CTComp has been aware of the OpenSSL vulnerability known as HeartBleed since it was made public on April 8th (https://www.us-cert.gov/ncas/alerts/TA14-098A). The vulnerability is in the code for OpenSSL versions 1.0.1 through 1.0.1f (inclusive). The main issue is that various operating systems, web servers, and network appliances may use this code in their software. We are currently researching the implications of this vulnerability to the products that we support. The only ways to mitigate the risk presented by the HeartBleed vulnerability are to either completely segregate the affected device from the Internet or wait for the manufacturer to provide a patch for the affected system(s). Our research up to this point has found the following:
– Microsoft OWA (Outlook Web Access) and Exchange are NOT affected by this vulnerability.
– Citrix Secure Gateway and Citrix Web Interface sites running on Microsoft IIS web servers are NOT affected by this vulnerability. http://support.citrix.com/article/CTX140605
– VMWare ESXi 5.5 is affected by this vulnerability; however, previous versions of VMWare ESXi/ESX are NOT affected by this vulnerability. VMWare plans on releasing updates by 4/19. The risk in this case is mitigated by the fact that ESXi servers are not published to the Internet via SSH or SSL when installed by CTComp. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225
– Symantec Endpoint Protection Management Consoles 12.1 RU2 through 12.1 RU4 MP1 (inclusive) are affected by this vulnerability; however, the risk is mitigated by the fact that SEPM consoles are not published to the Internet when installed by CTComp. http://www.symantec.com/business/support/index?page=content&id=TECH216558
– TrendMicro’s investigations have not found any vulnerable products to date. http://esupport.trendmicro.com/solution/en-US/1103084.aspx
– Cisco IOS and ASA are not vulnerable. Cisco is currently working on addressing the impact of this vulnerability on other products and will continue to post details here: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
– Cisco AnyConnect Client for Apple iOS is affected – update your Apple iOS with the patch that came out 4/11 to mitigate the vulnerability. AnyConnect Client on Windows and Android is not affected.
– Most Linux-based operating systems are affected by this vulnerability, so any network appliance you might be running that is based on the Linux OS might be affected as well. We are currently researching the various appliances that we support.
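Because the affected range above is defined purely by the OpenSSL version (1.0.1 through 1.0.1f inclusive), a first triage step on any Linux host or appliance you can reach with a shell is to classify the banner that `openssl version` prints. The script below is an added example written for this page, not CTComp's or any vendor's tooling; the function name `heartbleed_version_affected` and the sample banners are constructed for illustration. One caveat it encodes: several distributions backported the fix without bumping the version letter, so a banner in the affected range means "investigate", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the CTComp notice): classify an `openssl version`
# banner against the affected range, OpenSSL 1.0.1 through 1.0.1f inclusive.
# Caveat: some distributions ship a patched build that still reports e.g.
# "1.0.1e", so a match here is a prompt to check the package changelog or the
# vendor advisory, not proof that the host is exploitable.

# heartbleed_version_affected BANNER
#   BANNER is the full output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
#   Returns 0 (true) when the version falls in 1.0.1 .. 1.0.1f, 1 otherwise.
heartbleed_version_affected() {
    # Extract the version token (digits, dots, optional letter suffix); the
    # pattern also copes with suffixes such as "1.0.1e-fips".
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1)       return 0 ;;   # 1.0.1 with no letter suffix
        1.0.1[a-f])  return 0 ;;   # 1.0.1a .. 1.0.1f
        *)           return 1 ;;   # anything else is outside the range this notice covers
    esac
}

# check_local_openssl: run the classification against the binary on PATH, if any.
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version)
        if heartbleed_version_affected "$banner"; then
            echo "IN AFFECTED RANGE (verify vendor patch status): $banner"
        else
            echo "not in affected range: $banner"
        fi
    else
        echo "openssl binary not found on PATH"
    fi
}

# Constructed sample banners, useful for exercising the function without a live host.
heartbleed_version_affected "OpenSSL 1.0.1e 11 Feb 2013" && echo "1.0.1e: in range"
heartbleed_version_affected "OpenSSL 1.0.1g 7 Apr 2014" || echo "1.0.1g: not in range"
```

Run `check_local_openssl` on each host, and treat an "in range" result as the trigger to consult the vendor links above or your distribution's changelog, since a patched build may keep the old version string.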
The bottom line is that you must wait until the vendor releases a patch/upgrade for the affected software. CTComp recommends that every system for which a security patch has been released be patched. If your Master Agreement includes yearly updates or patching for an affected product, CTComp will automatically create a ticket to patch your affected system. If your product is not included in the Master Agreement, you would need to patch the system yourself or place a service call to update your affected system. If you would like to speak to someone in service regarding your specific needs, feel free to create a service ticket (Service@ctcomp.com) and we will have a technician follow up with you.
Revision 1.0 4/11/2014 – Initial Notice posted to CTComp Customers – Email sent to clients to refer to this page 4:54pm
Revision 1.1 4/14/2014 – Updated VMware and Cisco Information, added bottom line paragraph to further explain the mitigation.