Message 11 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

I'm using 5.1.0 and ssl is within the list of affected versions. To be safe, I thought it would be best for me to stand down my public facing servers until McAfee releases an update to their announcement. No harm for me to do this for the time being.

Message 12 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

We've fixed this issue on other machines by taking the libeay32.dll, openssl.exe, and ssleay32 from the OpenSSL 1.01g package and copying them over the older files. I tried this on the EPO Agent machine, but after I did that the service won't start. Perhaps something with the signature.

Message 13 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

McAfee sent us an SNS notice regarding the OpenSSL issue (HeartBleed).

McAfee is aware of the Heartbleed Vulnerability (CVE-2014-0160). This is a vulnerability in OpenSSL that could allow an attacker to gain access to system memory (in 64K chunks) which potentially could contain sensitive information or communications.

McAfee is investigating affected products and will provide additional information via SNS today.

We will just have to wait to see what is the way to fix this issue.

Message 14 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

A consolidated Security Bulletin will be published on the McAfee Knowledge Center (support.mcafee.com) and list all affected products.

.. and 11 hours after the SNS message there's still no complete list of affected products available? Srsly?

Message was edited by: roebbu on 4/10/14 11:45:40 AM CEST

Re: ePO - OpenSSL versions (CVE-2014-0160)

Do we all have to open tickets so they check their customer cases one by one or they are going for a public announcement fix for ePO versions?

Message 16 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

I opened a case to get the info and still waiting on a response to confirm my findings. I believe they will release an SNS notification, but seems like they are a bit slow to get this out.

Would be good if they just released an SNS with all the products and versions and then fill in the status once they know if it's safe or unsafe etc...

Message 17 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

This will be the official KB https://kc.mcafee.com/corporate/index?page=content&id=SB10071 where we will update all affected products, and of course via SNS as well. http://mcaf.ee/2zon0

Message 18 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

ePO is still not on the official list yet.

Message 19 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

FYI for those still running EPO 4.5 - This is totally unofficial so try at your own risk. User jickfoo mentioned above that it did not work for him/her. We still have EPO 4.5 that we cannot upgrade currently for various reasons and it is EOL.

I was able to manually drop OpenSSL 1.0.1g binaries on one of our test EPO 4.5.7 servers and it seems to work. Go to the OpenSSL site, click on Related, and there is a link to find Windows binaries. You just need openssl.exe, ssleay32.dll and libeay32.dll. The existing location is in the McAfee\ePolicy Orchestrator\Apache2\bin directory. Stop the EPO services, rename the existing files to .OLD, drop the new ones on there and restart services. Works for me.

If it doesn't work for you, simply stop services, delete new binaries, rename old ones back properly, and restart services again.

Message was edited by: RRMX on 4/10/14 5:52:04 PM PDT
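
An added example, not part of any post in this thread and not McAfee tooling: before and after swapping binaries as described in the post above, the OpenSSL version actually embedded in each file can be read from its banner string and checked against the range affected by CVE-2014-0160. The function names and sample bytes are constructed for illustration; a banner check cannot tell whether a build was compiled with heartbeats disabled.

```python
import re
import sys
from pathlib import Path

# libeay32.dll / ssleay32.dll / openssl.exe embed a banner like
# "OpenSSL 1.0.1e 11 Feb 2013"; pull the version out of the raw bytes.
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-beta\d*)?)(?:-fips)? +\d{1,2} [A-Z][a-z]{2} \d{4}")

def find_versions(data: bytes) -> list:
    """Distinct OpenSSL version strings found in a binary, in order of appearance."""
    seen = []
    for m in BANNER.finditer(data):
        v = m.group(1).decode("ascii")
        if v not in seen:
            seen.append(v)
    return seen

def heartbleed_affected(version: str) -> bool:
    """CVE-2014-0160: 1.0.1 through 1.0.1f and 1.0.2-beta/-beta1; 1.0.1g is fixed."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)(-beta\d*)?", version)
    if m is None:
        raise ValueError("unrecognised OpenSSL version: " + version)
    base, letter, beta = m.groups()
    if base == "1.0.1":
        return letter < "g"          # "" (plain 1.0.1) through "f"
    if base == "1.0.2":
        return beta in ("-beta", "-beta1")
    return False                     # 0.9.8 and 1.0.0 branches have no heartbeat code

def scan_dir(directory: str) -> dict:
    """Map each .dll/.exe in `directory` to [(version, affected), ...]."""
    report = {}
    for path in sorted(Path(directory).iterdir()):
        if path.suffix.lower() in (".dll", ".exe"):
            versions = find_versions(path.read_bytes())
            if versions:
                report[path.name] = [(v, heartbleed_affected(v)) for v in versions]
    return report

# Constructed sample bytes standing in for a DLL's string table (not a real file).
SAMPLE = b"\x00MZ\x90\x00part of OpenSSL 1.0.1e 11 Feb 2013\x00\x00OpenSSL 1.0.1e 11 Feb 2013\x00"

if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. the Apache2\bin directory named in the post
        for name, hits in scan_dir(sys.argv[1]).items():
            print(name, hits)
    else:
        print([(v, heartbleed_affected(v)) for v in find_versions(SAMPLE)])
```

Run it against the directory once before the swap and once after restarting services, so a file that was missed or restored from the .OLD copy shows up as still affected.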
Message 20 of 66

Re: ePO - OpenSSL versions (CVE-2014-0160)

I can confirm that RRMX's (from jickfoo) solution worked for us. We are running ePO 4.6.5.
