https://community.extremenetworks.com/t5/faqs/extreme-networks-response-to-us-cert-vulnerability-advisory-vu/m-p/45258#M306 Article ID: 16131 <BR /> <BR /> <B>Products</B><BR /> Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1<BR /> Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1<BR /> 64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0<BR /> 64-bit (Ubuntu) hardware-based and virtual NAC &amp; IA appliances running version 5.0, 5.1, or 6.0<BR /> 64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0<BR /> <BR /> <B>Discussion</B><BR /> On April 7 2014, US-CERT issued advisory <A href="http://www.kb.cert.org/vuls/id/720951" target="_blank" rel="nofollow noreferrer noopener"></A><PRE><A href="http://www.kb.cert.org/vuls/id/720951" target="_blank" rel="nofollow noreferrer noopener">720951</A></PRE>.<BR /> (This issue is also tracked as <A href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160" target="_blank" rel="nofollow noreferrer noopener"></A><PRE><A href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160" target="_blank" rel="nofollow noreferrer noopener">CVE-2014-0160</A></PRE>, and discussed in <A href="http://bit.ly/1t03AZw" target="_blank" rel="nofollow noreferrer noopener">16130</A>.)<BR /> <BR /> The advisory overview...<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">OpenSSL 1.0.1 contains a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed."</PRE></DIV><BR /> <BR /> The advisory impact...<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.</PRE></DIV><BR /> <BR /> The advisory lists a number of affected vendors, including <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Extreme Networks</PRE></DIV> and <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Enterasys Networks</PRE></DIV>.<BR /> <BR /> If within the advisory the hyperlinked <A href="http://www.kb.cert.org/vuls/id/BLUU-9HY332" target="_blank" rel="nofollow noreferrer noopener"></A><PRE><A href="http://www.kb.cert.org/vuls/id/BLUU-9HY332" target="_blank" rel="nofollow noreferrer noopener">Extreme Networks</A></PRE> or <A href="http://www.kb.cert.org/vuls/id/BLUU-9HY32U" target="_blank" rel="nofollow noreferrer noopener"></A><PRE><A href="http://www.kb.cert.org/vuls/id/BLUU-9HY32U" target="_blank" rel="nofollow noreferrer noopener">Enterasys Networks</A></PRE> Information still reads "<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">No statement is currently available from the vendor regarding this vulnerability.</PRE></DIV>", then please refer to <A href="http://learn.extremenetworks.com/rs/extreme/images/CERT_VU%23720951_Vulnerability_Advisory_04_11_2014v2.pdf" target="_blank" rel="nofollow noreferrer noopener">this statement</A> (.pdf, 200 KB) submitted to US-CERT on April 11 2014.<BR /> <BR /> EXOS 15.4.1.3-patch1-10 is available for download via <A href="https://esupport.extremenetworks.com/eservice_enu/start.swe" target="_blank" rel="nofollow noreferrer noopener">eSupport</A>'s "<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Download Software Updates</PRE></DIV>" link.<BR /> The NetSight patch is available for download from the <A href="https://extranet.enterasys.com/downloads/Pages/NMS.aspx" target="_blank" rel="nofollow noreferrer noopener">NMS Product page</A>, or <A href="https://enterasys.box.com/shared/static/04o3hf3aryuym26t0c4m.zip" target="_blank" rel="nofollow noreferrer noopener">here</A> (1.5 MB).<BR /> A set of Dragon signatures was released on April 9, to assist in detecting attempted exploits. Mon, 14 Apr 2014 17:55:00 GMT FAQ_User 2014-04-14T17:55:00Z https://community.extremenetworks.com/t5/faqs/extreme-networks-response-to-us-cert-vulnerability-advisory-vu/m-p/45258#M306 Article ID: 16131 <BR /> <BR /> <B>Products</B><BR /> Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1<BR /> Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1<BR /> 64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0<BR /> 64-bit (Ubuntu) hardware-based and virtual NAC &amp; IA appliances running version 5.0, 5.1, or 6.0<BR /> 64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0<BR /> <BR /> <B>Discussion</B><BR /> On April 7 2014, US-CERT issued advisory <A href="http://www.kb.cert.org/vuls/id/720951" target="_blank" rel="nofollow noreferrer noopener"></A><PRE><A href="http://www.kb.cert.org/vuls/id/720951" target="_blank" rel="nofollow noreferrer noopener">720951</A></PRE>.<BR /> (This issue is also tracked as <A href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160" target="_blank" rel="nofollow noreferrer noopener"></A><PRE><A href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160" target="_blank" rel="nofollow noreferrer noopener">CVE-2014-0160</A></PRE>, and discussed in <A href="http://bit.ly/1t03AZw" target="_blank" rel="nofollow noreferrer noopener">16130</A>.)<BR /> <BR /> The advisory overview...<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">OpenSSL 1.0.1 contains a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed."</PRE></DIV><BR /> <BR /> The advisory impact...<BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.</PRE></DIV><BR /> <BR /> The advisory lists a number of affected vendors, including <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Extreme Networks</PRE></DIV> and <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Enterasys Networks</PRE></DIV>.<BR /> <BR /> If within the advisory the hyperlinked <A href="http://www.kb.cert.org/vuls/id/BLUU-9HY332" target="_blank" rel="nofollow noreferrer noopener"></A><PRE><A href="http://www.kb.cert.org/vuls/id/BLUU-9HY332" target="_blank" rel="nofollow noreferrer noopener">Extreme Networks</A></PRE> or <A href="http://www.kb.cert.org/vuls/id/BLUU-9HY32U" target="_blank" rel="nofollow noreferrer noopener"></A><PRE><A href="http://www.kb.cert.org/vuls/id/BLUU-9HY32U" target="_blank" rel="nofollow noreferrer noopener">Enterasys Networks</A></PRE> Information still reads "<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">No statement is currently available from the vendor regarding this vulnerability.</PRE></DIV>", then please refer to <A href="http://learn.extremenetworks.com/rs/extreme/images/CERT_VU%23720951_Vulnerability_Advisory_04_11_2014v2.pdf" target="_blank" rel="nofollow noreferrer noopener">this statement</A> (.pdf, 200 KB) submitted to US-CERT on April 11 2014.<BR /> <BR /> EXOS 15.4.1.3-patch1-10 is available for download via <A href="https://esupport.extremenetworks.com/eservice_enu/start.swe" target="_blank" rel="nofollow noreferrer noopener">eSupport</A>'s "<DIV class="threadCode"><B>code:</B><PRE spellcheck="false">Download Software Updates</PRE></DIV>" link.<BR /> The NetSight patch is available for download from the <A href="https://extranet.enterasys.com/downloads/Pages/NMS.aspx" target="_blank" rel="nofollow noreferrer noopener">NMS Product page</A>, or <A href="https://enterasys.box.com/shared/static/04o3hf3aryuym26t0c4m.zip" target="_blank" rel="nofollow noreferrer noopener">here</A> (1.5 MB).<BR /> A set of Dragon signatures was released on April 9, to assist in detecting attempted exploits. Mon, 14 Apr 2014 17:55:00 GMT https://community.extremenetworks.com/t5/faqs/extreme-networks-response-to-us-cert-vulnerability-advisory-vu/m-p/45258#M306 FAQ_User 2014-04-14T17:55:00Z