It’s been all over the news this week:
Heartbleed OpenSSL bug
OpenSSL versions 1.0.1 through 1.0.1f as well as 1.0.2-beta1 are indicated to be vulnerable to Heartbeat Vulnerability.
Due to a missing bounds check in OpenSSL during the TLS heartbeat extension, a maximum of 64 KiB of memory can be revealed to a connected client or server. This may potentially allow an unauthenticated, remote attacker to gain access to sensitive information such as private keys, login passwords, and encryption keys (the so-called Secret Keys). As a result of this disclosure of potentially sensitive information, these Secret Keys could be leveraged to decrypt other sensitive information or conduct so-called man-in-the-middle attacks.
References:
- EMC knowledge base article: bit.ly/1hwgFpW
- Original disclosure: http://heartbleed.com/
- US CERT: http://www.kb.cert.org/vuls/id/720951
- NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160&cid=2
I won’t copy/paste the complete list in this post as the list will be updated over time, but in general I can disclose that (according to EMC) Brocade FOS, Centera, Clariion, Connectrix Manager, Control Center, Data Domain OS, ESRS, Isilon OneFS, , Networker, RecoverPoint, Replication Manager, ViPR, VNVe, VNX1, VNX2, VPLEX, XtremIO are not vulnerable.
You should read the article on bit.ly/1hwgFpW for specific other products as there are a few that might need attention.
Make sure you patch your products if you need to and please change your passwords every now and then (and in this case as soon as possible).
Follow me on social media