Notified:  September 30, 2003 Updated: October 22, 2003

Status

Affected

Vendor Statement

Check Point products are vulnerable to: VU#732952 09/04/2003 OpenSSL accepts unsolicited client certificate messages VU#380864 09/30/2003 OpenSSL contains integer overflow handling ASN.1 tags (2) VU#255484 09/30/2003 OpenSSL contains integer overflow handling ASN.1 tags (1) A fix will be released by Oct 27th 2003. Check Point products are not vulnerable to: VU#686224 09/30/2003 OpenSSL does not securely handle invalid public key when configured to ignore errors VU#935264 09/30/2003 OpenSSL ASN.1 parser insecure memory deallocation

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 02, 2003

Status

Affected

Vendor Statement

Please see .

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Notified:  September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Cray Inc. supports OpenSSL through its Cray Open Software (COS) package. The OpenSSL version in COS 3.4 and earlier is vulnerable. Spr 726919 has been opened to address this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 08, 2003

Status

Affected

Vendor Statement

Corrected OpenSSL packages are available in Debian Security Advisory 393, at http://www.debian.org/security/2003/dsa-393

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

F5 products BIG-IP, 3-DNS, ISMan and Firepass are vulnerable. F5 will have ready security patches for each of these products. Go to ask.f5.com for the appropriate security response instructions for your product.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: November 11, 2003

Status

Affected

Vendor Statement

Hitachi Web Server is Vulnerable to this issue. Impact is limited to Denial of Service, but process will re-start automatically. Fixes for this issue which will be available shortly. Hitachi GR2000 gigabit router series are NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

[AIX] The AIX Security Team is aware of the issues discussed in CERT Vulnerability Notes VU#255484, VU#380864, VU#686224, VU#935264 and VU#732952. OpenSSL is available for AIX via the AIX Toolbox for Linux. Please note that the Toolbox is made available "as-is" and is unwarranted. The Toolbox ships with OpenSSL 0.9.6g which is vulnerable to the issues referenced above. A patched version of OpenSSL will be provided shortly and this vendor statement will be updated at that time. Please note that OpenSSH, which is made available through the Expansion Pack is not vulnerable to these issues. [eServer] IBM eServer Platform Response For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID= In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to http://app-06.www.ibm.com/servers/resourcelink and follow the steps for registration. All questions should be refered to servsec@us.ibm.com.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Ingrian Networks is aware of this vulnerablity and will issue a security advisory when our investigation is complete.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

The OpenSSL code included in domestic versions of JUNOS Internet Software that runs on all M-series and T-series routers is susceptible to these vulnerabilities. The SSL library included in Releases 2.x and 3.x of SDX provisioning software for E-series routers is susceptible to these vulnerabilities. Solution Implementation Corrections for all the above vulnerabilities are included in all versions of JUNOS built on or after October 2, 2003. Customers should contact Juniper Networks Technical Assistance Center (JTAC) for instructions on obtaining and installing the corrected code. SDX software built on or after October 2, 2003, contain SSL libraries with corrected code. Contact JTAC for instructions on obtaining and installing the corrected code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

The vulnerabilities referenced by VU#255484, VU#380864, and VU#935264 have been corrected by packages released in our MDKSA-2003:098 advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 24, 2003

Status

Affected

Vendor Statement

The SSL implementation of the following Nortel Networks products is based on OpenSSL and may be affected by the vulnerabilities identified in NISCC Vulnerability Advisory 006489/OpenSSL: Alteon Switched Firewall Alteon iSD - SSL Accelerator Contivity Succession Communication Server 2000 - Compact (CS2K - Compact) Preside Service Provisioning Other Nortel Networks products with SSL implementations are being reviewed and this Vendor Statement may be revised. For more information please contact North America: 1-800-4NORTEL or 1-800-466-7835 Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009 Contacts for other regions are available at http://www.nortelnetworks.com/help/contact/global/ Or visit the eService portal at http://www.nortelnetworks.com/cs under Advanced Search. If you are a channel partner, more information can be found under http://www.nortelnetworks.com/pic under Advanced Search

