Moderately critical

OpenSSL Multiple Vulnerabilities

Release Date:  2014-06-05    Last Update:  2014-07-28    Views:  3,863

Secunia Advisory SA58403

Description


A security issue and multiple vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise an application using the library.


Subject: OpenSSL Multiple Vulnerabilities

User Message
mrieger7 RE: OpenSSL Multiple Vulnerabilities
New Member 21st Aug, 2014 19:31
The Snare Server is *not affected* by this vulnerability. All released versions of the Snare Server have used an older version of OpenSSL, with the latest being 0.9.8k-7ubuntu8.15 released in Snare Server v6.3.1. No action needs to be taken if you have a Snare Server within your environment. (This includes legacy versions, such as v5 and below.)

Snare Enterprise Agents/Epilog

Snare Enterprise Agents use OpenSSL as part of the TLS encryption method used for transmitting events securely to the collection server.

The *Unix-based Agents* that use SSL/TLS (Snare Enterprise Agent for Linux and Snare Enterprise Agent for OSX) use the version of OpenSSL installed on the *operating system*, and do not come with their own version of OpenSSL.

Upgrading your operating system OpenSSL to a patched version will ensure these Agents are not affected by this vulnerability. The other Unix-based Agents (Snare Enterprise Agent for Solaris and Snare Enterprise Epilog for Unix) do not use SSL/TLS, and are not affected.

The *Windows-based Agents* (Snare Enterprise Agent for Windows, Snare Enterprise Agent for MSSQL, and Snare Enterprise Epilog for Windows) use their own version of OpenSSH, which is version 1.0.1e in the following SNARE Agent Versions:

- Snare Enterprise Agent for Windows v4.2.2

- Snare Enterprise Agent for MSSQL v1.2.2

- Snare Enterprise Epilog for Windows v1.7.2

All releases of these Agents that contain TLS encryption up to these release versions *are affected* by this vulnerability; however, the risk is very low due to the way these Agents use SSL/TLS. There is minimal risk as Snare Enterprise Agents don't run an SSL server, use predefined keys, certificates, or passwords for channel negotiations.

These upgrades are available for SNARE Alliance customers with a support agreement.

- Snare Enterprise Agent for Windows v4.2.3

- Snare Enterprise Agent for MSSQL v1.2.3

- Snare Enterprise Epilog for Windows v1.7.3

For technical support go to: https://www.snarealliance.com/snare-technical-supp...
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144