Based on a heartbleed check tool looking at my org's SSL VPN sign-in page, it appears MAG devices running 8.0R3.0 are affected. I'm unsure about 7.4R8.0.
I'm shocked there isn't any mention of it in the Security Advisories, nor other sections of the support portal.
I'm hopeful a patch is coming soon as I may wind up needing to unplug my MAG, adding insult to the injury of having to force all my VPN users to change their credentials.
Stewart in the other thread says it is vulnerable, and I also tested and it came back positive.
We also have SSLVPN from Checkpoint and those are not vulnerable.
The Juniper Networks Security Incident Response Team (SIRT) is aware of the vulnerability and working on fixes to address potential risks to some Juniper products. A Juniper Security Advisory will be published soon and updated as new details become available. We encourage our customers to contact Juniper's Customer Support Center for detailed advisories and product updates. We work with customers running vulnerable products very closely to ensure they take the appropriate steps we have identified and deploy any necessary updates or mitigations in a timely manner.
We will post news and bulletins here once they become available.
You may want to subscribe for updates. I was just creating a post to write up about it yesterday, and was about to make the same complaint, when I got the email update. I was up till late in the morning and saw it. As Jewells indicated, it is posted. I guess making a headline about it would just be asking for all hackers and malevolents out there to direct their attention to Juniper devices.
A new product security advisory has been released. This message contains the link to the new Juniper Security Advisory (JSA) that has been released.
JSA10623 2014-04 Out of Cycle Security Bulletin: Multiple products affected by OpenSSL "Heartbleed" issue (CVE-2014-0160)
NOTE: A Security Advisory is a formal notice regarding critical and/or potentially service-affecting hardware and software security issues. The Security Advisory process allows the proactive communication of pertinent information to both customers and partners. Please report any potential or real instances of security vulnerabilities with any Juniper Networks product to the Juniper Networks Security Incident Response Team (Juniper SIRT) at [email protected]
KB29004 is out there with the links to the new downloads.
Appears the fix has been released for a lot of affected products.
When should we expect the new version for Virtual SA appliances (DTE, STE)? We tried upgrading ours to 7.4R9.2 but it failed.