Unisys Information for VU#720951

OpenSSL TLS heartbeat extension read overflow discloses sensitive information

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Heartbleed bug – Public and Client Communication

Dear Unisys client,

Unisys prides itself on ensuring the mission-critical operations of our clients – and the security of your systems is a priority for us. I am writing to let you know how we are addressing any risks related to the Heartbleed bug that has been reported in the news and to provide you with information that may help you address your own risks.

Heartbleed is a software bug in the OpenSSL technology used to create a secure link over the Internet between a server and a computer asset such as a laptop or PC. The bug, which has existed for about two years but was only publicly disclosed last week, is believed to have affected a significant number of websites globally.

Unisys has undertaken a comprehensive review of our servers, products, and client-owned servers under our management for risks associated with the Heartbleed bug. Here’s what you need to know:

- We have not found any vulnerability in our public-facing Web servers. We continue to monitor the product advisories of our major vendors for any potential issues.

- The vast majority of our released products, including MCP, OS 2200, Forward!, Stealth, and Choreographer, are not vulnerable to the Heartbleed bug. Two instances of potential vulnerabilities were found in add-on products; in those cases, we have done remediation efforts and notified clients.

- The vast majority of client-owned servers under our management are not affected by the Heartbleed bug. For servers that may have been affected, we have notified the client and, after consulting with the client, we are in the process of patching those servers, changing the server-side certificates and instructing users to change their passwords.

- Currently, only versions 1.0.1 - 1.0.1f of the open-source SSL are affected. We have upgraded any client-owned servers under our management to version 1.0.1g. We recommend that you check the other servers that you manage.

- Our Security Services team can help you in this process and can also perform a penetration test to determine if you are vulnerable and help you contain any resulting damage.

We stand ready to assist you. Please contact your Unisys representative or service delivery manager to discuss your requirements or to order a penetration test.

We appreciate your business.

Unisys
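A defender-side triage screen for the version range the letter names (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g), added here as an example that is not part of the CERT note or of Unisys's own tooling: it parses `openssl version` banners and flags hosts whose reported release falls in that range. The inventory, hostnames and banners below are constructed for the example.

```python
import re
# Affected range as stated in the letter above: OpenSSL 1.0.1 through 1.0.1f
# inclusive; 1.0.1g is the fixed release. OpenSSL patch releases append a
# letter (1.0.1, 1.0.1a, ..., 1.0.1f, 1.0.1g), so the letter compares lexically.
AFFECTED_BASE = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner):
    """Parse `openssl version` output such as 'OpenSSL 1.0.1e 11 Feb 2013'.
    Returns (major, minor, fix, letter); letter is '' for a bare release like
    1.0.1, and suffixes such as '-fips' are ignored. Raises ValueError if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % banner)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter

def is_heartbleed_affected(banner):
    """True if the banner reports a release in the 1.0.1 .. 1.0.1f range."""
    major, minor, fix, letter = parse_openssl_version(banner)
    if (major, minor, fix) != AFFECTED_BASE:
        return False  # 0.9.8x and 1.0.0x are outside the range the letter names
    return letter <= LAST_AFFECTED_LETTER  # '' (bare 1.0.1) and 'a'..'f' match

def hosts_to_review(inventory):
    """Screen (hostname, banner) pairs and return hosts that need attention.
    Caveat: distributions backport fixes without changing the upstream version
    string, so a hit means 'inspect and confirm', not 'confirmed exposed';
    unparsable banners are reported too rather than silently skipped."""
    hits = []
    for host, banner in inventory:
        try:
            if is_heartbleed_affected(banner):
                hits.append(host)
        except ValueError:
            hits.append(host)
    return sorted(hits)

# Constructed sample inventory: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = [
    ("web-01.example.internal", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-02.example.internal", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("vpn-01.example.internal", "OpenSSL 1.0.1 14 Mar 2012"),
    ("legacy.example.internal", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("appliance.example.internal", "version unknown"),
]

if __name__ == "__main__":
    print("Hosts needing review:", hosts_to_review(SAMPLE_INVENTORY))
```

A version banner alone is a screening signal: confirm with the vendor's advisory or a patch-level check before treating a host as exposed, and remember that the letter's remediation also covers re-issuing server certificates and rotating passwords, not just the upgrade.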

Vendor References

None

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us an email.