26 Replies Latest reply on Apr 14, 2014 6:40 AM by asabban

    OpenSSL CVE-2014-0160

    sthe

      Hello

       

      Is McAfee Web Gateway 7.3.2.7 vulnerable? As I see it uses OpenSSL 1.0.1e which is vulnerable.

       

      Details

      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

      http://www.kb.cert.org/vuls/id/720951

      https://www.openssl.org/news/secadv_20140407.txt

      http://heartbleed.com/

       

      Stefan

       

      Message was edited by: sthe on 4/8/14 10:41:49 AM CEST

       

      Message was edited by: sthe on 4/8/14 10:42:27 AM CEST
        • 1. Re: OpenSSL CVE-2014-0160
          asabban

          Hello,

           

          it is possible that MWG is vulnerable, but investigations are currently ongoing. There should be an official announcement later. If you need some official information immediately, I recommend filing a service request with technical support.

           

          Best,

          Andre

          • 2. Re: OpenSSL CVE-2014-0160
            sthe

            Hello Andre

             

            Thank you for your fast reply. I would appreciate any further details as soon as they are available.

            If MWG is vulnerable there are some more questions to come...

             

            Thanks

             

            Stefan

            • 3. Re: OpenSSL CVE-2014-0160
              asabban

              Hello,

               

              further details are available. Since this is security related we would like to avoid discussing details in a public space. Please file a service request with technical support, they will provide you with the latest available information. I have talked to them and they are awaiting you :-)

               

              Best,

              Andre

              • 4. Re: OpenSSL CVE-2014-0160
                sthe

                Hello Andre

                 

                SR is filed

                 

                I am not going to post details about the answer I get. I keep it confidential.

                 

                Can you update the post when official information is available?

                I think other people are also interested.

                 

                Best

                 

                Stefan

                • 5. Re: OpenSSL CVE-2014-0160
                  asabban

                  Thank you,

                   

                  I talked to the support manager and there will be an official response in the form of an SNS (support notification service). I encourage every customer to subscribe, as important official information is provided through this channel. You can find more details on

                   

                  https://kc.mcafee.com/corporate/index?page=content&id=KB67828

                   

                  Please look out for the SNS which will contain all necessary information. I am not allowed to give any kind of official response, so please follow the notification. In case questions remain I still recommend filing an SR with support to have some official response and updates.

                   

                  Besides that certainly I am happy to help :-)

                   

                  Best,

                  Andre

                  1 of 1 people found this helpful
                  • 6. Re: OpenSSL CVE-2014-0160
                    jbmartin6

                    We're still waiting for an SNS. How hard is it to test the products and let customers know which components are vulnerable so they can make appropriate risk decisions? By all means, let all your customers test individually, customers' time has no value, right?

                    • 7. Re: OpenSSL CVE-2014-0160
                      pwn3r

                      I had to create an account just to throw this out there. This product IS vulnerable. I have tested with a copy of a tool internally and externally against this product. It IS vulnerable and it took me less than 10 minutes to prove that. Let's get some action here McAfee... some of us have certs that we would rather not have to re-issue, and replace on hundreds or thousands of devices.

                      • 8. Re: OpenSSL CVE-2014-0160
                        jbmartin6

                        What aspect of MWG is vulnerable? I ran an exploit against the management console and it wasn't vulnerable. Do you mean the proxy's SSL interception function is vulnerable?

                        • 9. Re: OpenSSL CVE-2014-0160
                          Travler

                          sthe wrote:

                           

                          Is McAfee Web Gateway 7.3.2.7 vulnerable? As I see it uses OpenSSL 1.0.1e which is vulnerable.


                          How did you determine this?  I'd like to check my version but don't know where to go to see this information.

                           

                          Thanks!
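
On the question of how to tell which OpenSSL build a system runs: the following is an added example, not part of any post in this thread and not McAfee guidance. It classifies the text printed by `openssl version -a` against the affected range given in the OpenSSL advisory linked in the first post (1.0.1 through 1.0.1f and 1.0.2-beta/beta1, fixed in 1.0.1g). It assumes shell access to the system, which an appliance may not offer; the function name, result labels and sample outputs are constructed for illustration.

```python
import re

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips ...",
# "OpenSSL 1.0.2-beta1 ...". Suffixes such as "-fips" are ignored.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")

def classify(version_output: str) -> str:
    """Classify `openssl version -a` text for CVE-2014-0160 exposure.

    Result labels (hypothetical, defined for this example):
      not-affected        version outside the advisory's affected range
      mitigated-at-build  in range, but built with -DOPENSSL_NO_HEARTBEATS
      check-vendor-patch  in range; distributors often backport fixes
                          without changing the version string, so confirm
                          against the vendor's package changelog or advisory
      unknown             no OpenSSL version string found
    """
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    base = tuple(int(g) for g in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if base == (1, 0, 1):
        in_range = letter in ("", "a", "b", "c", "d", "e", "f")
    elif base == (1, 0, 2):
        in_range = beta in ("-beta", "-beta1")
    else:
        in_range = False  # 0.9.8 and 1.0.0 branches lack the heartbeat code
    if not in_range:
        return "not-affected"
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "mitigated-at-build"
    return "check-vendor-patch"

# Constructed sample outputs (not captured from any real appliance).
SAMPLE_101E = "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_THREADS -O2\n"
SAMPLE_NO_HB = ("OpenSSL 1.0.1e-fips 11 Feb 2013\n"
                "compiler: gcc -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O2\n")
SAMPLE_101G = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -DOPENSSL_THREADS -O2\n"

if __name__ == "__main__":
    for sample in (SAMPLE_101E, SAMPLE_NO_HB, SAMPLE_101G):
        print(sample.splitlines()[0], "->", classify(sample))
```

A result of `check-vendor-patch` means the version string alone cannot settle the question, which is why the vendor's notification remains the authoritative answer for a packaged product.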
