
OpenSSL vulnerability Question

Rien_van_Maurik
New Contributor

Hello all

In March 2021 the National Vulnerability Database (NVD) published 2 vulnerabilities which affect OpenSSL 1.1.1.

This is the published information:

OpenSSL will release a new update on 2021/03/25; it will fix two "High" severity issues. These issues do not affect OpenSSL versions before 1.1.1:
CVE-2021-3449: NULL pointer deref in signature_algorithms processing
CVE-2021-3450: CA certificate check bypass with X509_V_FLAG_X509_STRICT

Both of these two CVE issues will be fixed through OpenSSL 1.1.1k on 2021/03/25, before that:
CVE-2021-3449: All OpenSSL 1.1.1 versions
CVE-2021-3450: OpenSSL 1.1.1h and newer

 

Does anybody know if Extreme Networks already supports OpenSSL 1.1.1k?

 

Kind Regards

Rien van Maurik

2 REPLIES

Rien_van_Maurik
New Contributor

Hello Stefan

Thank you for your quick answer

I'm talking about the following products and firmware releases:
VSP: 8.1.8.0
EXOS: 30.7.1.1
EXOS: 16.2.5.4
Identify: 10.51.17.0006
XMC, ExtremeControl, Analytics: 8.5.5.32
 
Kind regards 
Rien

Stefan_K_
Valued Contributor

Hi Rien,

good question. I can only speak for EXOS and XMC/NAC:

  • EXOS (30.7) uses openssl-fips-2.0.16 which is based on openssl 1.0.1 and 1.0.2 - so it’s not affected
  • XMC (8.5.5) uses openssl 1.1.1 - it’s affected

Does anybody know if Extreme Networks already supports OpenSSL 1.1.1k?

About which products do you speak?

Best regards
Stefan
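Added example, not part of the original thread and not Extreme Networks code: a first-pass triage of `openssl version` output against the affected ranges quoted in the question (CVE-2021-3449: all 1.1.1 releases, CVE-2021-3450: 1.1.1h and newer, both fixed in 1.1.1k). The function names and the sample version strings are constructed for illustration.

```python
import re

# Affected ranges as quoted in the thread (both fixed in 1.1.1k):
#   CVE-2021-3449: every 1.1.1 release before 1.1.1k
#   CVE-2021-3450: 1.1.1h up to, but not including, 1.1.1k
FIXED_IN = "k"
FIRST_AFFECTED = {
    "CVE-2021-3449": "",   # "" is the base 1.1.1 release without a letter
    "CVE-2021-3450": "h",
}

# Matches the numeric series plus the optional patch letter, e.g. "1.1.1j".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)\b")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letter) from an `openssl version` line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix)), letter


def affected_cves(text):
    """List which of the two CVEs apply to the reported upstream version."""
    series, letter = parse_openssl_version(text)
    # Only the 1.1.1 series is in scope; 1.1.1k and later carry the fix.
    if series != (1, 1, 1) or letter >= FIXED_IN:
        return []
    # Patch letters sort alphabetically, and "" sorts before "a".
    return sorted(c for c, first in FIRST_AFFECTED.items() if letter >= first)


if __name__ == "__main__":
    # Constructed sample lines in the format printed by `openssl version`.
    samples = [
        "OpenSSL 1.0.2u  20 Dec 2019",
        "OpenSSL 1.1.1  11 Sep 2018",
        "OpenSSL 1.1.1g  21 Apr 2020",
        "OpenSSL 1.1.1j  16 Feb 2021",
        "OpenSSL 1.1.1k  25 Mar 2021",
    ]
    for line in samples:
        hits = affected_cves(line)
        print(f"{line:32} -> {', '.join(hits) if hits else 'not affected'}")
```

A vendor or distribution build can carry backported fixes under an unchanged version letter, so confirm the result against the vendor's own advisory for the firmware release in question.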
