2 Replies Latest reply on Aug 13, 2014 1:37 PM by klara

    Email Gateway Vulnerabilities


      Hi everyone,



      We just did a vulnerability scan of the Email Gateway and we found a lot of vulnerabilities. Do you guys know what the process is to resolve those vulnerabilities?


      Do you know any documentation about it?



      These are some of the most critical vulnerabilities:


      • CRIME SSL/TLS attack
      • CRLF injection/HTTP response splitting
      • The Heartbleed Bug


      Thanks a lot for the information,






      Keila Lara

        • 1. Re: Email Gateway Vulnerabilities

          If you believe that there are vulnerabilities in the MEG appliance, the first thing to do is to check the CVE numbers for the vulnerabilities in question against our Knowledge Base.  When we become aware of CVEs people have found when testing our products, we investigate the vulnerability reports and advise as to whether or not we are vulnerable.  In some cases, we find that we are vulnerable and thus fix the issue.  For all CVEs for which you don't find a KB, I recommend calling in to Support and opening a ticket.  When you do that, provide the results of your test, including relevant CVE numbers, to the Support representative.  They can then get the ticket escalated to the SEO (Support Engineering Operations) team so that we can get the issues looked into by Development.  In many cases, we find that the scanning tools indicate vulnerabilities based only upon the presence of features, without taking into account versions of libraries in effect, and thus although it shows a vulnerability, there really isn't one. That said, we want to investigate each potential vulnerability so that we can resolve those issues.

          • 2. Re: Email Gateway Vulnerabilities

            I just found the Heartbleed vulnerability, but nothing else.


            Thanks a lot for your response.