cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Namster
Level 10
Report Inappropriate Content
Message 11 of 66
‎04-09-2014 10:52 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

I'm using 5.1.0 and ssl is within the list of affected versions. To be safe, I thought it would be best for me to stand down my public facing servers until McAfee releases an update to their announcement. No harm for me to do this for the time being.

0 Kudos
Reply
jickfoo
Level 11
Report Inappropriate Content
Message 12 of 66
‎04-09-2014 12:15 PM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

We've fixed this issue on other machines by taking the libeay32.dll, openssl.exe, and ssleay32 from the OpenSSL 1.01g package and copying them over the older files. I tried this on the EPO Agent machine but after I did that the service wont start. Perhaps something with the signature.

0 Kudos
Reply
twenden
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 13 of 66
‎04-09-2014 10:50 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

McAfee sent us a SNS noticed regarding the OpenSSL issue (HeartBleed).

McAfee is aware of the Heartbleed Vulnerability (CVE-2014-0160).This is a vulnerability in OpenSSL that could allow an attacker to gain accessto system memory (in 64K chunks) which potentially could contain sensitive informationor communications.

McAfee is investigating affected products and will be provide additional information via SNS today.

We will just have to wait to see what is the way to fix this issue.

0 Kudos
Reply
roebbu
Level 9
Report Inappropriate Content
Message 14 of 66
‎04-10-2014 12:13 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution 
A consolidated Security Bulletin will be published on the McAfee Knowledge Center (support.mcafee.com) and list all affected products.

.. and 11 hours after the SNS message there's still no complete list of affected products available? Srsly?

Message was edited by: roebbu on 4/10/14 11:45:40 AM CEST
0 Kudos
Reply
midnightdevil
Level 9
Report Inappropriate Content
Message 15 of 66
‎04-10-2014 03:21 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

Do we all have to open tickets so they check their customer cases one by one or they are going for a public announcement fix for ePO versions?

0 Kudos
Reply
pierce
Level 13
Report Inappropriate Content
Message 16 of 66
‎04-10-2014 03:27 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

I opened a case to get the info and still waiting on a response to confirm my findings. I believe they will release an SNS notification, but seems like they are a bit slow to get this out.

Would be good if they just released an SNS with all the products and versions and if then fill in the status once they know if its safe or unsafe etc...

0 Kudos
Reply
djjava9
Level 11
Report Inappropriate Content
Message 17 of 66
‎04-10-2014 05:01 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

This will be the official kb https://kc.mcafee.com/corporate/index?page=content&id=SB10071 where we will update all affected products and of course via sns as well. http://mcaf.ee/2zon0

0 Kudos
Reply
Stanw
Level 7
Report Inappropriate Content
Message 18 of 66
‎04-10-2014 07:51 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

ePO is still not on the offical list yet.

0 Kudos
Reply
RRMX
Level 7
Report Inappropriate Content
Message 19 of 66
‎04-10-2014 05:50 PM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

FYI for those still running EPO 4.5 - This is totally unofficial so try at your own risk. User jickfoo mentioned above that it did not work for him/her. We still have EPO 4.5 that we cannot upgrade currently for various reasons and it is EOL.

I was able to manually drop OpenSSL 1.0.1g binaries on one of our test EPO 4.5.7 servers and it seems to work. Go to the OpenSSL site, click on Related, and there is a link to find Windows binaries. You just need openssl.exe, ssleay32.dll and libeay32.dll. The existing location is in the McAfee\ePolicy Orchestrator\Apache2\bin directory. Stop the EPO services, rename the existing files to .OLD, drop the new ones on there and restart services. Works for me.

If it doesn't work for you, simply stop services, delete new binaries, rename old ones back properly, and restart services again.

Message was edited by: RRMX on 4/10/14 5:52:04 PM PDT
Reply
tcox8
Level 10
Report Inappropriate Content
Message 20 of 66
‎04-11-2014 06:02 AM

Re: ePO - OpenSSL versions (CVE-2014-0160)

Jump to solution

I can confirm that RRMX's (from jickfoo) solution worked for us. We are running ePO 4.6.5.

Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC