All,
McAfee will not discuss this matter in this forum.
Please subscribe to SNS: https://sns.snssecure.mcafee.com/content/signup_login as all communication will happen over that channel, or contact your Platinum Support Account Manager.
In addition, monitor this security bulletin in our Knowledge Center: https://kc.mcafee.com/corporate/index?page=content&id=SB10071 and the KC in general for announcements.
thanks,
Michael
Message was edited by: michael_schneider on 10/04/2014 19:38:34 CEST
McAfee apparently will not discuss this matter in any way, let alone in this forum. There's been NO communication regarding ePO or MWG via SNS, or apparently to anyone who opened a support case. A disappointing response from a security company to say the least.
sthe wrote:
Is Mcafee Web Gateway 7.3.2.7 vulnerable? As I see it uses OpenSSL 1.0.1e which is vulnerable.
How did you determine this? I'd like to check my version but don't know where to go to see this information.
Thanks!
You can check your OpenSSL version on Linux Shell
Use putty or something similar - ssh to the box and login as root
Command:
yum list openssl
The important output:
Installed Packages
openssl.i686 1.0.1e-8.mlos2 installed
openssl.x86_64 1.0.1e-8.mlos2 installed
sthe wrote:
You can check your OpenSSL version on Linux Shell
Use putty or something similar - ssh to the box and login as root
Command:
yum list openssl
The important output:
Installed Packages
openssl.i686 1.0.1e-8.mlos2 installed
openssl.x86_64 1.0.1e-8.mlos2 installed
Thanks, Stefan -
That did the trick.
Of course, you can guess that the result was not good news though.
Stefan Heuberger wrote:
You can check your OpenSSL version on Linux Shell
Use putty or something similar - ssh to the box and login as root
Command:
yum list openssl
The important output:
Installed Packages
openssl.i686 1.0.1e-8.mlos2 installed
openssl.x86_64 1.0.1e-8.mlos2 installed
MWG 7.3.2.8 still uses OpenSSL 1.0.1e - Full version: 1.0.1e-10.mlos2
Maybe it is just a recompile with flag set -DOPENSSL_NO_HEARTBEATS
Hello,
rpm -qa openssl on command-line will give you the full version information.
Unpatched:
openssl.i686 1.0.1e-8.mlos2
openssl.x86_64 1.0.1e-8.mlos2
Patched:
openssl.i686 1.0.1e-10.mlos2
openssl.x86_64 1.0.1e-10.mlos2
If you see "10" you are running a patched version.
Best,
Andre
Hello Andre
Thank you for clarification
yum and rpm both output full version numbers, but yum also lists available packages.
In my opinion your solution rpm -qa openssl is preferable as in this case only really important information is shown.
And again I see that still a lot of essential Linux knowledge is missing...
Hello,
no worries! Whatever you are missing, we like to help 🙂
Maybe just as another note in regards to the version numbers:
Many announcements and press releases point out a statement like "all OpenSSL versions < 1.0.1g are affected". So with the fix we made you still see "e" rather than "g" as the version number, which may look strange. The reason is rather simple. If we switched from "e" to "g" this would mean we implement the fix, but also all additional changes and feature modifications which happened between "e" and "g". This would have required extensive testing since no one can exactly tell what other impacts the new and changed features in the "g" version might have.
Instead the "e" version got a security fix, which solves the heartbleed issue.
Best,
Andre
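Because the backported fix keeps the upstream version string at "1.0.1e" and only bumps the package release (8 unpatched, 10 patched, as Andre describes above), a check that only looks for "1.0.1g" would wrongly flag a patched MWG box. The following added example (not from the thread or from McAfee) classifies `yum list openssl` / `rpm -qa openssl` lines using that release number; the sample package lines are constructed to match the ones quoted in the thread, and the "mlos2" tag and threshold of 10 are taken from it.

```shell
#!/bin/sh
# Classify one package line as patched/unpatched for CVE-2014-0160 on MWG.
# Accepts the yum form  "openssl.x86_64  1.0.1e-8.mlos2 installed"
# and the rpm -qa form  "openssl-1.0.1e-8.mlos2.x86_64".
# Prints patched (exit 0), unpatched (exit 1) or unknown (exit 2).
heartbleed_status() {
  line=$1
  # Extract "<upstream>-<release>.mlos2", e.g. 1.0.1e-10.mlos2
  vr=$(printf '%s\n' "$line" | sed -n 's/.*\(1\.0\.1[a-z]-[0-9][0-9]*\.mlos2\).*/\1/p')
  [ -n "$vr" ] || { echo unknown; return 2; }
  upstream=${vr%%-*}               # 1.0.1e
  rel=${vr#*-}; rel=${rel%%.*}     # 10
  # Upstream 1.0.1g or later carries the fix itself (per the advisories
  # quoted above); for 1.0.1e rely on the vendor release number instead.
  case $upstream in
    1.0.1[g-z]) echo patched; return 0 ;;
  esac
  if [ "$rel" -ge 10 ]; then echo patched; return 0; fi
  echo unpatched; return 1
}

# Scan whole command output on stdin (e.g. rpm -qa openssl | scan_openssl),
# skipping header lines such as "Installed Packages".
# Exit 1 if any openssl package line is not patched.
scan_openssl() {
  rc=0
  while IFS= read -r l; do
    case $l in *openssl*) ;; *) continue ;; esac
    s=$(heartbleed_status "$l") || true
    printf '%-45s %s\n' "$l" "$s"
    [ "$s" = patched ] || rc=1
  done
  return $rc
}
```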
Actually the situation is absolutely disappointing.
The SR I submitted on 2014-04-08 around 12:00 UTC is still unanswered. The only information I got about 45 minutes later:
"Regarding the CVE-2014-0160 / SSL vulnerability our engineering team is currently checking the issue and we will revert back as soon as possible."
And today a status update: Escalated
That's all
Message was edited by: sthe / bad formatting and spelling corrected on 4/10/14 6:30:43 PM CEST