Is Mcafee Web Gateway 18.104.22.168 vulnerable? As I see it uses OpenSSL 1.0.1e which is vulnerable.
Message was edited by: sthe on 4/8/14 10:41:49 AM CESTMessage was edited by: sthe on 4/8/14 10:42:27 AM CEST
Solved! Go to Solution.
Now this is the definitive answer:
"What to do after upgrading Web Gateway to combat Heartbleed"
Well a lot of work to do...
it is possible that MWG is vulnerable, but investigations are currently on-going. There should be an official announcement later. If you need some official information immediately I recommend to file a service request with technical support.
Thank you for your fast reply. I would appreciate any further details as soon as they are available.
If MWG is vulnerable there are some more questions to come...
further details are available. Since this is security related we would like to prevent discussing details on a public space. Please file a service request with technical support, they will provide you with the latest available information. I have talked to them and they are awaiting you :-)
SR is filed
I am not going to post details about the answer I get. I keep it confidential.
Can you update the post when official information is available?
I think other people are also interested.
I talked to the support manager and there will be an official response in form of a SNS (support notification service). I encourage every customer to subscribe, as important official information is provided through this channel. You can find more details on
Please look out for the SNS which will contain all necessary information. I am not allowed to give any kind of official response, so please follow the notification. In case questions remain I still recommend to file an SR with support to have some official response and updates.
Besides that certainly I am happy to help :-)
We're still waiting for an SNS. How hard is it to test the products and let customers know which components are vulnerable so they can make appropriate risk decisions? By all means, let all your customers test individually, customer's time has no value right?
I had to create an account just to throw this out there. This product IS vulnerable. I have tested with a copy of a tool internally and externally against this product. It IS vulnerable and it took me less than 10 minutes to prove that. Let's get some action here McAfee... some of us have certs that we would rather not have to re-issue, and replace on hundreds or thousands of devices.
What aspect of MWG is vulnerable? I ran exploit against the management console and it wasn't vulnerable. Do you mean the proxy's SSL interception function is vulnerable?