Unfortunately bouncing the box didn't resolve the issue. I agree with your statement on the risk. The potential data loss here is minimal and I was looking for a quick fix in waiting for McAfee to deliver an approved solution.
Interesting that you got those results. We replaced the .exe and dll on a few of our ePO boxes as a test, then rebooted them and rescanned with updated Nexpose (they updated the signatures for this again today) and scan clean for CVE-2014-0160. After seeing your post I also checked our public ones against http://filippo.io/Heartbleed/ and it also reports them as clean.
After doing the file replacement as mentioned before, our security team scanned the server and it came back clean. Note: you must use the 32 bit version of 1.0.1g not the 64 bit version. When I tried at first with 64 bit it did not work. Had to use the 32 bit binaries.
Excellent point tcox8, thanks for mentioning that. I used the 32bit versions as well.
Running ePO 4.6.7 and confirmed OpenSSL version as 1.0.1e which is affected, but not listed on the latest SNS. I'm a bit perplexed as well.
Unlikely to get an 'official' confirmation of the impacted status until a patch is ready. Nature of the beast.
Recommend contextual risk assessment and action appropriate to your environment.
Still nothing? Well no big deal. Not like they are a security company or anything. Oh wait..
Hotfixes for ePO versions are now available: please see the updated bulletin at SB10071 for details.
Regards -
Joe
Hey everyone, I'll try to simplify the steps for you all:
The only problem with the provided HF (thank you by the way); only problem so far is that it will not install on FIPS enabled servers. Log file indicates FIPS is not compatible.
Any suggestions?