ID

VAR-201404-0592

CVE

CVE-2014-0160

TITLE

OpenSSL of heartbeat Information disclosure vulnerability in expansion

DESCRIPTION

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. OpenSSL of heartbeat An information disclosure vulnerability exists in the implementation of the extension. TLS And DTLS In communication OpenSSL The memory contents of the process executing this code may be leaked to the communication partner.An important information such as a private key may be obtained by a remote third party. An attacker can exploit these issues to gain access to sensitive information that may aid in further attacks. OpenSSL 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, and 1.0.1 are vulnerable. This bulletin will be revised when the software updates are released. vulnerability was detected in specific OpenSSL versions. vulnerability. NOTE: The .Heartbleed. A new version of the CloudSystem Foundation component is provided, specified as version 8.01. All other CloudSystem download files remain at version 8.0. The combination of these files available at the link below make up the overall CloudSystem solution. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04236102 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c04236102 Version: 6 HPSBMU02995 rev.6 - HP Software HP Service Manager, Asset Manager, UCMDB Browser, UCMDB Configuration Manager, Executive Scorecard, Server Automation, Diagnostics, LoadRunner, and Performance Center, running OpenSSL, Remote Disclosure of Information NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2014-04-11 Last Updated: 2014-04-28 Potential Security Impact: Remote disclosure of information Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY The Heartbleed vulnerability was detected in specific OpenSSL versions. OpenSSL is a 3rd party product that is embedded with some of HP Software products. This bulletin objective is to notify HP Software customers about products affected by the Heartbleed vulnerability. Note: The Heartbleed vulnerability (CVE-2014-0160) is a vulnerability found in the OpenSSL product cryptographic software library product. This weakness potentially allows disclosure of information protected, under normal conditions, by the SSL/TLS protocol. References: CVE-2014-0160 (SSRT101499) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP Product Impacted HP Product Versions Notes HP Service Manager v9.32, v9.33 Security bulletin HPSBGN03008: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04248997 HP Asset Manager v9.40, v9.40 CSC Security Bulletin HPSBMU03018: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04260505 HP UCMDB Browser v1.x, v2.x, v3.x Security bulletin HPSBMU03019: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04260353 note: APR enabled on Tomcat includes an affected OpenSSL version HP UCMDB Configuration Manager v9.1x, v9.2x, v9.3x, v10.01, v10.10 Security bulletin HPSBMU03019: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04260353 HP CIT (ConnectIT) v9.52, v9.53 Security bulletin HPSBMU03017: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04260456 HP Executive Scorecard v9.40, v9.41 HP Server Automation v10.00, v10.01 Security bulletin HPSBGN03010: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04250814 HP Diagnostics v9.23, v9.23 IP1 Security bulletin HPSBMU03025 : https://h20564.www2.hp.com/portal/site/hpsc/ public/kb/docDisplay?docId=emr_na-c04267775 HP Business Process Monitor v.9.23, v.9.24 HP LoadRunner v11.52, v12.0 note: Controller/load generator communication channel HP Performance Center v11.52, v12.0 note: Controller/load generator communication channel HP Autonomy WorkSite Server v9.0 SP1 (on-premises software) Security bulletin HPSBMU02999: https://h20564.www2.hp.com/portal/site/hpsc/p ublic/kb/docDisplay/?docId=emr_na-c04239374 Impacted Versions table BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2014-0160 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP Software is working to address this vulnerability for all affected product versions. HP Software will release product specific security bulletins for each impacted product. Each bulletin will include a patch and/or mitigation guideline. HP will update this bulletin with references to security bulletins for each product in the impacted versions table. Note: OpenSSL is an external product embedded in HP products. Bulletin Applicability: This