sthe
Level 9
Message 1 of 27

OpenSSL CVE-2014-0160

Hello

Is McAfee Web Gateway 7.3.2.7 vulnerable? As I see it, it uses OpenSSL 1.0.1e, which is vulnerable.

Details

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

http://www.kb.cert.org/vuls/id/720951

https://www.openssl.org/news/secadv_20140407.txt

http://heartbleed.com/

Stefan

Message was edited by: sthe on 4/8/14 10:41:49 AM CEST

Message was edited by: sthe on 4/8/14 10:42:27 AM CEST
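
Added example, not part of the original post or of any McAfee material: a first-pass triage of `openssl version -a` output against the upstream affected range from the OpenSSL advisory linked above. The `classify` helper and the sample banners are constructed for illustration.

```python
import re

# Upstream range per the OpenSSL advisory of 2014-04-07: 1.0.1 through 1.0.1f
# and 1.0.2-beta1 are affected; 1.0.1g is fixed, as is any build compiled
# with -DOPENSSL_NO_HEARTBEATS.
BANNER = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(-beta\d+)?", re.M)

def classify(version_output):
    """Triage the text printed by `openssl version -a` (hypothetical helper)."""
    m = BANNER.search(version_output)
    if not m:
        return "unknown"
    base, letter, beta = m.groups()
    if base == "1.0.1":
        if beta:                      # 1.0.1 pre-releases are not classified here
            return "unknown"
        in_range = letter < "g"       # "" (plain 1.0.1) and "a" through "f"
    elif base == "1.0.2":
        in_range = beta == "-beta1"
    else:
        in_range = False              # e.g. the unaffected 0.9.8 and 1.0.0 branches
    if not in_range:
        return "outside-range"
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "heartbeat-disabled"
    # Distributions backport fixes without changing the version letter, so this
    # result means "check the vendor advisory", not "confirmed vulnerable".
    return "affected-range"

# Constructed sample outputs, not taken from any real appliance.
SAMPLES = {
    "stock_1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_THREADS -O3\n",
    "distro_1.0.1e": "OpenSSL 1.0.1e-fips 11 Feb 2013\ncompiler: gcc -fPIC -O2\n",
    "rebuilt_1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\n"
                      "compiler: gcc -DOPENSSL_NO_HEARTBEATS -O3\n",
    "fixed_1.0.1g": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -O3\n",
    "old_0.9.8y": "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -O3\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:16} {classify(text)}")
```

The command-line binary and the library a service actually loads can differ, so run the check against the build the listening service is linked to.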
1 Solution

Accepted Solutions
sthe
Level 9
Message 21 of 27

Re: OpenSSL CVE-2014-0160

Hello

Now this is the definitive answer:

Security Bulletin

https://kc.mcafee.com/corporate/index?page=content&id=SB10071

"What to do after upgrading Web Gateway to combat Heartbleed"

https://kc.mcafee.com/corporate/index?page=content&id=KB81669

Well, a lot of work to do...

26 Replies
asabban
McAfee Employee
Message 2 of 27

Re: OpenSSL CVE-2014-0160

Hello,

It is possible that MWG is vulnerable, but investigations are currently ongoing. There should be an official announcement later. If you need some official information immediately, I recommend filing a service request with technical support.

Best,

Andre

sthe
Level 9
Message 3 of 27

Re: OpenSSL CVE-2014-0160

Hello Andre

Thank you for your fast reply. I would appreciate any further details as soon as they are available.

If MWG is vulnerable, there are some more questions to come...

Thanks

Stefan

asabban
McAfee Employee
Message 4 of 27

Re: OpenSSL CVE-2014-0160

Hello,

Further details are available. Since this is security related, we would like to avoid discussing details in a public space. Please file a service request with technical support; they will provide you with the latest available information. I have talked to them and they are awaiting you 🙂

Best,

Andre

sthe
Level 9
Message 5 of 27

Re: OpenSSL CVE-2014-0160

Hello Andre

The SR is filed.

I am not going to post details about the answer I get. I will keep it confidential.

Can you update the post when official information is available?

I think other people are also interested.

Best

Stefan

asabban
McAfee Employee
Message 6 of 27

Re: OpenSSL CVE-2014-0160

Thank you,

I talked to the support manager and there will be an official response in the form of an SNS (Support Notification Service). I encourage every customer to subscribe, as important official information is provided through this channel. You can find more details at

https://kc.mcafee.com/corporate/index?page=content&id=KB67828

Please look out for the SNS, which will contain all necessary information. I am not allowed to give any kind of official response, so please follow the notification. In case questions remain, I still recommend filing an SR with support to have some official response and updates.

Besides that, I am certainly happy to help 🙂

Best,

Andre

jbmartin6
Level 9
Message 7 of 27

Re: OpenSSL CVE-2014-0160

We're still waiting for an SNS. How hard is it to test the products and let customers know which components are vulnerable so they can make appropriate risk decisions? By all means, let all your customers test individually; customers' time has no value, right?

pwn3r
Level 7
Message 8 of 27

Re: OpenSSL CVE-2014-0160

I had to create an account just to throw this out there. This product IS vulnerable. I have tested with a copy of a tool internally and externally against this product. It IS vulnerable and it took me less than 10 minutes to prove that. Let's get some action here, McAfee... some of us have certs that we would rather not have to re-issue and replace on hundreds or thousands of devices.

jbmartin6
Level 9
Message 9 of 27

Re: OpenSSL CVE-2014-0160

What aspect of MWG is vulnerable? I ran an exploit against the management console and it wasn't vulnerable. Do you mean the proxy's SSL interception function is vulnerable?

dbledge
Level 7
Message 10 of 27

Re: OpenSSL CVE-2014-0160

I did the same. The response I got was "Server returned error, likely not vulnerable"