Channel: Ivanti User Community : All Content - General

CVE-2014-0160 aka the HeartBleed bug


LANDESK is aware of the vulnerability in OpenSSL and we are currently investigating it. We will update this document with further information as we have it. We appreciate your patience.

 

As updates become available, including any additional information about how this vulnerability affects LANDESK products and progress on any updates or patches, they will be added to this document.

 

What is this vulnerability?

There is a bug in OpenSSL's implementation of the heartbeat extension (RFC 6520) for the TLS/DTLS transport layer security protocols. When exploited, it leaks memory contents from the server to the client and from the client to the server.

 

From CVE: "The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug."

 

For more information, please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 and http://heartbleed.com/

 

How does this affect LANDESK?

Affected Product(s)

LANDESK Management Suite / Security Suite 9.5 and later

LANDESK Cloud Services Appliance 4.2 with OpenSSL update/patch and later

LANDESK Cloud Services Appliance 4.3 and later

 

Non-Affected Product(s)

LANDESK Management Suite 9.0 and earlier (uses prior, unaffected version of OpenSSL)

LANDESK Cloud Services Appliance 4.2 (without OpenSSL update/patch)

LANDESK Asset Lifecycle Manager

LANDESK Service Desk, including Service Desk as a Service (SDaaS)

Mobility products including Wavelink, Avalanche on Demand, and LANDESK Mobility Management

Shavlik Products

Other LANDESK Cloud Services

 

Additionally, none of the LANDESK customer or partner-facing websites are impacted by this vulnerability.

 

More Details

The following outlines additional details about affected products, services and updates.

 

Internal Network(s)

LANDESK Management Suite Core Server

Can potentially impact communication between the Core and the Cloud Services Appliance. See below for more information about the CSA.

Communication via IIS is not affected.

LANDESK is working on an update to address these concerns and will update this document as appropriate.

Package Server

Any package server being used by LANDESK that might use OpenSSL could be affected, for example an Apache web server or a NAS device. Please check with the appropriate party for an update to these applications or servers.

LANDESK will not be producing any update or change to address any third party applications or servers.

 

LANDESK Management Suite Client

The vulnerable OpenSSL libraries are used in the LANDESK CBA Client component. However, this service operates on non-standard ports. There is also an additional layer of protection afforded by the authentication these services require.

LANDESK is working on an update to address these concerns and will update this document as appropriate.

 

 

External Network(s)

Cloud Services Appliance

All data on the Cloud Services Appliance is encrypted using SHA1. The data that could be exposed through this vulnerability will not grant access to usernames or passwords.

We anticipate we will have a patch for the 4.3 Cloud Services Appliance available by 04/18/2014.

 

- LANDESK Support

