cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
MSchneider
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 11 of 27
‎04-10-2014 10:20 AM

Re: OpenSSL CVE-2014-0160

Jump to solution

All,

McAfee will not discuss this matter in this forum.

Please subscribed to SNS: https://sns.snssecure.mcafee.com/content/signup_login as all cummunication will happen over that channel or contact your Platinum Support Account Manager.

In addition monitor this security bulleting in our Knowledge Center: https://kc.mcafee.com/corporate/index?page=content&id=SB10071 and the KC in general for announcements.

thanks,

Michael

Message was edited by: michael_schneider on 10/04/2014 19:38:34 CEST
Michael Schneider
Senior Manager of PM
for Web Protection and UCE
(•‿•)
0 Kudos
Reply
jbmartin6
Level 9
Report Inappropriate Content
Message 12 of 27
‎04-10-2014 11:53 AM

Re: OpenSSL CVE-2014-0160

Jump to solution

McAfee apparently will not discuss this matter in any way, let alone in this forum. There's been NO communication regarding ePO or MWG via SNS, or apparently to anyone who opened a support case. A disappointing response from a security company to say the least. 

0 Kudos
Reply
Travler
Level 10
Report Inappropriate Content
Message 13 of 27
‎04-10-2014 08:30 AM

Re: OpenSSL CVE-2014-0160

Jump to solution 
sthe wrote:
Is Mcafee Web Gateway 7.3.2.7 vulnerable? As I see it uses OpenSSL 1.0.1e which is vulnerable.


How did you determine this?  I'd like to check my version but don't know where to go to see this information.

Thanks!

0 Kudos
Reply
sthe
Level 9
Report Inappropriate Content
Message 14 of 27
‎04-10-2014 09:19 AM

Re: OpenSSL CVE-2014-0160

Jump to solution

You can check your OpenSSL version on Linux Shell

Use putty or something similar - ssh to the box and login as root

Command:

yum list openssl

The important output:

Installed Packages

openssl.i686                         1.0.1e-8.mlos2               installed

openssl.x86_64                   1.0.1e-8.mlos2               installed

0 Kudos
Reply
Travler
Level 10
Report Inappropriate Content
Message 15 of 27
‎04-10-2014 11:12 AM

Re: OpenSSL CVE-2014-0160

Jump to solution 
sthe wrote:
You can check your OpenSSL version on Linux Shell
Use putty or something similar - ssh to the box and login as root
Command:
yum list openssl
The important output:
Installed Packages
openssl.i686                         1.0.1e-8.mlos2               installed
openssl.x86_64                   1.0.1e-8.mlos2               installed

Thanks, Stefan -

That did the trick.

Of course, you can guess that the result was not good news though.

0 Kudos
Reply
sthe
Level 9
Report Inappropriate Content
Message 16 of 27
‎04-10-2014 11:55 PM

Re: OpenSSL CVE-2014-0160

Jump to solution 
Stefan Heuberger wrote:
You can check your OpenSSL version on Linux Shell
Use putty or something similar - ssh to the box and login as root
Command:
yum list openssl
The important output:
Installed Packages
openssl.i686                         1.0.1e-8.mlos2               installed
openssl.x86_64                   1.0.1e-8.mlos2               installed

MWG 7.3.2.8 still uses OpenSSL 1.0.1e - Full version: 1.0.1e-10.mlos2

Maybe it is just a recompile with flag set -DOPENSSL_NO_HEARTBEATS

0 Kudos
Reply
asabban
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 17 of 27
‎04-11-2014 12:46 AM

Re: OpenSSL CVE-2014-0160

Jump to solution

Hello,

rpm -qa openssl on command-line will give you the full version information.

Unpatched:

openssl.i686                  1.0.1e-8.mlos2        

openssl.x86_64                1.0.1e-8.mlos2       

Patched:

openssl.i686                  1.0.1e-10.mlos2      

openssl.x86_64                1.0.1e-10.mlos2   

lf you see "10" you are running a patched version.

Best,

Andre

Reply
sthe
Level 9
Report Inappropriate Content
Message 18 of 27
‎04-11-2014 01:35 AM

Re: OpenSSL CVE-2014-0160

Jump to solution

Hello Andre

Thank you for clarification

yum and rpm both output full version numbers, but yum also lists available packages.

In my opinion your solution rpm -qa openssl is preferable as in this case only really important information is shown.

And again I see that still a lot of essential Linux knowledge is missing...

0 Kudos
Reply
asabban
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 19 of 27
‎04-11-2014 01:53 AM

Re: OpenSSL CVE-2014-0160

Jump to solution

Hello,

no worries! Whatever you are missing, we like to help 🙂

Maybe just as another note in regards to the version numbers:

Many announcement and press releases point out a statement like "all OpenSSL versions < 1.0.1g are affected". So with the fix we made you still see "e" rather than "g" as the version number, which may look strange. The reason is rather simple. If we switch from "e" to "g" this would mean we implement the fix, but also all additional changes and feature modifications which happened between "e" and "g". This would have required extensive testing since noone can exactly tell what other impacts the new new and changed features in the "g" version might have.

Instead the  "e" version got a security fix, which solves the heartbleed issue.

Best,

Andre

Reply
sthe
Level 9
Report Inappropriate Content
Message 20 of 27
‎04-10-2014 09:27 AM

Re: OpenSSL CVE-2014-0160

Jump to solution

Actually the situation is absolutely disappointing.

The SR I submitted on 2014-04-08 around 12:00 UTC is still unanswered. The only information I got about 45 minutes later:

"Regarding the CVE-2014-0160 / SSL vulnerability our engineering team is currently checking the issue and we will revert back as soon as possible."

And today a status update: Escalated

That's all

Message was edited by: sthe / bad formatting and spelling corrected on 4/10/14 6:30:43 PM CEST
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC