ACCESS

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Alcatel-Lucent

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Amazon

Updated:  April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/

Addendum

There are no additional comments at this time.

Apple Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Arch Linux

Updated:  April 15, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://bugs.archlinux.org/task/39775

Addendum

There are no additional comments at this time.

Aruba Networks, Inc.

Updated:  April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.arubanetworks.com/support/alerts/aid-040814.asc

Addendum

There are no additional comments at this time.

AT&T

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Attachmate

Updated:  April 29, 2014

Status

  Affected

Vendor Statement

Some Attachmate products with specific versions are affected by the CVE-2014-0160 OpenSSL 'Heartbleed' vulnerability when TLS protocol connections are used. All affected products now have either new versions or hot fixes available.

Attachmate maintains the following technical note about affected and non-vulnerable versions: http://support.attachmate.com/techdocs/2724.html

In addition, Security Updates technical notes are also available for specific products:

- Security Updates and Reflection for the Web or Reflection Security Gateway: http://support.attachmate.com/techdocs/1704.html
- Security Updates and Reflection: http://support.attachmate.com/techdocs/1708.html
- Security Updates and Reflection for Secure IT: http://support.attachmate.com/techdocs/2288.html
- Security Updates and EXTRA!: http://support.attachmate.com/techdocs/2501.html
- Security Updates and Reflection 2014 or Reflection 2011: http://support.attachmate.com/techdocs/2502.html
- Security Updates and INFOConnect: http://support.attachmate.com/techdocs/2546.html
- Security Updates and Verastream: http://support.attachmate.com/techdocs/2700.html

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.attachmate.com/techdocs/2724.html
http://support.attachmate.com/techdocs/1704.html
http://support.attachmate.com/techdocs/1708.html
http://support.attachmate.com/techdocs/2288.html
http://support.attachmate.com/techdocs/2501.html
http://support.attachmate.com/techdocs/2502.html
http://support.attachmate.com/techdocs/2546.html
http://support.attachmate.com/techdocs/2700.html

Addendum

There are no additional comments at this time.

Avaya, Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Barracuda Networks

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Bee Ware

Updated:  April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

i-Suite versions 5.4.0 and above, up to version 5.5.4, are vulnerable. Versions 5.2.8 and 5.3.x are not vulnerable.

Vendor References

http://documentation.bee-ware.net/display/SECU/CVE-2014-0160+-+OpenSSL+Heartbleed+Bug

Addendum

There are no additional comments at this time.

Belkin, Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Blue Coat Systems

Notified:  April 08, 2014 Updated: April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://kb.bluecoat.com/index?page=content&id=SA79

Addendum

There are no additional comments at this time.

Brocade

Updated:  April 11, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

TECHNICAL SUPPORT BULLETIN
April 10, 2014
TSB 2014-185-A
SEVERITY: Low - Information
PRODUCTS AFFECTED: All Brocade products, including Vyatta
CORRECTED IN RELEASE: All current releases of Brocade products, including Vyatta

BULLETIN OVERVIEW
The purpose of this bulletin is to provide information regarding the recently disclosed vulnerability in the OpenSSL protocol documented by CVE-2014-0160 and also known as "The Heartbleed bug." This vulnerability takes advantage of the heartbeat extensions to the OpenSSL protocol (RFC6520). Brocade's family of IP products ADX, FCX, ICX, MLX, MLX-E, XMR CES, CER, RX, SX, VDX offering ServerIron, FastIron, NetIron, RX, Network OS, Brocade Network Advisor, Vyatta and vADX software and SAN products offering FOS software do not make use of the heartbeat extensions and hence are not vulnerable to the exploit documented in CVE-2014-0160. In addition, the MyBrocade.com web site does not use OpenSSL and is not vulnerable to this issue.

PROBLEM STATEMENT
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

RISK ASSESSMENT
There is no risk using Brocade products.

SYMPTOMS
Not applicable.

WORKAROUND
No workaround is necessary.

CORRECTIVE ACTION
Not applicable.

Addendum

There are no additional comments at this time.

CA Technologies

Notified:  April 08, 2014 Updated: April 25, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={967F13F1-5720-4592-9BEB-42AD69EA14DC}
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={7EBD736F-0227-4AEB-A7A9-9C5A4EA449C3}

Addendum

There are no additional comments at this time.

Charlotte's Web Networks

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Check Point Software Technologies

Notified:  April 08, 2014 Updated: April 09, 2014

Statement Date:   April 08, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100173

Addendum

There are no additional comments at this time.

Cisco Systems, Inc.

Notified:  April 08, 2014 Updated: April 10, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

Addendum

There are no additional comments at this time.

Cray Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Debian GNU/Linux

Notified:  April 08, 2014 Updated: April 08, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.debian.org/security/2014/dsa-2896

Addendum

There are no additional comments at this time.

D-Link Systems, Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

DragonFly BSD Project

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

EfficientIP

Updated:  April 09, 2014

Statement Date:   April 09, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Our system uses FreeBSD 9.2 as its basis, and the OpenSSL version shipped with this version (0.9.8y) is stated not to be affected.

Addendum

There are no additional comments at this time.

EMC Corporation

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Engarde Secure Linux

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Enterasys Networks

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Ericsson

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

eSoft, Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Extreme Networks

Notified:  April 08, 2014 Updated: April 16, 2014

Status

  Affected

Vendor Statement

The following products and versions are affected by the VU#720951 OpenSSL vulnerability.

- ExtremeXOS version 15.4.1.x - A patch update for ExtremeXOS 15.4.1.3-patch1-10 or higher is available for download.
- 64 bit (Ubuntu) NetSight Appliance version 4.4, 5.0, 5.1 and 6.0 - A patch update is currently available for 4.4, 5.0, 5.1 and 6.0.
- 64 bit (Ubuntu) NAC Appliance version 5.0, 5.1 and 6.0 - A patch update is currently available for 5.0, 5.1 and 6.0.
- 64 bit (Ubuntu) Purview Appliance version 6.0 - A patch update is currently available.

Note: Please contact the Extreme Networks Global Technical Assistance Center (GTAC) for access to the patch in the event it is not found on the Extreme Networks support site.

Extreme Networks has also published the below advisory on its website. Please refer to the same for additional information.
http://learn.extremenetworks.com/rs/extreme/images/CERT_VU%23720951_Vulnerability_Advisory_04_11_2014v2.pdf

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://learn.extremenetworks.com/rs/extreme/images/CERT_VU%23720951_Vulnerability_Advisory_04_11_2014v2.pdf

Addendum

There are no additional comments at this time.

F5 Networks, Inc.

Notified:  April 08, 2014 Updated: April 09, 2014

Statement Date:   April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217

Addendum

There are no additional comments at this time.

Fedora Project

Notified:  April 08, 2014 Updated: April 08, 2014

Statement Date:   April 08, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://rhn.redhat.com/errata/RHSA-2014-0376.html

Addendum

There are no additional comments at this time.

Force10 Networks, Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Fortinet, Inc.

Notified:  April 08, 2014 Updated: April 09, 2014

Statement Date:   April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We have determined that the following products are vulnerable:

- FortiGate (FortiOS) 5.0 and higher
- FortiAuthenticator 3.0 and higher
- FortiMail 5.0 and higher
- FortiVoice (all versions)
- FortiRecorder (all versions)

Vendor References

http://www.fortiguard.com/advisory/FG-IR-14-011/

Addendum

There are no additional comments at this time.

Foundry Networks, Inc.

Notified:  April 08, 2014 Updated: April 11, 2014

Statement Date:   April 09, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

No Brocade (Foundry) products are affected by this vulnerability.

Addendum

Foundry was purchased by Brocade.

FreeBSD Project

Notified:  April 08, 2014 Updated: April 09, 2014

Statement Date:   April 08, 2014

Status

  Affected

Vendor Statement

FreeBSD 10.0-RELEASE, 10.0-STABLE and 11.0-CURRENT have been patched for this issue (CVE-2014-0160/VU #720951), both in source and binary (via freebsd-update) forms. Earlier FreeBSD releases are not affected by this issue.

Vendor References

http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc

Addendum

There are no additional comments at this time.

Fujitsu

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Gentoo Linux

Notified:  April 08, 2014 Updated: April 08, 2014

Statement Date:   April 08, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.gentoo.org/security/en/glsa/glsa-201404-07.xml

Addendum

There are no additional comments at this time.

