000017365 - OpenSSL Multiple Vulnerabilities in RSA products

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 4.

Article Content

Article Number: 000017365
Applies To: OpenSSL Vulnerability

Issue

OpenSSL Multiple Vulnerabilities in RSA products

Cause

EMC CONFIDENTIAL - SUBJECT TO CONFIDENTIALITY PROVISIONS IN LICENSE AGREEMENT


Impact: The OpenSSL project released a security advisory on June 5, 2014 disclosing multiple vulnerabilities in OpenSSL. It can be found at https://www.openssl.org/news/secadv_20140605.txt


These issues have the following CVEs:

  • SSL/TLS MITM vulnerability - CVE-2014-0224
  • DTLS recursion flaw - CVE-2014-0221
  • DTLS invalid fragment vulnerability - CVE-2014-0195
  • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference - CVE-2014-0198
  • SSL_MODE_RELEASE_BUFFERS session injection or denial of service - CVE-2010-5298
  • Anonymous ECDH denial of service - CVE-2014-3470
  • FLUSH+RELOAD cache side-channel attack - CVE-2014-0076

These issues apply to:

  • OpenSSL versions prior to 0.9.8za
  • OpenSSL version 1.0.0 prior to version 1.0.0m
  • OpenSSL version 1.0.1 prior to version 1.0.1h
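As an added example (not part of the original article), the following Python script checks `openssl version` banners against the three affected ranges listed above. The trap it handles is OpenSSL's letter-suffix scheme, where 0.9.8za is newer than 0.9.8z, so a naive numeric or length-based comparison misclassifies the fixed release; the hostnames in the inventory are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges exactly as the advisory text above states them: everything
# before 0.9.8za, the 1.0.0 branch before 1.0.0m, the 1.0.1 branch before 1.0.1h.
FIXED_RELEASES = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

# Matches "1.0.1g" inside strings such as "OpenSSL 1.0.1g 7 Apr 2014" or "1.0.1e-fips".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, fix, letters) from a banner, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_affected(text: str) -> bool:
    """True when the version in `text` falls inside one of the listed ranges."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = parsed
    base = (major, minor, fix)
    if base < (0, 9, 8):
        return True  # older than the 0.9.8 series, hence prior to 0.9.8za
    if base not in FIXED_RELEASES:
        return False  # branch not named in this advisory (e.g. 1.0.2 betas)
    # OpenSSL patch letters sort as plain strings: '' < 'a' < ... < 'z' < 'za' < 'zb'.
    return letters < FIXED_RELEASES[base]


# Constructed sample inventory (hostname<TAB>`openssl version` output); hosts are made up.
SAMPLE_INVENTORY = """\
web01\tOpenSSL 1.0.1g 7 Apr 2014
web02\tOpenSSL 1.0.1h 5 Jun 2014
legacy1\tOpenSSL 0.9.8y 5 Feb 2013
legacy2\tOpenSSL 0.9.8za 5 Jun 2014
"""


def triage(inventory: str) -> Dict[str, bool]:
    """Map each host in the inventory to whether its OpenSSL is in an affected range."""
    result: Dict[str, bool] = {}
    for line in inventory.splitlines():
        host, _, banner = line.partition("\t")
        result[host] = is_affected(banner)
    return result
```

Feed it the output of `openssl version` collected from each host; any host reported as affected should be matched against the product table below rather than treated as a finding on its own.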
Resolution

Resolution: RSA is aware of this issue and working with product organizations to investigate the issue and identify the impact. The impact of these vulnerabilities on RSA products may vary depending on the affected product.

This table will be updated as additional information becomes available.


RSA Product Name | Versions | Impact | Comment
3D Secure | ALL Supported | No Impact |
Access Manager | ALL Supported | No Impact |
Adaptive Authentication Hosted | ALL Supported | No Impact |
Adaptive Authentication On Prem | ALL Supported | No Impact |
Archer | ALL Supported | No Impact |
Authentication Manager | 5.x, 6.x, 7.x | No Impact |
Authentication Manager | 8.x | Impacted | Only customers with Read-Only DB access are impacted and at low risk
Aveksa | ALL Supported | No Impact |
Aveksa StealthAUDIT | | Impacted | Remediation plan in progress
BSAFE | ALL Supported | No Impact |
Data Loss Protection | 9.6.x | Impacted | Remediation plan in progress
Data Protection Manager | ALL Supported | No Impact |
Digital Certificate Server | ALL Supported | No Impact |
ECAT | ALL Supported | No Impact |
enVision | ALL Supported | No Impact |
Federated Identity Manager | ALL Supported | No Impact |
FraudAction | ALL Supported | No Impact |
Netwitness | 9.6, 9.7 | No Impact |
Netwitness | 9.8.x | Impacted | Remediation plan in progress
RSA Live Infrastructure | ALL Supported | Impacted | Remediated
SecurID 700 Hardware Token | ALL Supported | No Impact |
SecurID 800 Hardware Token | ALL Supported | No Impact |
SecurID Agent for PAM | ALL Supported | No Impact |
SecurID Agent for UNIX | ALL Supported | No Impact |
SecurID Agent for Web | ALL Supported | No Impact |
SecurID Agent for Windows | ALL Supported | No Impact |
SecurID Authentication Client | ALL Supported | No Impact |
SecurID Authentication Engine | ALL Supported | No Impact |
SecurID Authentication SDK | ALL Supported | No Impact |
SecurID Software Token Converter | ALL Supported | No Impact |
SecurID Software Token for Android | ALL Supported | No Impact |
SecurID Software Token for Blackberry | ALL Supported | No Impact |
SecurID Software Token for Desktop | ALL Supported | No Impact |
SecurID Software Token for iPhone | ALL Supported | No Impact |
SecurID Software Token for Windows Mobile | ALL Supported | No Impact |
SecurID Software Token Toolbar | ALL Supported | No Impact |
SecurID Software Token Web SDK | ALL Supported | No Impact |
SecurID Transaction Signing SDK | ALL Supported | No Impact |
Security Analytics | 10.0.x-10.3.x | Impacted | Remediation plan in progress
Security Analytics (Windows Legacy Collector) | ALL Supported | Impacted | Remediation plan in progress
Web Threat Detection (Silvertail) | ALL Supported | No Impact |


 
Legacy Article ID: a66169
