Software Engineering Institute

Notified:  April 08, 2014 Updated: April 09, 2014

Statement Date:   April 09, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We have determined that the following products are vulnerable:

FortiGate (FortiOS) 5.0 and higher
FortiAuthenticator 3.0 and higher
FortiMail 5.0 and higher
FortiVoice (all versions)
FortiRecorder (all versions)

Vendor References

• http://www.fortiguard.com/advisory/FG-IR-14-011/

Notified:  April 08, 2014 Updated: April 09, 2014

Statement Date:   April 08, 2014

Status

Affected

Vendor Statement

FreeBSD 10.0-RELEASE, 10.0-STABLE and 11.0-CURRENT have been patched

for this issue (CVE-2014-0160/VU #720951), both in source and binary
(via freebsd-update) forms. Earlier FreeBSD releases are not affected
by this issue.

Vendor References

• http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc

Notified:  April 08, 2014 Updated: April 23, 2014

Statement Date:   April 23, 2014

Status

Affected

Vendor Statement

We have determined that GTA firewalls running the following versions of GB-OS are vulnerable and should be upgraded to the indicated version.

GB-OS version 6.1.0 to 6.1.5 are vulnerable and should upgrade to GB-OS 6.1.6
GB-OS version 6.0.0 to 6.0.7 are vulnerable and should upgrade to GB-OS 6.0.8

Customers using GTA firewalls with an unsupported version of GB-OS should upgrade to a currently supported version.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Notified:  April 08, 2014 Updated: May 27, 2014

Statement Date:   April 16, 2014

Status

Affected

Vendor Statement

Hitachi has published the below advisory on its website. Please refer
the advisory for additional information. This advisory includes
Hitachi products for Industrial Control Platform.

HIRT-PUB14005: OpenSSL TLS heartbeat extension read overrun issue in
Hitachi products (VU#720951, CVE-2014-0160)
http://www.hitachi.com/hirt/publications/hirt-pub14005/index.html

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• http://www.hitachi.com/hirt/publications/hirt-pub14005/index.html

Updated:  April 15, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Recently a serious security vulnerability was discovered in the OpenSSL
cryptographic software
library. MarkLogic application servers can be configured to use SSL, and
MarkLogic uses OpenSSL to
provide this capability. A patch to OpenSSL has been released to address
this vulnerability, and
MarkLogic has built patches for all impacted MarkLogic versions with
OpenSSL 1.0.1g to incorporate
this new fix.



Impacted Versions



The following versions of MarkLogic are impacted by this vulnerability:

·            MarkLogic 5.0-5 through 5.0-6

·            All versions of MarkLogic 6.0 (6.0-1 through 6.0-5)

·            All versions of MarkLogic 7.0 (7.0-1 through 7.0-2.2),
including the MarkLogic AMIs



MarkLogic versions prior to 5.0-5 use an earlier version of OpenSSL that
does not have this
vulnerability.



How to Patch



We recommend that customers who are using SSL patch their systems
immediately. To do this:

1.          Upgrade your cluster to the patch release, available at
http://developer.marklogic.com/products.

Patch release versions are as follows:

o   MarkLogic 5.0-6.1

o   MarkLogic 6.0-5.1

o   MarkLogic 7.0-2.3

2.          Regenerate all SSL certificates for your cluster. This is
necessary because the
vulnerability is such that private keys for your certificates are
potentially compromised. See
𠇌onfiguring SSL on App Servers” in the documentation:

o   MarkLogic 5 documentation:
http://docs.marklogic.com/5.0/guide/admin/SSL#chapter

o   MarkLogic 6 documentation:
http://docs.marklogic.com/6.0/guide/admin/SSL#chapter

o   MarkLogic 7 documentation:
http://docs.marklogic.com/guide/admin/SSL#chapter

3.          If you are using BASIC or Application Level Authentication over
SSL, have all your
users change their passwords after you've patched and deployed new SSL
certificates. This includes
both internal users in our security database, and anyone using external
authentication (which
requires BASIC authentication over SSL). This is necessary because the
vulnerability may have
resulted in password leaks.



