I am confused with this recent vulnerability. I am getting conflicting answers from McAfee. Here is the CVE article: CVE-2014-0160, OpenSSL 1.0.1a - 1.0.1f vulnerability. I was originally told MEG 7.5.1 is vulnerable and the fix action is the MEG 7.5.3 upgrade. I was also advised that VMs were not affected. Now I am hearing there is not a 7.5.3 and that a Hot Fix will be released instead of a patch to fix this vulnerability. Also, now McAfee is unsure about the VMs. Somebody help me out.
Anyone else have MEG 7.x and have a good answer for CVE-2014-0160? McAfee, are you going to release an SNS concerning this info anytime soon? I am getting nervous. This is considered a Zero Day vulnerability, I believe.
Keep in mind that this CVE has just been released and we are finding this out at the same time. In fact, even as I was on web.nvd.nist.gov I noticed that it was still being updated. The bottom line is that currently all appliances running 7.5.x and 7.6.x, including VMs, which are running OpenSSL 1.0.1e-fips, fall within this CVE and are possibly susceptible.
We are currently looking into the issue and will post an update as we obtain information.
Still waiting on responses, but personally tested, and MEG 7.5.1 and 7.5.2 are both vulnerable (on VM, and it doesn't matter about FIPS mode).
I have not heard about a 7.5.3 hotfix or patch, so you know more than me at this point.
Got a notification via SNS saying they were investigating affected products; however, I have not heard anything back about the affected list, let alone plans in the works for workarounds.