.ruckuswireless.com/contact-us PUBLIC ANNOUNCEMENTS This security advisory will be made available for public consumption on April 14, 2014 at the following source Ruckus Website http://www.ruckuswireless.com/security SecurityFocus Bugtraq http://www.securityfocus.com/archive/1 Future updates of this advisory, if any, will be placed on Ruckus's website, but may or may not be actively announced on mailing lists. REVISION HISTORY Revision 1.0 / 14th April 2014 / Initial release RUCKUS WIRELESS SECURITY PROCEDURES Complete information on reporting security vulnerabilities in Ruckus Wireless products, obtaining assistance with security incidents is available at http://www.ruckuswireless.com/security For reporting new security issues, email can be sent to security(at)ruckuswireless.com For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.ruckuswireless.com/security STATUS OF THIS NOTICE: Final Although Ruckus cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Ruckus does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Ruckus may update this advisory. (c) Copyright 2014 by Ruckus Wireless This advisory may be redistributed freely after the public release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information. Until the software update is available, HP recommends limiting 3PAR OS Management Tools to use only on a secure and isolated private management network. HP has made Onboard Administrator (OA) v4.12 available to resolve the vulnerability here: 1) Go to: http://www.hp.com/go/oa 2) Click "Onboard Administrator Firmware" 3) Select "HP BLc3000 Onboard Administrator Option" or "HP BLc7000 Onboard Administrator Option" 4) Select an appropriate operating system from the list of choices 5) On the page, find Firmware 4.12 for download Notes Customers running OA v4.20 also have the option to downgrade OA firmware to OA v4.12 if that meets the requisite Hardware/feature support for the enclosure configuration. No action is required unless the OA is running the firmware versions explicitly listed as vulnerable. HP StoreEver ESL G3 Tape Libraries with MCB rev 2 OpenSSL version1.0.1f for the following firmware versions: 671H_GS00601 665H_GS12501 663H_GS04601 HP StoreEver ESL G3 Tape Libraries with MCB rev 1 Open SSL version 1.0.1e in 655H firmware versions: 655H_GS10201 HP StoreEver Enterprise Library LTO-6 Tape Drives: all firmware versions. This bulletin will be revised when the software updates are released. HP recommends the following mitigation or workaround that can reduce the likelihood of an attacker being able to exploit the "Heartbleed" vulnerability for the HP StoreEver ESL G3 Tape Library and the StoreEver Enterprise Library LTO-6 Tape Drives: The following configuration options that allow access to the Heartbeat function in the vulnerable versions of OpenSSL are not enabled by default. Verify that the following options are "disabled" using the Tape Library GUI: Secure SMI-S CVTL User Note: disabling these features blocks the vulnerable OpenSSL function in both the ESL G3 Tape Library and the StoreEver Enterprise Library LTO-6 Tape Drives. The basic functionality of the library is not affected by these configuration changes and SSL access to the user interface is not blocked by these settings. References: CVE-2009-3555 Unauthorized Modification CVE-2014-0160 Heartbleed - Disclosure of Information CVE-2014-0195 Remote Code Execution, Denial of Service (DoS) CVE-2014-3505 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3506 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3507 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3508 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3509 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3510 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3511 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3512 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3566 POODLE - Remote Disclosure of Information CVE-2014-5139 Shellshock - Remote Denial of Service (DoS) SSRT101846 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

network

TYPE

Input Validation Error

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES