Created on 10-05-2016 01:02 AM Edited on 05-26-2022 07:21 AM By Anonymous
Description
This article addresses the vulnerability found in OpenSSL 1.0.1 through 1.0.1f (inclusive).
Common Vulnerabilities and Exposures (CVE) identifier: CVE-2014-0160
Please see the following link for further details: http://heartbleed.com/
How to check if you are vulnerable:
SSH into each AccelOps Super, Worker, and Collector, checking at least one node of every version you have deployed.
Run the following commands: rpm -qa | grep openssl, then openssl and enter version at the OpenSSL> prompt.
Example output:
[root@super ~]# rpm -qa | grep openssl
openssl-0.9.8e-26.el5_9.1
openssl-0.9.8e-26.el5_9.1
[root@super ~]# openssl
OpenSSL> version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Please compare that to the information below (extracted from heartbleed.com).
Status of different versions:
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
Basically, what the above means:
If you are on OpenSSL 0.9.8 (all revisions in this branch), OpenSSL 1.0.0 (all revisions in this branch), or OpenSSL 1.0.1g and later, you are NOT vulnerable to this bug.
If you are on OpenSSL 1.0.1 through 1.0.1f (inclusive), you ARE vulnerable.
Currently, 3.7.x customers will most likely be running 0.9.8e-fips (as in the output above) and will not be affected.
It is a good idea to double-check whether any modifications or customizations have been made to your AO environment, since those could have changed the OpenSSL version in use.
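As an added example (not part of the original article or of the AccelOps product), the following POSIX shell script automates the comparison above: it pulls the OpenSSL version out of either an rpm package name or a line of openssl version output and classifies it against the affected range the article lists. The function names heartbleed_status and check_host and the sample strings are constructed for this example; the sample lines are modelled on the article's output but are not taken from a real system.

```shell
#!/bin/sh
# Added example, not part of the original article. Classifies an OpenSSL
# version string against the affected range the article quotes for
# CVE-2014-0160 (Heartbleed): 1.0.1 through 1.0.1f are vulnerable;
# 0.9.8*, 1.0.0*, and 1.0.1g or later are not. Anything else is reported
# as "unknown" because the article's table does not cover it.

# heartbleed_status STRING
#   STRING may be a line of `openssl version` output
#   ("OpenSSL 1.0.1e-fips 11 Feb 2013") or an rpm package name
#   ("openssl-0.9.8e-26.el5_9.1"). Prints vulnerable / not vulnerable /
#   unknown and returns 1 / 0 / 2 respectively.
heartbleed_status() {
    # First token of the form X.Y.Z with an optional single patch letter.
    ver=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+[a-z]?' | head -n 1)
    case "$ver" in
        1.0.1|1.0.1[a-f])         echo "vulnerable";     return 1 ;;
        0.9.8*|1.0.0*|1.0.1[g-z]) echo "not vulnerable"; return 0 ;;
        *)                        echo "unknown";        return 2 ;;
    esac
}

# check_host: run the article's two checks on this machine and classify
# every result. Needs rpm and openssl on the PATH, i.e. run it on the
# Super, Worker or Collector itself.
check_host() {
    rpm -qa 2>/dev/null | grep -i '^openssl' | while IFS= read -r pkg; do
        printf '%-40s %s\n' "$pkg" "$(heartbleed_status "$pkg")"
    done
    v=$(openssl version 2>/dev/null) || v=""
    printf '%-40s %s\n' "${v:-openssl not found}" "$(heartbleed_status "$v")"
}

# Constructed sample strings, modelled on the article's output, to show
# each verdict without touching the local system.
for sample in \
    "openssl-0.9.8e-26.el5_9.1" \
    "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" \
    "OpenSSL 1.0.1 14 Mar 2012" \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 1.0.0k-fips 5 Feb 2013"; do
    printf '%-40s %s\n' "$sample" "$(heartbleed_status "$sample")"
done

# Uncomment on the appliance itself to check the live system:
# check_host
```

One caveat a version string cannot settle: Linux distributions often backport a security fix into the package without changing the upstream version number, so a host that reports 1.0.1e may already carry the fix. On RPM-based systems, rpm -q --changelog openssl | grep CVE-2014-0160 shows whether the installed package's changelog records the fix; treat a "vulnerable" verdict from the script as "confirm with the package changelog" rather than as final.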