I'm using 5.1.0 and SSL is within the list of affected versions. To be safe, I thought it would be best for me to stand down my public-facing servers until McAfee releases an update to their announcement. No harm for me to do this for the time being.
We've fixed this issue on other machines by taking the libeay32.dll, openssl.exe, and ssleay32.dll from the OpenSSL 1.0.1g package and copying them over the older files. I tried this on the ePO Agent machine, but after I did that the service won't start. Perhaps something with the signature.
McAfee sent us an SNS notice regarding the OpenSSL issue (Heartbleed).
McAfee is aware of the Heartbleed Vulnerability (CVE-2014-0160). This is a vulnerability in OpenSSL that could allow an attacker to gain access to system memory (in 64K chunks) which potentially could contain sensitive information or communications.
McAfee is investigating affected products and will provide additional information via SNS today.
We will just have to wait to see what is the way to fix this issue.
A consolidated Security Bulletin will be published on the McAfee Knowledge Center (support.mcafee.com) and list all affected products.
.. and 11 hours after the SNS message there's still no complete list of affected products available? Srsly?
Message was edited by: roebbu on 4/10/14 11:45:40 AM CEST
Do we all have to open tickets so they check their customer cases one by one, or are they going for a public announcement fix for ePO versions?
I opened a case to get the info and am still waiting on a response to confirm my findings. I believe they will release an SNS notification, but it seems like they are a bit slow to get this out.
Would be good if they just released an SNS with all the products and versions and then filled in the status once they know if it's safe or unsafe etc...
This will be the official kb https://kc.mcafee.com/corporate/index?page=content&id=SB10071 where we will update all affected products and of course via sns as well. http://mcaf.ee/2zon0
ePO is still not on the official list yet.
FYI for those still running EPO 4.5 - This is totally unofficial so try at your own risk. User jickfoo mentioned above that it did not work for him/her. We still have EPO 4.5 that we cannot upgrade currently for various reasons and it is EOL.
I was able to manually drop OpenSSL 1.0.1g binaries on one of our test EPO 4.5.7 servers and it seems to work. Go to the OpenSSL site, click on Related, and there is a link to find Windows binaries. You just need openssl.exe, ssleay32.dll and libeay32.dll. The existing location is in the McAfee\ePolicy Orchestrator\Apache2\bin directory. Stop the EPO services, rename the existing files to .OLD, drop the new ones on there and restart services. Works for me.
If it doesn't work for you, simply stop services, delete new binaries, rename old ones back properly, and restart services again.
Message was edited by: RRMX on 4/10/14 5:52:04 PM PDT
I can confirm that RRMX's (from jickfoo) solution worked for us. We are running ePO 4.6.5.
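The manual binary swap RRMX describes above, including the rollback from the follow-up post, as an added PowerShell example (not code from the thread or from McAfee); the ePO install path, the staging folder holding the downloaded 1.0.1g binaries, and the service names are assumptions to adjust per server:

```powershell
# Added example, not from the thread: scripted OpenSSL binary swap for ePO's Apache2\bin
# with .OLD backups and automatic rollback if the services do not come back up.
param(
    # Assumed default install path; the thread only names the Apache2\bin subdirectory.
    [string]$EpoBin = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\bin',
    # Folder where the OpenSSL 1.0.1g Windows binaries were downloaded (assumption).
    [string]$NewBin = 'C:\temp\openssl-1.0.1g',
    # PLACEHOLDER: replace with the ePO service names shown by Get-Service on your server.
    [string[]]$Services = @('EPO_SERVICE_NAME_PLACEHOLDER')
)
$Files = 'openssl.exe', 'ssleay32.dll', 'libeay32.dll'

# Refuse to touch the server unless all three replacement files are staged.
foreach ($f in $Files) {
    if (-not (Test-Path (Join-Path $NewBin $f))) { throw "Missing $f in $NewBin" }
}

function Swap-Binaries([switch]$Rollback) {
    foreach ($f in $Files) {
        $live = Join-Path $EpoBin $f
        $old  = Join-Path $EpoBin "$f.OLD"
        if ($Rollback) {
            # Restore the original file if a backup exists (the "rename old ones back" step).
            if (Test-Path $old) {
                Remove-Item $live -Force -ErrorAction SilentlyContinue
                Rename-Item $old -NewName $f
            }
        } else {
            # Never overwrite an existing backup; a second run would lose the original.
            if (Test-Path $old) { throw "$old already exists, refusing to overwrite backup" }
            Rename-Item $live -NewName "$f.OLD"
            Copy-Item (Join-Path $NewBin $f) $live
        }
    }
}

Stop-Service -Name $Services -Force
Swap-Binaries
Start-Service -Name $Services -ErrorAction SilentlyContinue

# Mirror the failure seen on the Agent box in the thread: if anything stays down, roll back.
$down = Get-Service -Name $Services | Where-Object { $_.Status -ne 'Running' }
if ($down) {
    Stop-Service -Name $Services -Force
    Swap-Binaries -Rollback
    Start-Service -Name $Services
    throw "Services did not start with the new binaries; restored the .OLD copies"
}

# Report which OpenSSL build now sits in Apache2\bin (expect 1.0.1g after a successful swap).
& (Join-Path $EpoBin 'openssl.exe') version
```

The final `openssl version` line only confirms the files on disk, not that ePO's bundled components have been assessed by the vendor, so the official bulletin SB10071 linked earlier in the thread still governs the supported fix.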