McAfee ePO 5.0.1 and CVE-2014-3571 (OpenSSL)


Hi,

I received a notification this morning regarding eight new OpenSSL vulnerabilities. My question is, how do I:

Check what OpenSSL version is installed.

Will McAfee launch an update for this vulnerability?

I'm a little in the dark regarding this matter, so any help is appreciated.

Thanks in advance.


Re: McAfee ePO 5.0.1 and CVE-2014-3571 (OpenSSL)


Hi,

You can check which version of OpenSSL your ePO server is using by checking the Product Version property on the ssleay32.dll file (under the Details tab), which can be found in the <ePO Install folder>\Apache2\bin folder.

The latest update for ePO 5.0.1 was HF1014944, released Nov 4 2014, which can be downloaded from the Products Download page once you have entered your grant number.

ePolicy Orchestrator Hotfix 1014944 updates OpenSSL to address CVE-2014-3513 and CVE-2014-3567.


I'll try and find out when McAfee intend to release another update to update OpenSSL to version 1.0.1k to address CVE-2014-3571, although ePO 5.1.2 is due soon and may be included in this release.


Regards


Rich
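
The check described in the reply above, scripted in PowerShell as an added example (not McAfee's or the poster's code): it reads the Product Version of ssleay32.dll and compares it with 1.0.1k, the release the reply names for CVE-2014-3571. $EpoRoot is a placeholder for the ePO install folder, the function names are hypothetical, and the version-string format (for example 1.0.1j) is an assumption.

```powershell
# Added example, not McAfee's code. $EpoRoot is a placeholder for <ePO Install folder>.
param(
    [string]$EpoRoot  = 'C:\Path\To\ePO',  # placeholder: set to your install folder
    [string]$Baseline = '1.0.1k'           # release the thread names for CVE-2014-3571
)

function ConvertTo-OpenSslVersion {
    param([string]$Text)
    # Assumed format: major.minor.fix plus optional lowercase patch letter ("1.0.1j").
    if ($Text -cnotmatch '(\d+)\.(\d+)\.(\d+)([a-z]?)') {
        throw "Unrecognised OpenSSL version string: '$Text'"
    }
    $letter = 0
    if ($Matches[4]) { $letter = [int][char]$Matches[4] - [int][char]'a' + 1 }
    # Parts compare element by element: 1.0.1 < 1.0.1a < 1.0.1k < 1.0.2
    return @{
        Text  = $Matches[0]
        Parts = @([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], $letter)
    }
}

function Compare-OpenSslVersion {
    param($Left, $Right)
    # Returns -1, 0 or 1, like a conventional comparer.
    for ($i = 0; $i -lt 4; $i++) {
        if ($Left.Parts[$i] -ne $Right.Parts[$i]) {
            return [Math]::Sign($Left.Parts[$i] - $Right.Parts[$i])
        }
    }
    return 0
}

$dll = Join-Path $EpoRoot 'Apache2\bin\ssleay32.dll'
if (-not (Test-Path -LiteralPath $dll)) { throw "Not found: $dll" }

# Same value Explorer shows as "Product version" on the Details tab.
$productVersion = (Get-Item -LiteralPath $dll).VersionInfo.ProductVersion
$installed = ConvertTo-OpenSslVersion $productVersion
$wanted    = ConvertTo-OpenSslVersion $Baseline

$state = 'at or above'
if ((Compare-OpenSslVersion $installed $wanted) -lt 0) { $state = 'older than' }
"{0}: OpenSSL {1} is {2} {3}" -f $dll, $installed.Text, $state, $Baseline
```

A result of "older than" only shows that the bundled library predates that release; as the later reply in this thread reports, whether a given CVE applies also depends on which OpenSSL functionality the product uses.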

Re: McAfee ePO 5.0.1 and CVE-2014-3571 (OpenSSL)


Thank you, I'll be waiting for feedback regarding this latest CVE. I hope McAfee will eventually address it.

I'm aware of previous SSL vulnerabilities and they have been patched here. I posted about this last CVE because I received the alert through us-cert.gov and not through McAfee.

Thanks

Re: McAfee ePO 5.0.1 and CVE-2014-3571 (OpenSSL)


Hello, is there any update regarding this CVE? I did another search today but there's still no word or official documentation regarding this vulnerability.

I wonder if it is okay to download the updated version of OpenSSL and replace the file(s), backing up the previous versions? It's a production server, so I mean to avoid any unnecessary risks and do things the official way.

Thanks


Re: McAfee ePO 5.0.1 and CVE-2014-3571 (OpenSSL)


Not the answer you are looking for right now but ePO 5.0.1 is now End-Of-Life as of 31/12/2014 and McAfee have confirmed you will need to upgrade to ePO 5.1.1.

I have pointed out that the exposure is still present in version 5.1.1 and I am trying to get an answer regarding ePO 5.1.1.

Regards

Rich

Re: McAfee ePO 5.0.1 and CVE-2014-3571 (OpenSSL)


I have raised a support ticket with McAfee which has now been escalated to Engineering for investigation.

Rich

Re: McAfee ePO 5.0.1 and CVE-2014-3571 (OpenSSL)


Hi all.

McAfee have requested Vulnerability Scanner results to help diagnose, but OpenVAS has not identified our ePO 5.1.1 server to be exposed to CVE-2014-3571.

Are you able to run a scanner against your ePO server to test?

Regards

Rich

Volunteer Moderator

Re: McAfee ePO 5.0.1 and CVE-2014-3571 (OpenSSL)


Hi,


I have heard back from McAfee support today; they have escalated to Tier III to get some confirmation regarding exposure.


Regards

Rich

Volunteer Moderator 

Certified McAfee Product Specialist - ePO

Re: McAfee ePO 5.0.1 and CVE-2014-3571 (OpenSSL)


Hi midnightdevil 


I have had a response from McAfee containing a published document dated Jan 29th 2015 (McAfee Sustaining Statement SSC1501291).

"CVE-2015-0206 and CVE-2014-3571 do not apply because ePO does not use DTLS functionality. The only item that may be relevant to ePO is: CVE-2014-3569." and McAfee propose a patch to ePO 4.6.9 and 5.1.2 in Q1 2015 to cover CVE-2014-3569.

I can give you a more technical response if required.

So, to cover your initial query, ePO is not exposed to CVE-2014-3571.


Regards

Rich

Volunteer Moderator 

Certified McAfee Product Specialist-ePO





Re: McAfee ePO 5.0.1 and CVE-2014-3571 (OpenSSL)


Thank you fellas, thanks everyone who helped. This issue can be closed now. Thanks to you all!

MD