bulletin applies to each OpenSSL component that is embedded within the HP products listed in the security bulletin. The bulletin does not apply to any other 3rd party application (e.g. operating system, web server, or application server) that may be required to be installed by the customer according instructions in the product install guide. To learn more about HP Software Incident Response, please visit http://www8.h p.com/us/en/software-solutions/enterprise-software-security-center/response-c enter.html . Software updates are available from HP Software Support Online at http://support.openview.hp.com/downloads.jsp HISTORY Version:1 (rev.1) - 11 April 2014 Initial release Version:2 (rev.2) - 13 April 2014 Added HP UCMDB Configuration Manager as impacted, updated HP UCMDB Browser impacted versions Version:3 (rev.3) - 17 April 2014 Added HP Software Autonomy WorkSite Server as impacted. Added security bulletin pointers for Service Manager, Server Automation and Worksite Server Version:4 (rev.4) - 18 April 2014 Changed impacted version list for UCMDB Browser Version:5 (rev.5) - 23 April 2014 Added security bulletins pointers for HP Asset Manager, HP UCMDB Browser, HP UCMDB Configuration Manager and HP CIT (ConnectIT) Version:6 (rev.6) - 28 April 2014 Added security bulletin link for HP Diagnostics, added HP Business Process Monitor to the product list Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/ Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HP General Software HF = HP Hardware and Firmware MP = MPE/iX MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PI = Printing and Imaging PV = ProCurve ST = Storage Software TU = Tru64 UNIX UX = HP-UX Copyright 2014 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. HP CloudSystem Foundation v8.02 is available at the following Software Depot download location: https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber =Z7550-63210 Notes: The HP CloudSystem Foundation v8.02 also applies to HP CloudSystem Enterprise software. HP initially addressed this vulnerability by issuing update v8.01 on 30-April-2014. Customers who had downloaded a version of CloudSystem prior to this most recent update are encouraged to obtain the updated files from the Software Depot download location. HP recommends that customers with software support for HP CloudSystem Foundation or HP CloudSystem Enterprise, and have installed a version prior to v8.02, contact HP Technical Support to help determine the best method to proceed. A vulnerability has been discovered in OpenSSL library which may allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server. An exploit could disclose portions of memory containing sensitive security material such as passwords and private keys. AFFECTED SOFTWARE VERSIONS AND DEVICES Device Affected software - --------------------- ------------------ Smart Cell Gateway 1.1.x SmartCell Access Points NOT AFFECTED ZoneDirector Controllers NOT AFFECTED ZoneFlex Access Points NOT AFFECTED Any products or services not mentioned in the table above are not affected DETAILS A vulnerability has been discovered in the popular OpenSSL cryptographic software library. When exploited, this issue may lead to leak of memory contents from the server to the client and from the client to the server. These memory contents could contain sensitive security material such as passwords and private keys. IMPACT Ruckus devices incorporate OpenSSL library to implement various security related features. Below is list of the affected components: - - Administrative HTTPS Interface (Port 8443) CVSS v2 Base Score:5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) WORKAROUNDS Ruckus recommends that all customers apply the appropriate patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the following suggestions might help reduce the risk: - Do not expose administrative interfaces of Ruckus devices to untrusted networks such as the Internet. - Use a firewall to limit traffic to/from Ruckus device's administrative interface to trusted hosts. SOLUTION Ruckus recommends that all customers apply the appropriate patch(es) as soon as practical. The following software builds have the fix (any later builds will also have the fix): Branch Software Build - ------- ------------------ 1.1.x 1.1.2.0.142 DISCOVERY This vulnerability was disclosed online on various sources : - - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 - - https://www.openssl.org/news/secadv_20140407.txt - - http://heartbleed.com/ OBTAINING FIXED FIRMWARE Ruckus customers can contact Ruckus support to obtain the fixed firmware Ruckus Support contact list is at: https://support.ruckuswireless.com/contact-us PUBLIC ANNOUNCEMENTS This security advisory will be made available for public consumption on April 14, 2014 at the following source Ruckus Website http://www.ruckuswireless.com/security SecurityFocus Bugtraq http://www.securityfocus.com/archive/1 Future updates of this advisory, if any, will be placed on Ruckus's website, but may or may not be actively announced on mailing lists. REVISION HISTORY Revision 1.0 / 14th April 2014 / Initial release RUCKUS WIRELESS SECURITY PROCEDURES Complete information on reporting security vulnerabilities in Ruckus Wireless products, obtaining assistance with security incidents is available at http://www.ruckuswireless.com/security For reporting new security issues, email can be sent to security(at)ruckuswireless.com For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.ruckuswireless.com/security STATUS OF THIS NOTICE: Final Although Ruckus cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Ruckus does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Ruckus may update this advisory. (c) Copyright 2014 by Ruckus Wireless This advisory may be redistributed freely after the public release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CA20140413-01: Security Notice for OpenSSL Heartbleed Vulnerability Issued: April 13, 2014 Updated: May 12, 2014 CA Technologies is investigating an OpenSSL vulnerability, referred to as the "Heartbleed bug" that was publicly disclosed on April 7, 2014. CVE identifier CVE-2014-0160 has been assigned to this vulnerability. CA Technologies has confirmed that the majority of our product portfolio is unaffected. There are, however, several products that used vulnerable versions of OpenSSL 1.0.1 and consequently may be affected. CA Technologies will update this security notice as additional information becomes available. Risk Rating High These products may be affected CA ARCserve D2D for Windows 16.5 CA ARCserve D2D for Linux 16.5, 16.5SP1 CA ARCserve High Availability 16.5, 16.5SP1, 16.5SP2 (SP2 build less than 3800) CA ARCserve Replication 16.5, 16.5SP1, 16.5SP2 (SP2 build less than 3800) CA ARCserve Unified Data Protection (Release Candidate) CA ecoMeter 3.1.1, 3.1.2, 4.0.00, 4.0.01, 4.0.02, 4.1.00, 4.1.01, 4.2.00 CA eHealth 6.3.0.05 thru 6.3.2.04 (all platforms affected) CA Layer 7 API Gateway 8.1 (installed but not used by default) CA Layer 7 API Portal 2.6 CA Layer 7 Mobile Access Gateway 8.1 (installed but not used by default) CA Mobile Device Management 2014 Q1 CA XCOM Data Transport - Only the Windows 64-bit XCOM application is affected. Note: At this time, no other CA Technologies products have been identified as potentially vulnerable. Solution CA ARCserve D2D for Windows 16.5: Apply fix RO69431. CA ARCserve D2D for Linux 16.5 and 16.5SP1: Apply fix RO69417. Note that r16.5 SP1 is a prerequisite for this fix. CA ARCserve High Availability 16.5, 16.5SP1, 16.5SP2 (SP2 build less than 3800): Apply Service Pack 2 (build 3800), which includes the fix for the OpenSSL Heartbleed vulnerability: RI69547. CA ARCserve Replication 16.5, 16.5SP1, 16.5SP2 (SP2 build less than 3800): Apply Service Pack 2 (build 3800), which includes the fix for the OpenSSL Heartbleed vulnerability: RI69547. CA ARCserve Unified Data Protection (Release Candidate): CA expects to provide a solution with the GA release on May 14, 2014 CA ecoMeter 3.1.1, 3.1.2: These versions of CA ecoMeter use eHealth as the data collection platform. Apply the appropriate fix listed below. Important note: Do not apply this patch to CA eHealth releases prior to 6.3.0.05 and/or systems utilizing CAC. Customers who use eHealth with CAC should wait for further notification as the testing for that configuration has not been completed. Windows: RO69554 Linux: RO69556 Solaris: RO69555 CA ecoMeter 4.0.00, 4.0.01, 4.0.02, 4.1.00, 4.1.01, 4.2.00: These versions of CA ecoMeter use eHealth as the data collection platform. Apply the appropriate fix listed below. Important note: The current CA eHealth / CA SiteMinder integration is not compatible with release 6.3.1.02 thru 6.3.2.04. Do not apply this patch to CA eHealth released prior to 6.3.1.02 and/or system