Moderately critical

OpenSSL Multiple Vulnerabilities

Release Date:  2014-06-05    Last Update:  2015-03-19    Views:  4,605

Secunia Advisory SA58403

Description


A security issue and multiple vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise an application using the library.


Subject: OpenSSL Multiple Vulnerabilities

User Message
mrieger7 RE: OpenSSL Multiple Vulnerabilities
Member 21st Aug, 2014 19:31
Score: 0
Posts: 1
User Since: 21st Aug 2014
System Score: N/A
Location: US
Last edited on 21st Aug, 2014 19:31
The Snare Server is *not affected* by this vulnerability. All released versions of the Snare Server have used an older version of OpenSSL, with the latest being 0.9.8k-7ubuntu8.15 released in Snare Server v6.3.1. No action needs to be taken if you have a Snare Server within your environment. (This includes legacy versions, such as v5 and below.)

Snare Enterprise Agents/Epilog

Snare Enterprise Agents use OpenSSL as part of the TLS encryption method used for transmitting events securely to the collection server.

The *Unix-based Agents* that use SSL/TLS (Snare Enterprise Agent for Linux and Snare Enterprise Agent for OSX) use the version of OpenSSL installed on the *operating system*, and do not come with their own version of OpenSSL.

Upgrading your operating system OpenSSL to a patched version will ensure these Agents are not affected by this vulnerability. The other Unix-based Agents (Snare Enterprise Agent for Solaris and Snare Enterprise Epilog for Unix) do not use SSL/TLS, and are not affected.

The *Windows-based Agents* (Snare Enterprise Agent for Windows, Snare Enterprise Agent for MSSQL, and Snare Enterprise Epilog for Windows) use their own version of OpenSSH, which is version 1.0.1e in the following SNARE Agent Versions:

- Snare Enterprise Agent for Windows v4.2.2

- Snare Enterprise Agent for MSSQL v1.2.2

- Snare Enterprise Epilog for Windows v1.7.2

All releases of these Agents that contain TLS encryption up to these release versions *are affected* by this vulnerability; however, the risk is very low due to the way these Agents use SSL/TLS. There is minimal risk as Snare Enterprise Agents don't run an SSL server, use predefined keys, certificates, or passwords for channel negotiations.

These upgrades are available for SNARE Alliance customers with a support agreement.

- Snare Enterprise Agent for Windows v4.2.3

- Snare Enterprise Agent for MSSQL v1.2.3

- Snare Enterprise Epilog for Windows v1.7.3

For technical support go to: https://www.snarealliance.com/snare-technical-supp...