Brocade Information for VU#720951

OpenSSL TLS heartbeat extension read overflow discloses sensitive information

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

TECHNICAL SUPPORT BULLETIN
April 10, 2014
________________________________________
TSB 2014-185-A SEVERITY:  Low - Information
________________________________________
PRODUCTS AFFECTED:
All Brocade products, including Vyatta

CORRECTED IN RELEASE:
All current releases of Brocade products, including Vyatta

BULLETIN OVERVIEW

The purpose of this bulletin is to provide information regarding the recently
disclosed vulnerability in the OpenSSL protocol documented by CVE-2014-0160 and
also known as "The Heartbleed bug."  This vulnerability takes advantage of the
heartbeat extensions to the OpenSSL protocol (RFC6520).

Brocade's family of IP products ADX, FCX, ICX, MLX, MLX-E, XMR CES, CER, RX,
SX, VDX offering ServerIron, FastIron, NetIron, RX, Network OS, Brocade Network
Advisor, Vyatta and vADX software and SAN products offering FOS software do not
make use of the heartbeat extensions and hence are not vulnerable to the
exploit documented in CVE-2014-0160.
In addition, the MyBrocade.com web site does not use OpenSSL and is not
vulnerable to this issue.


PROBLEM STATEMENT
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not
properly handle Heartbeat Extension packets, which allows remote attackers to
obtain sensitive information from process memory via crafted packets that
trigger a buffer over-read, as demonstrated by reading private keys, related to
d1_both.c and t1_lib.c, aka the Heartbleed bug.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

RISK ASSESSMENT
There is no risk using Brocade products.

SYMPTOMS
Not applicable.

WORKAROUND
No workaround is necessary.

CORRECTIVE ACTION
Not applicable.

Vendor References

None

Addendum

There are no additional comments at this time.
