K1000 SSL Heartbleed bug
How quickly can we expect a patch for our K1000 and the SSL Heartbleed bug?
Answers (3)
The K1000 and K2000 are running on a "safe" version.
The K3000 is affected.
There will be a quick patch release.
http://www.kace.com/de/support/resources/kb/solutiondetail?sol=SOL122931
(I assume this week, but we will see)
Comments:
-
Thanks Nico_K. Just curious, which version does the K1000 run on? Just good to know - johe 10 years ago
Hi guys, just to make this more clear, if I have issued the certs for the K3000 via the K1000 appliance, there's no problem? I am confused.
Comments:
-
You are still vulnerable.
The Heartbleed issue doesn't affect cert generation (or anything cryptographic at all as such). It affects how heartbeat packets sent from a client are handled internally, where you can do a "buffer underflow" attack making the server leak memory contents (this is the issue: that memory content can be anything, including encryption keys, username/password, etc). You also can NOT turn this behaviour off with less than recompiling OpenSSL with the proper affected heartbeat code left out completely.
This means that every installation of OpenSSL 1.0.1 (pre 1.0.1g) (that is connected to a network with the ability to accept encrypted connections) is very much vulnerable no matter what you do. - TomasKS 10 years ago
The vulnerability CVE-2014-0160 you are referring to here is only affecting "(1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g" (so 1.0.2 beta as well). This information can be retrieved via https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
We are using OpenSSL 0.9.8y 5 from February 2013 on our appliances which means to our current knowledge we are not affected by this. - tk72 10 years ago
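An added example, not part of the original thread or of any KACE tooling: a Python check that classifies `openssl version` banners against the range quoted in the answer above (1.0.1 before 1.0.1g, plus 1.0.2-beta1). The host names and banners in the inventory are constructed sample data.

```python
import re

# Upstream version token as printed by `openssl version`,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> (1, 0, 1), "e", "".
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.I)


def parse_openssl_version(banner):
    """Return ((major, minor, fix), letter, prerelease) or None if unparseable."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    numeric = tuple(int(m.group(i)) for i in (1, 2, 3))
    return numeric, m.group(4).lower(), (m.group(5) or "").lower()


def heartbleed_status(banner):
    """Classify a banner against the CVE-2014-0160 range quoted in the thread."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    numeric, letter, prerelease = parsed
    if numeric == (1, 0, 1):
        # 1.0.1 (and its betas) through 1.0.1f are affected; 1.0.1g has the fix.
        # Compare (length, text) so a two-letter suffix sorts after "z".
        return "affected" if (len(letter), letter) < (1, "g") else "not affected"
    if numeric == (1, 0, 2) and prerelease == "beta1":
        # OpenSSL's advisory lists 1.0.2-beta1 as affected, fixed in 1.0.2-beta2.
        return "affected"
    # 0.9.8 and 1.0.0 never shipped the heartbeat extension.
    return "not affected"


def triage(inventory):
    """Map {host: banner} to a sorted list of hosts needing a patch or review."""
    return sorted(h for h, b in inventory.items()
                  if heartbleed_status(b) != "not affected")


# Constructed inventory; host names are placeholders.
SAMPLE_INVENTORY = {
    "appliance-a.example": "OpenSSL 0.9.8y 5 Feb 2013",
    "appliance-b.example": "OpenSSL 1.0.1e 11 Feb 2013",
    "appliance-c.example": "OpenSSL 1.0.1g 7 Apr 2014",
    "appliance-d.example": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "appliance-e.example": "banner not readable",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(host, heartbleed_status(SAMPLE_INVENTORY[host]))
```

`openssl version` reports the upstream release only, and vendors often backport the fix without changing that string, so treat "affected" as a prompt to verify the installed package rather than as proof.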
http://www.kace.com/support/resources/kb/solutiondetail?sol=SOL122931 - HomerM 10 years ago