AEP Networks

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apache HTTP Server Project

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apple

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

ARM mbed TLS

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

BoringSSL

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Botan

Notified:  November 15, 2017 Updated: November 20, 2017

Statement Date:   November 16, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Certicom

Notified:  December 12, 2017 Updated: December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Check Point Software Technologies

Updated:  December 14, 2017

Statement Date:   December 14, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cisco

Notified:  November 15, 2017 Updated: December 14, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco ACE is affected, and assigned CVE-2017-17428. Cisco ASA is affected and assigned CVE-2017-12373. Please see Cisco's security advisory for full vendor statement.

Vendor References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher

Citrix

Notified:  November 15, 2017 Updated: December 12, 2017

Statement Date:   December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Citrix NetScaler ADC and Gateway - CVE-2017-17382

Vendor References

https://support.citrix.com/article/CTX230238

CREDANT Technologies, Inc.

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cryptlib

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Crypto++ Library

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Dell EMC

Notified:  November 15, 2017 Updated: November 29, 2017

Statement Date:   November 28, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

EMC does not develop TLS stacks and so is unaffected.

Erlang

Updated:  December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

This vulnerability was assigned CVE-2017-1000385.

Vendor References

http://erlang.org/pipermail/erlang-questions/2017-November/094255.html
http://erlang.org/pipermail/erlang-questions/2017-November/094256.html
http://erlang.org/pipermail/erlang-questions/2017-November/094257.html

F5 Networks, Inc.

Notified:  November 15, 2017 Updated: November 20, 2017

Statement Date:   November 17, 2017

Status

  Affected

Vendor Statement

F5 Networks made a public announcement of this issue today as CVE-2017-6168 – please see https://support.f5.com/csp/article/K21905460

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.f5.com/csp/article/K21905460

Fortinet, Inc.

Updated:  December 22, 2017

Statement Date:   December 22, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

GnuPG

Notified:  December 12, 2017 Updated: December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

GnuTLS

Notified:  November 15, 2017 Updated: December 13, 2017

Statement Date:   December 13, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Google

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Go Programming Language

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IAIK Java Group

Notified:  November 15, 2017 Updated: December 06, 2017

Statement Date:   December 06, 2017

Status

  Not Affected

Vendor Statement

iSaSiLk TLS is not affected.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM, INC.

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Legion of the Bouncy Castle

Notified:  November 15, 2017 Updated: December 12, 2017

Statement Date:   December 12, 2017

Status

  Affected

Vendor Statement

BouncyCastle TLS servers, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, contained a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange was negotiated. This specifically includes servers using the BCJSSE provider in its default configuration.

Affected software:

bctls-fips-1.0.2.jar and earlier versions
bctls-jdk15on-1.58.jar and earlier versions

Note that the older TLS implementation (in the org.bouncycastle.crypto.tls package) is not vulnerable.

For FIPS users, the issue is fixed in bctls-fips-1.0.3.jar. We recommend all FIPS users upgrade as soon as possible.

For the regular API, version 1.59 containing the fix is expected to be available before the end of 2017. In the meantime, beta versions beginning with 1.59b09 contain the fix, and are available from https://downloads.bouncycastle.org/betas/ . We recommend users upgrade immediately to bctls-jdk15on-159b09.jar and then upgrade to the full 1.59 release as soon as it is available.

If continuing to deploy vulnerable versions, we strongly recommend disabling TLS cipher suites that use RSA key exchange.

Vendor Information

CVE-2017-13098 was assigned to BouncyCastle.

Vendor References

https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c

libgcrypt

Notified:  December 12, 2017 Updated: December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

LibreSSL

Notified:  December 12, 2017 Updated: December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

LibTom

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

MatrixSSL

Notified:  November 15, 2017 Updated: December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

MatrixSSL was previously known to be affected in versions prior to 3.8.3, and was assigned CVE-2016-6883.

Vendor References

https://github.com/matrixssl/matrixssl/blob/master/doc/CHANGES.md#changes-in-383

Micro Focus

Notified:  November 15, 2017 Updated: March 22, 2018

Statement Date:   March 22, 2018

Status

  Affected

Vendor Statement

Certain versions of Micro Focus Host Access Management and Security Server, Reflection for the Web, Reflection ZFE and Verastream Software Development Kit for Unisys and Airlines are affected by CVE-2017-13098. Updates which address the issue are available for these products. More information is available at https://support.microfocus.com/kb/doc.php?id=7022561.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.microfocus.com/kb/doc.php?id=7022561

Microsoft Corporation

Notified:  November 15, 2017 Updated: December 12, 2017

Statement Date:   December 12, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Microsoft is not affected in default configurations.

mod_ssl

Notified:  December 12, 2017 Updated: December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nettle

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenSSL

Notified:  November 15, 2017 Updated: November 20, 2017

Statement Date:   November 17, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Oracle Corporation

Notified:  November 15, 2017 Updated: December 18, 2017

Statement Date:   December 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

According to the reporter, Java/JSSE were previously known to be vulnerable in 2012 and were assigned CVE-2012-5081. We do not currently have any verification that CVE-2012-5081 was a Bleichenbacher-style vulnerability, but the vulnerability was resolved in 2012 in any case. Please ensure you are using a release of any products issued since 2012.

Vendor References

https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

Palo Alto Networks

Notified:  December 12, 2017 Updated: December 12, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

PGP Corporation

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

RSA Security LLC

Notified:  November 15, 2017 Updated: December 13, 2017

Statement Date:   November 28, 2017

Status

  Not Affected

Vendor Statement

RSA BSAFE TLS stacks are not vulnerable to the reported vulnerability.

Vendor Information

Please see the statement below. The URL requires RSA Link Support credentials.

Vendor References

https://community.rsa.com/docs/DOC-85268

s2n

Notified:  November 15, 2017 Updated: December 08, 2017

Statement Date:   December 07, 2017

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SafeNet

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Spyrus

Notified:  November 15, 2017 Updated: November 15, 2017

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

VMware

Updated:  March 22, 2018

Statement Date:   March 22, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The following products are NOT impacted; please see the vendor's security advisory for more information.

VMware ESXi
Site Recovery Manager
vCloud Director for Service Providers
vRealize Automation
vRealize Business for Cloud
vRealize Orchestrator
vRealize Operations

Vendor References

https://kb.vmware.com/s/article/53106

wolfSSL

Notified:  December 12, 2017 Updated: December 12, 2017

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Assigned CVE-2017-13099

Vendor References

https://github.com/wolfSSL/wolfssl/pull/1229