McAfee Employee MSchneider
Message 11 of 27

Re: OpenSSL CVE-2014-0160

All,

McAfee will not discuss this matter in this forum.

Please subscribe to SNS: https://sns.snssecure.mcafee.com/content/signup_login as all communication will happen over that channel or contact your Platinum Support Account Manager.

In addition monitor this security bulletin in our Knowledge Center: https://kc.mcafee.com/corporate/index?page=content&id=SB10071 and the KC in general for announcements.

thanks,

Michael

Message was edited by: michael_schneider on 10/04/2014 19:38:34 CEST
Michael Schneider
Lead Product Manager for Web Protection
(•‿•)

Re: OpenSSL CVE-2014-0160

McAfee apparently will not discuss this matter in any way, let alone in this forum. There's been NO communication regarding ePO or MWG via SNS, or apparently to anyone who opened a support case. A disappointing response from a security company to say the least. 

Travler
Level 10
Message 13 of 27

Re: OpenSSL CVE-2014-0160

sthe wrote:

Is Mcafee Web Gateway 7.3.2.7 vulnerable? As I see it uses OpenSSL 1.0.1e which is vulnerable.


How did you determine this?  I'd like to check my version but don't know where to go to see this information.

Thanks!

sthe
Level 9
Message 14 of 27

Re: OpenSSL CVE-2014-0160

You can check your OpenSSL version on Linux Shell

Use putty or something similar - ssh to the box and login as root

Command:

yum list openssl

The important output:

Installed Packages

openssl.i686                         1.0.1e-8.mlos2               installed

openssl.x86_64                   1.0.1e-8.mlos2               installed

Travler
Level 10
Message 15 of 27

Re: OpenSSL CVE-2014-0160

sthe wrote:

You can check your OpenSSL version on Linux Shell

Use putty or something similar - ssh to the box and login as root

Command:

yum list openssl

The important output:

Installed Packages

openssl.i686                         1.0.1e-8.mlos2               installed

openssl.x86_64                   1.0.1e-8.mlos2               installed

Thanks, Stefan -

That did the trick.

Of course, you can guess that the result was not good news though.

sthe
Level 9
Message 16 of 27

Re: OpenSSL CVE-2014-0160

Stefan Heuberger wrote:

You can check your OpenSSL version on Linux Shell

Use putty or something similar - ssh to the box and login as root

Command:

yum list openssl

The important output:

Installed Packages

openssl.i686                         1.0.1e-8.mlos2               installed

openssl.x86_64                   1.0.1e-8.mlos2               installed

MWG 7.3.2.8 still uses OpenSSL 1.0.1e - Full version: 1.0.1e-10.mlos2

Maybe it is just a recompile with flag set -DOPENSSL_NO_HEARTBEATS

Reliable Contributor asabban
Message 17 of 27

Re: OpenSSL CVE-2014-0160

Hello,

rpm -qa openssl on command-line will give you the full version information.

Unpatched:

openssl.i686                  1.0.1e-8.mlos2        

openssl.x86_64                1.0.1e-8.mlos2       

Patched:

openssl.i686                  1.0.1e-10.mlos2      

openssl.x86_64                1.0.1e-10.mlos2   

If you see "10" you are running a patched version.

Best,

Andre

sthe
Level 9
Message 18 of 27

Re: OpenSSL CVE-2014-0160

Hello Andre

Thank you for the clarification.

yum and rpm both output full version numbers, but yum also lists available packages.

In my opinion your solution rpm -qa openssl is preferable as in this case only really important information is shown.

And again I see that still a lot of essential Linux knowledge is missing...

Reliable Contributor asabban
Message 19 of 27

Re: OpenSSL CVE-2014-0160

Hello,

No worries! Whatever you are missing, we like to help 🙂

Maybe just as another note in regards to the version numbers:

Many announcements and press releases point out a statement like "all OpenSSL versions < 1.0.1g are affected". So with the fix we made you still see "e" rather than "g" as the version number, which may look strange. The reason is rather simple. If we switch from "e" to "g" this would mean we implement the fix, but also all additional changes and feature modifications which happened between "e" and "g". This would have required extensive testing since no one can exactly tell what other impacts the new and changed features in the "g" version might have.

Instead the "e" version got a security fix, which solves the heartbleed issue.

Best,

Andre
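
The check described in the two posts above, written as a small script (an added example, not code from McAfee or from any poster in this thread). It judges the package release number rather than the upstream letter, since the fix was backported into "1.0.1e". The function names are made up for this example, the 8/10 threshold is the one stated in the thread and is applied only to 1.0.1e mlos2 builds, and anything else is reported as unknown rather than guessed.

```shell
#!/bin/sh
# classify_openssl VERSION-RELEASE  ->  patched | unpatched | unknown
# Rule from the thread: 1.0.1e-8.mlos2 is unpatched, 1.0.1e-10.mlos2 is patched.
classify_openssl() {
    vr=$1                       # e.g. 1.0.1e-10.mlos2
    version=${vr%%-*}           # upstream version: 1.0.1e
    release=${vr#*-}            # vendor release:   10.mlos2
    # No "-release" part at all: cannot judge a backported fix.
    [ "$release" = "$vr" ] && { echo unknown; return; }
    relnum=${release%%.*}       # 10
    dist=${release#*.}          # mlos2
    case $relnum in
        ''|*[!0-9]*) echo unknown; return ;;   # release is not numeric
    esac
    if [ "$version" = "1.0.1e" ] && [ "$dist" = "mlos2" ]; then
        if [ "$relnum" -ge 10 ]; then echo patched; else echo unpatched; fi
    else
        echo unknown            # outside the case covered by the thread
    fi
}

# report: reads "name.arch version-release [repo]" lines (the layout quoted
# in the thread) on stdin and appends the classification to each openssl line.
report() {
    while read -r pkg vr rest; do
        case $pkg in
            openssl.*) echo "$pkg $vr $(classify_openssl "$vr")" ;;
        esac
    done
}

# Constructed sample input, using the version strings quoted in the thread.
SAMPLE='Installed Packages
openssl.i686 1.0.1e-8.mlos2 installed
openssl.x86_64 1.0.1e-10.mlos2 installed'
printf '%s\n' "$SAMPLE" | report

# On a live box the same layout can be produced with:
#   rpm -q --qf '%{NAME}.%{ARCH} %{VERSION}-%{RELEASE}\n' openssl | report
```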

sthe
Level 9
Message 20 of 27

Re: OpenSSL CVE-2014-0160

Actually the situation is absolutely disappointing.

The SR I submitted on 2014-04-08 around 12:00 UTC is still unanswered. The only information I got about 45 minutes later:

"Regarding the CVE-2014-0160 / SSL vulnerability our engineering team is currently checking the issue and we will revert back as soon as possible."

And today a status update: Escalated

That's all

Message was edited by: sthe / bad formatting and spelling corrected on 4/10/14 6:30:43 PM CEST