utilizing CAC. Customers who use eHealth with CAC should wait for further notification as the testing for that configuration has not been completed. Windows: RO69442 Linux: RO69443 Solaris: RO69444 CA eHealth 6.3.0.05 - 6.3.1.01 (all platforms): Apply the appropriate fix listed below. Important note: Do not apply this patch to CA eHealth releases prior to 6.3.0.05 and/or systems utilizing CAC. Customers who use eHealth with CAC should wait for further notification as the testing for that configuration has not been completed. Windows: RO69554 Linux: RO69556 Solaris: RO69555 CA eHealth 6.3.1.02 - 6.3.2.04 (all platforms): Apply the appropriate fix listed below. Important note: The current CA eHealth / CA SiteMinder integration is not compatible with release 6.3.1.02 thru 6.3.2.04. Do not apply this patch to CA eHealth released prior to 6.3.1.02 and/or system utilizing CAC. Customers who use eHealth with CAC should wait for further notification as the testing for that configuration has not been completed. Windows: RO69442 Linux: RO69443 Solaris: RO69444 CA Layer 7 API Gateway 8.1: Solution was delivered on April 10, 2014 Refer to the Layer 7 Technologies Support site for solution. CA Layer 7 API Portal 2.6: Solution was delivered on April 10, 2014 Refer to the Layer 7 Technologies Support site for solution. CA Layer 7 Mobile Access Gateway 8.1: Solution was delivered on April 10, 2014 Refer to the Layer 7 Technologies Support site for solution. CA Mobile Device Management 2014 Q1: Apply Hotfix 1: CA MDM 2014Q1 Hotfix 1 CA XCOM Data Transport (only Windows 64-bit platform is affected): Solution RO69230 was published on April 11, 2014 Workaround None References CVE-2014-0160 - OpenSSL Heartbleed vulnerability Change History v1.0: 2014-04-13, Initial Release v1.1: 2014-04-14, Updated Layer 7 affected products and solution. v1.2: 2014-04-14, Updated XCOM Data Transport affected product info. v1.3: 2014-04-19, Modified affected versions for ARCserve D2D for Windows, ARCserve High Availability, ARCserve Replication, eHealth. Added ecoMeter to affected products. Modified solutions for ARCserve D2D for Windows, ARCserve D2D for Linux, ARCserve High Availability, ARCserve Replication, eHealth. Added ecoMeter 3.x and 4.x solution information. Added fixes for eHealth 6.3.1.02 – 6.3.2.04, and ecoMeter 4.x. v1.4: 2014-04-24, Modified ARCserve RHA affected versions. Added solutions for ARCserve D2D (Windows and Linux), ARCserve RHA, ecoMeter, eHealth. v1.5: 2014-05-12, Added fix for MDM. Fixes are now available for all potentially affected CA products. If additional information is required, please contact CA Technologies Support at https://support.ca.com/ . If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team at vuln@ca.com . PGP key: support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782 Security Notices https://support.ca.com/irj/portal/anonymous/phpsbpldgpg Regards, Ken Williams Director, Product Vulnerability Response Team CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com Ken.Williams@ca.com | vuln@ca.com Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 11749. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. -----BEGIN PGP SIGNATURE----- Version: Encryption Desktop 10.3.2 (Build 15238) Charset: utf-8 wj8DBQFTdhtEeSWR3+KUGYURAqHSAJ9DSbzijtuMxwyes6kJ21iJwHkXVQCZARiM GEWBqKGKzMXNkvtf/sUGm1Q= =C6WK -----END PGP SIGNATURE----- . References: CVE-2009-3555 Unauthorized Modification CVE-2014-0160 Heartbleed - Disclosure of Information CVE-2014-0195 Remote Code Execution, Denial of Service (DoS) CVE-2014-3505 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3506 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3507 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3508 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3509 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3510 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3511 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3512 Heartbleed - Remote Denial of Service (DoS) CVE-2014-3566 POODLE - Remote Disclosure of Information CVE-2014-5139 Shellshock - Remote Denial of Service (DoS) SSRT101846 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Note: OpenSSL has been updated 1.0.1g in these updates

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

network

TYPE

Design Error

CONFIGURATIONS

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES