https://community.extremenetworks.com/t5/faqs/response-to-quot-heartbleed-quot-cve-2014-0160-openssl/m-p/43468#M176 Article ID: 16130 <BR /> <BR /> <B>Products</B><BR /> The issue affects products which use OpenSSL 1.0.1 (March 2012) through 1.0.1f for SSL/HTTPS support.<BR /> OpenSSL 1.0.1g, released April 7 2014, resolves the vulnerability.<BR /> <BR /> Affected:<UL> <LI>Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1 </LI><LI>Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1 </LI><LI>64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0 </LI><LI>64-bit (Ubuntu) hardware-based and virtual NAC &amp; IA appliances running version 5.0, 5.1, or 6.0 </LI><LI>64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0</LI></UL><B>Discussion</B><BR /> Vulnerability notification <A href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160" target="_blank" rel="nofollow noreferrer noopener">CVE-2014-0160</A> was released on April 7 2014.<BR /> Its Overview states:<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.</PRE></DIV><BR /> <BR /> The high visibility and potentially high impact of this issue has spawned many follow-up reports which are visible in a web search for "<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">heartbleed</PRE></DIV>" or "<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">CVE-2014-0160</PRE></DIV>".<BR /> <BR /> Patches have been developed to address this vulnerability across all affected products, and these will be included in subsequent GA releases. Patch availability is discussed in <A href="http://bit.ly/1n6cUcI" target="_blank" rel="nofollow noreferrer noopener">16131</A>, which addresses this issue being tracked as US-CERT Vulnerability Advisory VU#720951. Mon, 14 Apr 2014 18:09:00 GMT FAQ_User 2014-04-14T18:09:00Z https://community.extremenetworks.com/t5/faqs/response-to-quot-heartbleed-quot-cve-2014-0160-openssl/m-p/43468#M176 Article ID: 16130 <BR /> <BR /> <B>Products</B><BR /> The issue affects products which use OpenSSL 1.0.1 (March 2012) through 1.0.1f for SSL/HTTPS support.<BR /> OpenSSL 1.0.1g, released April 7 2014, resolves the vulnerability.<BR /> <BR /> Affected:<UL> <LI>Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1 </LI><LI>Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1 </LI><LI>64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0 </LI><LI>64-bit (Ubuntu) hardware-based and virtual NAC &amp; IA appliances running version 5.0, 5.1, or 6.0 </LI><LI>64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0</LI></UL><B>Discussion</B><BR /> Vulnerability notification <A href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160" target="_blank" rel="nofollow noreferrer noopener">CVE-2014-0160</A> was released on April 7 2014.<BR /> Its Overview states:<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.</PRE></DIV><BR /> <BR /> The high visibility and potentially high impact of this issue has spawned many follow-up reports which are visible in a web search for "<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">heartbleed</PRE></DIV>" or "<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">CVE-2014-0160</PRE></DIV>".<BR /> <BR /> Patches have been developed to address this vulnerability across all affected products, and these will be included in subsequent GA releases. Patch availability is discussed in <A href="http://bit.ly/1n6cUcI" target="_blank" rel="nofollow noreferrer noopener">16131</A>, which addresses this issue being tracked as US-CERT Vulnerability Advisory VU#720951. Mon, 14 Apr 2014 18:09:00 GMT https://community.extremenetworks.com/t5/faqs/response-to-quot-heartbleed-quot-cve-2014-0160-openssl/m-p/43468#M176 FAQ_User 2014-04-14T18:09:00Z