How quickly can we expect a patch for our K1000 and the SSL Heartbleed bug?


Comments

  • Or....is our KACE using a different version of OpenSSL that is not an issue?
  • Here's Dell's answer:
    http://www.kace.com/support/resources/kb/solutiondetail?sol=SOL122931
  • Perfect, thank you for the replies. Just trying to make sure all my appliances and servers are updated.

Community Chosen Answer

2

The K1000 and K2000 are running on a "safe" version.

The K3000 is affected.
There will be a quick patch release.
http://www.kace.com/de/support/resources/kb/solutiondetail?sol=SOL122931
(I assume this week, but we will see.)

Answered 04/09/2014 by: Nico_K
Red Belt

  • Thanks Nico_K. Just curious, which version does the K1000 run on? Just good to know.

Answers

1

Hi guys, just to make this more clear, if I have issued the certs for the K3000 via the K1000 appliance, there's no problem? I am confused.

Answered 04/10/2014 by: elvenil
Senior Purple Belt

  • You are still vulnerable.
    The Heartbleed issue doesn't affect cert generation (or anything cryptographic at all as such); it affects how heartbeat packets sent from a client are handled internally, where you can do a "buffer underflow" attack making the server leak memory contents (this is the issue: that memory content can be anything, including encryption keys, username/password, etc.). You also can NOT turn this behaviour off with less than recompiling OpenSSL with the affected heartbeat code left out completely.

    This means that every installation of OpenSSL 1.0.1 (pre 1.0.1g) that is connected to a network with the ability to accept encrypted connections is very much vulnerable, no matter what you do.
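To make the "how heartbeat packets are handled" point concrete, here is an added example (not OpenSSL's code and not posted by anyone in this thread) of the check that was missing before 1.0.1g: a heartbeat record is type (1 byte), declared payload length (2 bytes, big-endian), payload, and at least 16 bytes of padding, and the handler must confirm that the declared length actually fits inside the bytes received before echoing the payload. The record bytes below are constructed for the demo.

```c
/* Simplified TLS heartbeat validator modelled on the bounds check OpenSSL 1.0.1g
 * added. Added example, not OpenSSL's code. Layout (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Returns the payload length to echo, or -1 if the declared length does not
 * fit inside the 'len' bytes actually received (the Heartbleed condition). */
int heartbeat_payload_len(const unsigned char *buf, size_t len) {
    if (len < 1 + 2 + HB_PADDING) return -1;      /* cannot even hold header + padding */
    if (buf[0] != HB_REQUEST) return -1;
    unsigned int payload = ((unsigned int)buf[1] << 8) | buf[2];
    /* Pre-1.0.1g code trusted 'payload' and copied that many bytes from the
     * request buffer into the reply; this comparison is what was missing. */
    if (1 + 2 + (size_t)payload + HB_PADDING > len) return -1;
    return (int)payload;
}

/* Builds the reply from a validated request. Returns bytes written, or -1. */
int heartbeat_response(const unsigned char *req, size_t req_len,
                       unsigned char *out, size_t out_len) {
    int payload = heartbeat_payload_len(req, req_len);
    if (payload < 0) return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (out_len < need) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + 3, req + 3, (size_t)payload);    /* only the validated bytes */
    memset(out + 3 + payload, 0, HB_PADDING);     /* real code uses random padding */
    return (int)need;
}

/* Constructed sample: 5-byte payload "hello", remaining 16 bytes zero padding. */
static unsigned char sample_record[1 + 2 + 5 + HB_PADDING] =
    { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

int demo_well_formed(void) {          /* declared 5 fits in 24 bytes -> 5 */
    return heartbeat_payload_len(sample_record, sizeof sample_record);
}
int demo_mismatched_length(void) {    /* same bytes, length field says 65535 -> -1 */
    unsigned char rec[sizeof sample_record];
    memcpy(rec, sample_record, sizeof rec);
    rec[1] = 0xFF; rec[2] = 0xFF;
    return heartbeat_payload_len(rec, sizeof rec);
}
int demo_response_len(void) {         /* 1 + 2 + 5 + 16 -> 24 */
    unsigned char out[64];
    return heartbeat_response(sample_record, sizeof sample_record, out, sizeof out);
}
```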
0

The vulnerability CVE-2014-0160 you are referring to here is only affecting "(1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g" (so 1.0.2 beta as well); this information can be retrieved via https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

We are using OpenSSL 0.9.8y 5 from February 2013 on our appliances, which means to our current knowledge we are not affected by this.

Answered 04/09/2014 by: tk72
Senior White Belt
