https://community.extremenetworks.com/t5/security/openssl-vunerability-question/m-p/84479#M162 <P>Hi Rien,</P><P>good question. I can only speak for EXOS and XMC/NAC:</P><UL><LI>EXOS (30.7) uses openssl-fips-2.0.16 which is based on openssl 1.0.1 and 1.0.2 - so it’s not affected</LI> <LI>XMC (8.5.5) uses openssl 1.1.1 - it’s affected</LI></UL><BLOCKQUOTE><P>Does Anybody know If Extreme Networks already supports the OpenSSL 1.1.1k?</P></BLOCKQUOTE><P>About which products do you speak?</P><P>Best regards<BR />Stefan</P> Mon, 12 Apr 2021 14:51:38 GMT Stefan_K_ 2021-04-12T14:51:38Z https://community.extremenetworks.com/t5/security/openssl-vunerability-question/m-p/84478#M161 <P>Hello all<BR /><BR />In March 2021 the&nbsp;<A href="https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3449" target="_blank" rel="nofollow noreferrer noopener">National Vulnerability Database (NVD)</A>&nbsp;published 2 vulnerability's with effects OpenSSL 1.1.1<BR /><BR />this is&nbsp;the published information:</P><P><EM>Openssl will release new update on 2021/03/25, it will fix two "High" severity issues. These issues does not affect OpenSSL versions before 1.1.1:&nbsp;<BR />CVE-2021-3449: NULL pointer deref in signature_algorithms processing<BR />CVE-2021-3450: CA certificate check bypass with X509_V_FLAG_X509_STRICT</EM></P><P><EM>Both of these two CVE issues will be fixed through OpenSSL&nbsp;1.1.1k on 2021/03/25, before that:<BR />CVE-2021-3449: All OpenSSL 1.1.1 versions<BR />CVE-2021-3450: OpenSSL 1.1.1h and newer</EM></P><P>&nbsp;</P><P>Does Anybody know If Extreme Networks already supports the OpenSSL 1.1.1k?</P><P>&nbsp;</P><P>Kind Regards</P><P>Rien van Maurik</P> Mon, 12 Apr 2021 14:24:52 GMT https://community.extremenetworks.com/t5/security/openssl-vunerability-question/m-p/84478#M161 Rien_van_Maurik 2021-04-12T14:24:52Z https://community.extremenetworks.com/t5/security/openssl-vunerability-question/m-p/84479#M162 <P>Hi Rien,</P><P>good question. I can only speak for EXOS and XMC/NAC:</P><UL><LI>EXOS (30.7) uses openssl-fips-2.0.16 which is based on openssl 1.0.1 and 1.0.2 - so it’s not affected</LI> <LI>XMC (8.5.5) uses openssl 1.1.1 - it’s affected</LI></UL><BLOCKQUOTE><P>Does Anybody know If Extreme Networks already supports the OpenSSL 1.1.1k?</P></BLOCKQUOTE><P>About which products do you speak?</P><P>Best regards<BR />Stefan</P> Mon, 12 Apr 2021 14:51:38 GMT https://community.extremenetworks.com/t5/security/openssl-vunerability-question/m-p/84479#M162 Stefan_K_ 2021-04-12T14:51:38Z https://community.extremenetworks.com/t5/security/openssl-vunerability-question/m-p/84480#M163 <P>Hello Stefan</P><P>Thank you for your quick answer<BR /><BR />I'm talking about the next products and firmware releases:<BR />VSP: 8.1.8.0<BR />EXOS: 30.7.1.1<BR />EXOS: 16.2.5.4<BR />Identify: 10.51.17.0006<BR />XMC, ExtremeControl, Analytics: 8.5.5.32<BR />&nbsp;<BR />Kind regards&nbsp;<BR />Rien</P> Mon, 12 Apr 2021 16:03:34 GMT https://community.extremenetworks.com/t5/security/openssl-vunerability-question/m-p/84480#M163 Rien_van_Maurik 2021-04-12T16:03:34Z