The version I have running in my lab (18.104.22.168.0) is running openssl version 1.0.1e, which according to that link would be vulnerable. I don't know quite how to test this vulnerability, so I can't confirm anything.
From a Google engineer: "these attacks need man-in-the-middle position against the victim and that non-OpenSSL clients (IE, Firefox, Chrome on Desktop and iOS, Safari etc) aren't affected". From that I would think that it is rather hard to inflict damage upon a client. A server would be easier, but that generally won't be an issue as MWG usually only sits on the client-side. Those with reverse proxies may need to look into this a bit further.
According to McAfee's release notes for MWG 22.214.171.124:
When you have upgraded to version 126.96.36.199 and completed the additional activities, you can
verify that your Web Gateway appliance is protected against the vulnerability. For this
purpose, you need to check the OpenSSL version that is then in use.
1 Log on to the appliance from a local system console or remotely, using SSH.
2 Run the following command:
rpm -q openssl
You should see these two lines as output:
These lines show the OpenSSL version that is used by the MLOS 2 (McAfee Linux
Operating System 2) operating system for Web Gateway.
If the version is openssl-1.0.1e-10.mlos2, as shown here, or later, for example,
openssl-1.0.1e-11.mlos2, your appliance is protected. openssl-1.0.1e-10.mlos2
includes the fix that was implemented to address the vulnerability.
I too wondered what was up when I noticed the OpenSSL library version was the same from 188.8.131.52 to 184.108.40.206 but looking at the upgrade logs clearly show the files were changed.
apellepa was refenceing a CVE that came out today, a man in the middle attack with remote code execution potential. The release notes for 220.127.116.11 are addressing the previous issue, the heartbleed vulerability.
A SNS just went out that McAfee is looking into the matter, with more information to be forthcoming:
McAfee is aware of the June 5, 2014 CERT announcement (CVE-2014-0224) regarding OpenSSL vulnerabilities and subsequent OpenSSL releases for versions 0.9.8, 1.0.0, and 1.0.1 These releases address several security issues.
The security of our customers is paramount at McAfee. Upon learning of possible security issues with OpenSSL, McAfee began its investigation into which products might require the newly-released patched versions of OpenSSL.
McAfee Products Not Using OpenSSL
Under review — we will provide an updated SNS as soon as possible.
McAfee will provide information on any impacted products as soon as that information becomes available. The following independent organizations are providing incident information:
OpenSSL.org — https://www.openssl.org/news/secadv_20140605.txt
Yes just realised that, my bad.
Hopefully they'll be more proactive than with the HB vuln. where they took weeks to confirm products affected...
This is addressed in 18.104.22.168 and 22.214.171.124. Both are available for download now.
Web Gateway 126.96.36.199 build 17592 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD25231
Web Gateway 188.8.131.52 build 17593 Release Notes - https://kc.mcafee.com/corporate/index?page=content&id=PD25232
For other McAfee Products check out the general Security Bulletin:
McAfee Security Bulletin – Seven OpenSSL vulnerabilities patched in McAfee products - https://kc.mcafee.com/corporate/index?page=content&id=SB10075