Brocade Information for VU#720951
OpenSSL TLS heartbeat extension read overflow discloses sensitive information
Vendor Information
- Date Notified:
- Statement Date:
- Date Updated: 11 Apr 2014
No statement is currently available from the vendor regarding this vulnerability.
TECHNICAL SUPPORT BULLETIN
April 10, 2014
TSB 2014-185-A
SEVERITY: Low - Information
All Brocade products, including Vyatta
CORRECTED IN RELEASE:
All current releases of Brocade products, including Vyatta
The purpose of this bulletin is to provide information regarding the recently
disclosed vulnerability in the OpenSSL protocol documented by CVE-2014-0160 and
also known as "The Heartbleed bug." This vulnerability takes advantage of the
heartbeat extensions to the OpenSSL protocol (RFC6520).
Brocade's family of IP products ADX, FCX, ICX, MLX, MLX-E, XMR, CES, CER, RX,
SX, VDX offering ServerIron, FastIron, NetIron, RX, Network OS, Brocade Network
Advisor, Vyatta and vADX software and SAN products offering FOS software do not
make use of the heartbeat extensions and hence are not vulnerable to the
exploit documented in CVE-2014-0160.
In addition, the MyBrocade.com web site does not use OpenSSL and is not
vulnerable to this issue.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not
properly handle Heartbeat Extension packets, which allows remote attackers to
obtain sensitive information from process memory via crafted packets that
trigger a buffer over-read, as demonstrated by reading private keys, related to
d1_both.c and t1_lib.c, aka the Heartbleed bug.
There is no risk using Brocade products.
No workaround is necessary.
There are no additional comments at this time.