Article ID: 16131
Products
Black Diamond Series X8, 8900, and 8800 running EXOS version 15.4.1
Summit Series X770, X670, X480, X460, X440, X430, E4G-200, and E4G-400 running EXOS version 15.4.1
64-bit (Ubuntu) hardware-based and virtual NetSight appliances running version 4.4, 5.0, 5.1, or 6.0
64-bit (Ubuntu) hardware-based and virtual NAC & IA appliances running version 5.0, 5.1, or 6.0
64-bit (Ubuntu) hardware-based and virtual Purview appliances running version 6.0
Discussion
On April 7 2014, US-CERT issued advisory 720951. (This issue is also tracked as CVE-2014-0160, and discussed in 16130.)
The advisory overview...
OpenSSL 1.0.1 contains a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed."
The advisory impact...
By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.
The advisory lists a number of affected vendors, including
and
.
If within the advisory the hyperlinked Extreme Networks or Enterasys Networks Information still reads "No statement is currently available from the vendor regarding this vulnerability.", then please refer to this statement (.pdf, 200 KB) submitted to US-CERT on April 11 2014.
EXOS 15.4.1-patch1-10 is available for download via eSupport's "Download Software Updates" link.
The NetSight patch is available for download from the NMS Product page, or here (1.5 MB).
A set of Dragon signatures was released on April 9, to assist in detecting attempted exploits.
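The following is an added example, not part of the original article and not the Dragon signatures (whose contents the article does not give). It sketches the kind of check a network sensor can make for CVE-2014-0160: a TLS heartbeat message (RFC 6520) whose claimed payload length does not fit inside the record that carries it. The function names and the sample bytes are constructed for illustration; once a ChangeCipherSpec has been seen the heartbeat fields are ciphertext and are reported as uninspectable.

```python
import struct

HEARTBEAT, CHANGE_CIPHER_SPEC = 24, 20  # TLS ContentType values (RFC 6520, RFC 5246)
MIN_PADDING = 16                        # RFC 6520 requires at least 16 padding bytes

def iter_records(stream):
    """Yield (content_type, fragment) for each complete TLS record in stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        frag = stream[off + 5:off + 5 + length]
        if len(frag) < length:          # truncated capture: stop rather than guess
            return
        yield ctype, frag
        off += 5 + length

def scan_heartbeats(stream):
    """Classify every heartbeat record in one direction of a TLS connection."""
    findings, encrypted = [], False
    for ctype, frag in iter_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True            # everything after this is ciphertext
        elif ctype != HEARTBEAT:
            continue
        elif encrypted:
            findings.append("opaque")   # fields are encrypted and cannot be inspected
        elif len(frag) < 3:
            findings.append("malformed")
        else:
            _hb_type, claimed = struct.unpack_from("!BH", frag)
            # type (1) + length (2) + payload + padding must fit in the record
            fits = 1 + 2 + claimed + MIN_PADDING <= len(frag)
            findings.append("ok" if fits else "length-mismatch")
    return findings

def record(ctype, frag, version=0x0302):
    """Build a TLS record around frag (helper for the constructed samples)."""
    return struct.pack("!BHH", ctype, version, len(frag)) + frag

# Constructed sample stream, not captured traffic.
SAMPLE = b"".join([
    record(HEARTBEAT, b"\x01" + struct.pack("!H", 4) + b"ping" + bytes(16)),
    record(HEARTBEAT, b"\x01" + struct.pack("!H", 1024) + b"ping"),
    record(CHANGE_CIPHER_SPEC, b"\x01"),
    record(HEARTBEAT, bytes(40)),
])

if __name__ == "__main__":
    print(scan_heartbeats(SAMPLE))
```

A "length-mismatch" finding on an unpatched service is a reason to treat its private keys and session secrets as exposed, in line with the advisory impact quoted above.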
Also see this Hub community discussion.