cancel
Showing results for 
Search instead for 
Did you mean: 

Please confirm whether your firmware is affected by the new OpenSSL defect

Highlighted
Frequent Contributor

Please confirm whether your firmware is affected by the new OpenSSL defect

It permits easy retrieval of SSL certificate private keys. I suspect it is because v7.4R8 supports TLS 1.1 and TLS 1.2, and that was not available until OpenSSL v1.

 

If it is vulnerable please advise whenthe updated firmware will be available.

 

Thanks,

 

Ray

42 REPLIES 42
Highlighted
New Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

Is anyone aware  of when would the new IVE version be released for Virtual SA (DTE,STE) Appliances ? We are currently running on 7.4R8 tried upgrading it to 7.4R9.2 but it failes package intergrity check.

Highlighted
Occasional Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

Ended up moving to 7.4R9.2 and still having issues with Pulse dropping on HC timeouts. After my initial 7.4R9.1 testing, I was unable to reproduce it. Tested more with 7.4R9.2 and didn't have any problems. Figured it was an anonomally and went ahead and deployed 7.4R9.2. Now have atleast 5 Pulse users reporting this disconnection behavior. Some have been resolved with reboots others have not. So far only afflicts Pulse. NC seems unphased.

Highlighted
Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

There is a tool here which confirms our version running 7.4r8 is affected:

 

http://filippo.io/Heartbleed/

 

I'm just about to log a support ticket to see when this will be available.

Highlighted
New Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

8.0R3.0 is affected.

 

Here is another thread I have opened asking when we will see a Heartbleed fix.

Highlighted
Not applicable

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

I've opened a support ticket, and support is aware of the vulnerability but have not recieved an official release of information about patches from the security team yet.

Highlighted
Not applicable

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

I had to install 7.4r8 a couple of months ago to deal with the MS re-write of RDP - alas, it does look vulnerable and with the consent of my Departmental Director I've blocked external access (we are a large institution, impact is high). A patch would be very helpful right now.

 

Will we also have to refresh our certificates after the patch, given that the private keys must be considered compromised?

Highlighted
Occasional Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

So do you guys just stop SSL-VPN service until the issue is resolved?

Highlighted
Not applicable

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

Yes, they must be considered compromised if the cert was used on a vulnerable host such as SSL VPN.  We are facing the same issue.

Highlighted
Occasional Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

We've already revoked the cert, the problem is whether we need to shutdown remote access for unknown period of time ...