It permits easy retrieval of SSL certificate private keys. I suspect it is because v7.4R8 supports TLS 1.1 and TLS 1.2, and that was not available until OpenSSL v1.
If it is vulnerable please advise whenthe updated firmware will be available.
Is anyone aware of when would the new IVE version be released for Virtual SA (DTE,STE) Appliances ? We are currently running on 7.4R8 tried upgrading it to 7.4R9.2 but it failes package intergrity check.
Ended up moving to 7.4R9.2 and still having issues with Pulse dropping on HC timeouts. After my initial 7.4R9.1 testing, I was unable to reproduce it. Tested more with 7.4R9.2 and didn't have any problems. Figured it was an anonomally and went ahead and deployed 7.4R9.2. Now have atleast 5 Pulse users reporting this disconnection behavior. Some have been resolved with reboots others have not. So far only afflicts Pulse. NC seems unphased.
There is a tool here which confirms our version running 7.4r8 is affected:
I'm just about to log a support ticket to see when this will be available.
8.0R3.0 is affected.
Here is another thread I have opened asking when we will see a Heartbleed fix.
I've opened a support ticket, and support is aware of the vulnerability but have not recieved an official release of information about patches from the security team yet.
I had to install 7.4r8 a couple of months ago to deal with the MS re-write of RDP - alas, it does look vulnerable and with the consent of my Departmental Director I've blocked external access (we are a large institution, impact is high). A patch would be very helpful right now.
Will we also have to refresh our certificates after the patch, given that the private keys must be considered compromised?
So do you guys just stop SSL-VPN service until the issue is resolved?
Yes, they must be considered compromised if the cert was used on a vulnerable host such as SSL VPN. We are facing the same issue.
We've already revoked the cert, the problem is whether we need to shutdown remote access for unknown period of time ...