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Novell is reviewing our application portfolio to identify products affected by the vulnerabilities reported by the NISCC. We have the patched OpenSSL code and are reviewing and testing it internally, and preparing patches for our products that are affected. We expect the first patches to become available via our Security Alerts web site (http://support.novell.com/security-alerts) during the week of 6 Oct 2003. Customers are urged to monitor our web site for patches to versions of our products that they use and apply them expeditiously.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Red Hat distributes OpenSSL 0.9.6 in various Red Hat Linux distributions and with the Stronghold secure web server. Updated packages which contain backported patches for these issues are available along with our advisories at the URL below. Users of the Red Hat Network can update their systems using the 'up2date' tool. Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2003-293.html Red Hat Linux 7.1, 7.2, 7.3, 8.0: http://rhn.redhat.com/errata/RHSA-2003-291.html Stronghold 4 cross-platform: http://rhn.redhat.com/errata/RHSA-2003-290.html Red Hat distributes OpenSSL 0.9.7 in Red Hat Linux 9. Updated packages which contain backported patches for these issues are available along with our advisory at the URL below. Users of the Red Hat Network can update their systems using the 'up2date' tool. Red Hat Linux 9: http://rhn.redhat.com/errata/RHSA-2003-292.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 22, 2003

Status

Affected

Vendor Statement

The issues raised in this vulnerability report have been analysed in terms of impact on RSA BSAFE SSL-C, RSA BSAFE SSL-C Micro Edition, and RSA BSAFE Cert-C Micro Edition. None of these issues have been determined by RSA Security to be security critical, the products are either not impacted by the vulnerabilities raised or the impact is limited to additional Denial of Sevice opportunities. As part of RSA Security standard product support lifecycle, fixes for those vulnerabilities which are relevant for each product listed will be incorporated in the next maintenance release. RSA Security customers with current support and maintenance contracts may request a software upgrade for new product versions online at .

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Notified:  September 30, 2003 Updated: October 03, 2003

Status

Affected

Vendor Statement

We are aware of the issue and are diligently working on a fix. [CSSA-2003-SCO.25]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 15, 2003

Status

Affected

Vendor Statement

Sidewinder(r) and Sidewinder G2 Firewall(tm) (including all appliances) Sidewinder v5.x and Sidewinder G2 v6.x are not vulnerable to the arbitrary code execution attacks described in this advisory. The Sidewinder's embedded Type Enforcement technology strictly limits the capabilities of each component which implements SSL. Any attempt to exploit this vulnerability in the SSL library code running on the firewall results in an automatic termination of the attacker's connection and multiple Type Enforcement alarms. Any component attacked by the denial of service (DOS) attacks described in this advisory is automatically restarted by the firewall's watchdog process without interuption of any active connections. However, under some circumstances this DOS could cause a delay in managing the firewall. To mitigate this inconvenience, customers should contact Secure Computing Customer Support. Gauntlet(tm) & e-ppliance Gauntlet and e-ppliance do not include any components based on OpenSSL, and are thus immune to these vulnerabilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

SGI acknowledges receiving the vulnerabilities reported by CERT and NISCC. CAN-2003-0543 [VU#255484], CAN-2003-0544 [VU#380864] and CAN-2003-0545 [VU#935264] have been addressed by SGI Security Advisory 20030904-01-P: ftp://patches.sgi.com/support/free/security/advisories/20030904-01-P.asc No further information is available at this time. For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported SGI operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on http://www.sgi.com/support/security/

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Stonesoft has published a security advisory that addresses the issues in vulnerability notes VU#255484 and VU#104280. The advisory is at http://www.stonesoft.com/document/art/3040.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Stunnel requires the OpenSSL libraries for compilation (POSIX) or OpenSSL DLLs for runtime operation (Windows). While Stunnel itself is not vulnerable, it's dependence on OpenSSL means that your installation likely is vulnerable. If you compile from source, you need to install a non-vulnerable version of OpenSSL and recompile Stunnel. If you use the compiled Windows DLLs from stunnel.org, you should download new versions which are not vulnerable. OpenSSL 0.9.7c DLLs are available at http://www.stunnel.org/download/stunnel/win32/openssl-0.9.7c/ No new version of Stunnel source or executable will be made available, because the problems are inside OpenSSL -- Stunnel itself does not have the vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 24, 2003

Status

Affected

Vendor Statement

Sun is currently investigating Solaris 7, 8, and 9 to determine the full potential impact of these SSL/TLS vulnerabilities. The Solaris Secure Shell daemon, sshd(1M), shipped with Solaris 9, is not affected by these vulnerabilities. Java Secure Sockets Extension 1.0.x and J2SE 1.4.x are also not affected. Sun Linux and Sun Cobalt both ship vulnerable versions of OpenSSL, a Sun Alert has been published here: http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/57100

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Notified:  September 30, 2003 Updated: October 02, 2003

Status

Affected

Vendor Statement

All SuSE products are affected. Update packages are being tested and will be published on Wednesday, October 1st. [SuSE-SA:2003:043]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.