Extreme Networks update on the OpenSSL vulnerability called “Heartbleed"
04-12-2014 03:07 AM
Patches will be available for all affected products by Monday (4/14). Reference the Extreme Networks CERT VU#720951 Vulnerability Advisory note for additional details. http://learn.extremenetworks.com/rs/extreme/images/CERT_VU%23720951_Vulnerability_Advisory_04_11_201...
04-14-2014 05:28 PM
<content-quote data-username="Andy_M"> This reply was created from a merged topic originally titled heartbleed OpenSSL vulnerability. Does anyone have any information on whether or not and which Enterasys or Extreme products are affected by this vulnerability?</content-quote>
Hi Andy. We have a comprehensive topic about this including a list of affected products. Please visit this for additional information. If you have additional questions, please ask them here in the community! https://getsatisfaction.com/extreme/topics/extreme_networks_update_on_the_openssl_vulnerability_call...
04-14-2014 05:23 PM
This reply was created from a merged topic originally titled Response to "Heartbleed" CVE-2014-0160 OpenSSL vulnerability. Article ID: 16130

Products
The issue affects products which use OpenSSL 1.0.1 (March 2012) through 1.0.1f for SSL/HTTPS support.
OpenSSL 1.0.1g, released April 7 2014, resolves the vulnerability.
Affected:
- Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1
- Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1
- 64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0
- 64-bit (Ubuntu) hardware-based and virtual NAC & IA appliances running version 5.0, 5.1, or 6.0
- 64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0

Vulnerability notification CVE-2014-0160 was released on April 7 2014. Its Overview states:
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

The high visibility and potentially high impact of this issue has spawned many follow-up reports which are visible in a web search for "CVE-2014-0160" or "heartbleed".
Patches have been developed to address this vulnerability across all affected products, and these will be included in subsequent GA releases. Patch availability is discussed in 16131, which addresses this issue being tracked as US-CERT Vulnerability Advisory VU#720951.
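The over-read the CVE text above describes, and the bounds check that resolves it, modelled in C as an added example that is not code from the advisory or from OpenSSL; the arena, the planted secret and the record layout are constructed for the demonstration, and the 1.0.1g check is paraphrased rather than copied.

```c
#include <stdint.h>
#include <string.h>

/* Model of a TLS heartbeat record in the receiving process's memory: type (1 byte),
 * 16-bit declared payload length, payload, padding. The arena stands in for the
 * heap; unrelated data after the record must never be echoed back. All constructed. */
#define ARENA_SIZE 64
#define PADDING 16        /* RFC 6520: at least 16 bytes of padding */
#define SECRET_OFF 24     /* where the planted "key" sits, beyond the 22-byte record */

static unsigned char arena[ARENA_SIZE];

/* Write a request with a 3-byte payload but an arbitrary declared length, plant a
 * secret after it, and return the length the record layer really received. */
size_t build_arena(uint16_t declared_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                  /* heartbeat_request */
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + 3, "abc", 3);
    memcpy(arena + SECRET_OFF, "SECRET-KEY-BYTES", 16);
    return 1 + 2 + 3 + PADDING;
}

/* Pre-1.0.1g behaviour: trust the declared length and copy that many bytes into the
 * reply, reading past the record. The clamp to the arena exists only so this demo
 * stays memory-safe; the real code had no such bound. */
size_t heartbeat_reply_vulnerable(size_t record_len, unsigned char *out) {
    size_t payload = (size_t)((arena[1] << 8) | arena[2]);
    (void)record_len;                              /* never consulted: the bug */
    if (payload > ARENA_SIZE - 3) payload = ARENA_SIZE - 3;
    memcpy(out, arena + 3, payload);
    return payload;
}

/* Modelled on the 1.0.1g fix: drop the record when header + declared payload +
 * padding exceeds what was actually received. Returns 0 when dropped. */
size_t heartbeat_reply_fixed(size_t record_len, unsigned char *out) {
    size_t payload = (size_t)((arena[1] << 8) | arena[2]);
    if (1 + 2 + payload + PADDING > record_len) return 0;
    memcpy(out, arena + 3, payload);
    return payload;
}

/* 1 if the reply bytes contain the planted secret, i.e. memory leaked. */
int leaks_secret(const unsigned char *out, size_t n) {
    size_t off = SECRET_OFF - 3;                   /* reply starts at arena + 3 */
    return n >= off + 16 && memcmp(out + off, "SECRET-KEY-BYTES", 16) == 0;
}
```

With a declared length of 0xffff the vulnerable path returns the planted secret in the reply while the fixed path drops the record; with an honest declared length both paths echo only the 3-byte payload.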
04-14-2014 05:23 PM
KB Article: Please reference the new topic here: Response to "Heartbleed" CVE-2014-0160 OpenSSL Vulnerability, Article ID 16130
04-14-2014 05:23 PM
This reply was created from a merged topic originally titled Heartbleed OpenSSL Vulnerability in NMS/Oneview or Wireless Controller. Are NMS/Oneview or the wireless controller at risk from the Heartbleed OpenSSL vulnerability? What revision levels are at risk? Is there a corporate statement of exposure risk and mitigation?
See similar post about XOS.
https://community.extremenetworks.com/extreme/topics/heartbleed_openssl_vulnerability
04-14-2014 05:22 PM
This reply was created from a merged topic originally titled Extreme Networks Response to US-CERT Vulnerability Advisory VU#720951. Article ID: 16131

Products
- Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1
- Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1
- 64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0
- 64-bit (Ubuntu) hardware-based and virtual NAC & IA appliances running version 5.0, 5.1, or 6.0
- 64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0

Discussion
On April 7 2014, US-CERT issued advisory VU#720951. (This issue is also tracked as CVE-2014-0160, and discussed in 16130.)

The advisory overview:
OpenSSL 1.0.1 contains a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed."

The advisory impact:
By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.

The advisory lists a number of affected vendors, including Enterasys Networks and Extreme Networks.
If within the advisory the hyperlinked Extreme Networks or Enterasys Networks Information still reads "No statement is currently available from the vendor regarding this vulnerability.", then please refer to this statement (.pdf, 200 KB) submitted to US-CERT on April 11 2014.

EXOS 15.4.1.3-patch1-10 is available for download via eSupport's "Download Software Updates" link.
The NetSight patch is available for download from the NMS Product page, or here (1.5 MB).
A set of Dragon signatures was released on April 9, to assist in detecting attempted exploits.
