A security issue and multiple vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise an application using the library.
Score: 0 Posts: 1 User Since: 21st Aug 2014 System Score: N/A Location: US Last edited on 21st Aug, 2014 19:31
The Snare Server is *not affected* by this vulnerability. All released versions of the Snare Server have used an older version of OpenSSL, with the latest being 0.9.8k-7ubuntu8.15 released in Snare Server v6.3.1. No action needs to be taken if you have a Snare Server within your environment. (This includes legacy versions, such as v5 and below.)
Snare Enterprise Agents/Epilog
Snare Enterprise Agents use OpenSSL as part of the TLS encryption method used for transmitting events securely to the collection server.
The *Unix-based Agents* that use SSL/TLS (Snare Enterprise Agent for Linux and Snare Enterprise Agent for OSX) use the version of OpenSSL installed on the *operating system*, and do not come with their own version of OpenSSL.
Upgrading your operating system OpenSSL to a patched version will ensure these Agents are not affected by this vulnerability. The other Unix-based Agents (Snare Enterprise Agent for Solaris and Snare Enterprise Epilog for Unix) do not use SSL/TLS, and are not affected.
The *Windows-based Agents* (Snare Enterprise Agent for Windows, Snare Enterprise Agent for MSSQL, and Snare Enterprise Epilog for Windows) use their own version of OpenSSH, which is version 1.0.1e in the following SNARE Agent Versions:
- Snare Enterprise Agent for Windows v4.2.2
- Snare Enterprise Agent for MSSQL v1.2.2
- Snare Enterprise Epilog for Windows v1.7.2
All releases of these Agents that contain TLS encryption up to these release versions *are affected* by this vulnerability; however, the risk is very low due to the way these Agents use SSL/TLS. There is minimal risk as Snare Enterprise Agents don't run an SSL server, use predefined keys, certificates, or passwords for channel negotiations.
These upgrades are available for SNARE Alliance customers with a support agreement.