000027874 - KB-1707 Does 'Heartbleed' impact Aveksa ACM / RSA IAM?

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000027874
Applies To: All Versions
Heartbleed, OpenSSL
RSA Identity Management and Governance
Issue: Several Internet websites provide information about the 'Heartbleed' vulnerability. This is a summary of one noted on Wikipedia: 'Heartbleed' is a security bug in the open-source OpenSSL cryptography library, which is widely used to implement the Internet's Transport Layer Security (TLS) protocol. Heartbleed results from improper input validation (due to a missing bounds check) in the implementation of the Transport Layer Security (TLS) heartbeat extension, the heartbeat being behind the bug's name. This vulnerability is classified as a buffer over-read. A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, only about 17% of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords.
Resolution

RSA is aware of this issue and working with Product Organizations to investigate the issue and identify the impact.
The impact of this vulnerability on RSA products may vary depending on the affected product.

RSA has confirmed that RSA Aveksa ACM / IAM is not affected by this vulnerability.

Please refer to the attached document for a more complete listing of RSA products and potential impact.

We will continue to update the information as our review and remediation continue, using our standard customer communication channels (including Security Advisories).

References to various sources of information related to this vulnerability:



- Original disclosure: http://heartbleed.com/
  OpenSSL versions 1.0.1 through 1.0.1f are indicated to be vulnerable to the Heartbeat vulnerability (CVE-2014-0160).
- For information on the Red Hat update packages that remediate this vulnerability, labeled with version openssl-1.0.1e-16.el6_5.7:
  https://rhn.redhat.com/errata/RHSA-2014-0376.html
  https://access.redhat.com/site/solutions/781793
- US CERT: http://www.kb.cert.org/vuls/id/720951
- NVD: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160&cid=2
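
The version range and the Red Hat package listed in the references above can be turned into a host check. The following is an added example, not RSA or Red Hat code: it classifies an upstream OpenSSL version string and a RHEL 6 `rpm -q openssl` result, where the upstream number stays at 1.0.1e and only the package release shows whether the fix is present. The function names, the simplified RPM release comparison and the sample package strings are assumptions made for illustration.

```python
import re

# Release field of the fixed package named on this page:
# openssl-1.0.1e-16.el6_5.7 (RHSA-2014-0376).
FIXED_EL6_RELEASE = "16.el6_5.7"

def upstream_vulnerable(version):
    """True if an upstream OpenSSL version lies in 1.0.1 through 1.0.1f."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    base, letter = m.groups()
    return base == "1.0.1" and letter <= "f"

def _release_key(release):
    """Simplified rpmvercmp key (assumption): numeric segments compare as
    integers and sort above alphabetic ones; '.' and '_' only separate."""
    return [(1, int(s)) if s.isdigit() else (0, s)
            for s in re.findall(r"\d+|[A-Za-z]+", release)]

def el6_package_vulnerable(package):
    """Classify `rpm -q openssl` output from a RHEL 6 host."""
    m = re.fullmatch(r"openssl-([^-]+)-(.+?)(?:\.(?:x86_64|i686))?", package)
    if not m or ".el6" not in m.group(2):
        raise ValueError(f"not a RHEL 6 openssl package: {package!r}")
    version, release = m.groups()
    if not upstream_vulnerable(version):
        return False
    if version != "1.0.1e":
        return True  # the page names a backported fix for 1.0.1e only
    # The upstream string still reads 1.0.1e after patching, so the
    # package release decides; 5.14 must sort above 5.7, not below it.
    return _release_key(release) < _release_key(FIXED_EL6_RELEASE)

if __name__ == "__main__":
    # Constructed sample inputs, not output captured from real hosts.
    for v in ("1.0.0", "1.0.1", "1.0.1f", "1.0.1g"):
        print(v, "vulnerable" if upstream_vulnerable(v) else "not in range")
    for p in ("openssl-1.0.1e-15.el6", "openssl-1.0.1e-16.el6_5.4.x86_64",
              "openssl-1.0.1e-16.el6_5.7", "openssl-1.0.1e-16.el6_5.14"):
        print(p, "vulnerable" if el6_package_vulnerable(p) else "fixed")
```

A host that has installed the fixed package still needs every service linked against OpenSSL restarted before the patched library is actually in use.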

Notes: Does 'Heartbleed' impact Aveksa ACM / RSA IAM?
Legacy Article ID: a66706