If you have any questions about how to patch, feel free to contact
support@marklogic.com.



More information about the heartbleed vulnerability can be found at
http://heartbleed.com or
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160.

Updated:  May 05, 2014

Statement Date:   May 05, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

http://nvidia.custhelp.com/app/answers/detail/a_id/3492

Notified:  April 08, 2014 Updated: April 08, 2014

Statement Date:   April 08, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

NetBSD is vulnerable (in the version 6 train, not in the version 5 train) pkgsrc is vulnerable (1.0.1 versions of OpenSSL packages below 1.0.1g, no surprises there)

Vendor References

• http://mail-index.netbsd.org/security-announce/2014/04/08/msg000085.html

Notified:  April 08, 2014 Updated: April 17, 2014

Statement Date:   April 17, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Heartbleed bug – Public and Client Communication

Dear Unisys client,

Unisys prides itself on ensuring the mission-critical operations of our clients – and the security of your systems is a priority for us. I am writing to let you know how we are addressing any risks related to the Heartbleed bug that has been reported in the news and to provide you with information that may help you address your own risks.

Heartbleed is a software bug in the OpenSSL technology used to create a secure link over the Internet between a server and a computer asset such as a laptop or PC. The bug, which has existed for about two years but was only publicly disclosed last week, is believed to have affected a significant number of websites globally.

Unisys has undertaken a comprehensive review of our servers, products, and client-owned servers under our management for risks associated with the Heartbleed bug. Here’s what you need to know:

-We have not found any vulnerability in our public-facing Web servers. We continue to monitor the product advisories of our major vendors for any potential issues.

-The vast majority of our released products, including MCP, OS 2200, Forward!, Stealth, and Choreographer, are not vulnerable to the Heartbleed bug. Two instances of potential vulnerabilities were found in add-on products; in those cases, we have done remediation efforts and notified clients.

-The vast majority of client-owned servers under our management are not affected by the Heartbleed bug. For servers that may have been affected, we have notified the client and after consulting with the client, we are in the process of patching those servers, changing the server side certificates and instructing users to change their passwords.

-Currently, only version 1.0.1 - 1.0.1f of the open-source SSL is affected. We have upgraded any client-owned servers under our management to version 1.0.1g. We recommend that you check the other servers that you manage.

-Our Security Services team can help you in this process and can also perform a penetration test to determine if you are vulnerable and help you contain any resulting damage.

We stand ready to assist you. Please contact your Unisys representative or service delivery manager to discuss your requirements or to order a penetration test.

We appreciate your business.

Unisys

Notified:  April 08, 2014 Updated: April 22, 2014

Statement Date:   April 09, 2014

Status

Affected

Vendor Statement

VMware has released product updates and patches for all affected products

listed in VMware Knowledge Base article 2076225.

Vendor Information

VMware Security Advisory VMSA-2014-0004 lists the updated products and
patch releases that address CVE-2014-0160 in VMware products and provides
references to specific product documentation.

Vendor References

• http://www.vmware.com/security/advisories/VMSA-2014-0004.html
• http://kb.vmware.com/kb/2076225

Notified:  April 08, 2014 Updated: April 11, 2014

Statement Date:   April 08, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Wind River has investigated its products regarding the heart blead vulnerability. The conclusion is:

VxWorks is not vulnerable.
WR Linux 3.x and 4.x are not vulnerable.
WR Linux 5.0.1.x is vulnerable if the optional openssl-1.0.1 package is installed.
WR Linux 6.0.0.x is vulnerable.
INP 3.4 is vulnerable.

Wind River customers can find additional information, e.g. fixes, at the online support web site https://support.windriver.com/

Vendor References

• https://support.windriver.com/