Global Technology Associates, Inc.

Notified:  April 08, 2014 Updated: April 23, 2014

Statement Date:   April 23, 2014

Status

  Affected

Vendor Statement

We have determined that GTA firewalls running the following versions of GB-OS are vulnerable and should be upgraded to the indicated version.

- GB-OS version 6.1.0 to 6.1.5 are vulnerable and should upgrade to GB-OS 6.1.6
- GB-OS version 6.0.0 to 6.0.7 are vulnerable and should upgrade to GB-OS 6.0.8

Customers using GTA firewalls with an unsupported version of GB-OS should upgrade to a currently supported version.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Google

Notified:  April 08, 2014 Updated: April 23, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html
https://groups.google.com/forum/?_escaped_fragment_=topic/mod-spdy-discuss/EwCowyS1KTU#!topic/mod-spdy-discuss/EwCowyS1KTU

Addendum

mod_spdy is affected, as are some versions of the Google Search Appliance. GSA 7.0.14.G.212 addresses this issue.

Hewlett-Packard Company

Notified:  April 08, 2014 Updated: May 02, 2014

Statement Date:   April 14, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://h17007.www1.hp.com/docs/advisories/HPNetworkingSecurityAdvisory-OpenSSL-HeartbleedVulnerability.pdf
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04236102
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04236062
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04239375
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04239372
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04240206
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04242672
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04239374
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04250814
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04248997
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04255796
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04260353
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04260456
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04260505
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04262472
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04262670
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04261644
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04239375

Addendum

There are no additional comments at this time.

Hitachi

Notified:  April 08, 2014 Updated: May 27, 2014

Statement Date:   April 16, 2014

Status

  Affected

Vendor Statement

Hitachi has published the below advisory on its website. Please refer to the advisory for additional information. This advisory includes Hitachi products for Industrial Control Platform.

HIRT-PUB14005: OpenSSL TLS heartbeat extension read overrun issue in Hitachi products (VU#720951, CVE-2014-0160)
http://www.hitachi.com/hirt/publications/hirt-pub14005/index.html

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.hitachi.com/hirt/publications/hirt-pub14005/index.html

Addendum

There are no additional comments at this time.

IBM Corporation

Notified:  April 08, 2014 Updated: April 15, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://aix.software.ibm.com/aix/efixes/security/openssl_advisory7.doc
http://www-01.ibm.com/support/docview.wss?&uid=swg21669774

Addendum

There are no additional comments at this time.

IBM Corporation (zseries)

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

IBM eServer

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Infoblox

Notified:  April 08, 2014 Updated: April 08, 2014

Statement Date:   April 08, 2014

Status

  Not Affected

Vendor Statement

Infoblox is not affected by this issue (in any released version).

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Intel Corporation

Notified:  April 08, 2014 Updated: April 15, 2014

Statement Date:   April 15, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00037&languageid=en-fr

Addendum

There are no additional comments at this time.

Internet Security Systems, Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Intoto

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Juniper Networks, Inc.

Notified:  April 08, 2014 Updated: April 09, 2014

Statement Date:   April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://kb.juniper.net/JSA10623

Addendum

There are no additional comments at this time.

m0n0wall

Notified:  April 08, 2014 Updated: April 08, 2014

Statement Date:   April 08, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

m0n0wall is not affected (as it uses OpenSSL 0.9.8).

Addendum

There are no additional comments at this time.

Mandriva S. A.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

MarkLogic Corporation

Updated:  April 15, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Recently a serious security vulnerability was discovered in the OpenSSL cryptographic software library. MarkLogic application servers can be configured to use SSL, and MarkLogic uses OpenSSL to provide this capability. A patch to OpenSSL has been released to address this vulnerability, and MarkLogic has built patches for all impacted MarkLogic versions with OpenSSL 1.0.1g to incorporate this new fix.

Impacted Versions

The following versions of MarkLogic are impacted by this vulnerability:

- MarkLogic 5.0-5 through 5.0-6
- All versions of MarkLogic 6.0 (6.0-1 through 6.0-5)
- All versions of MarkLogic 7.0 (7.0-1 through 7.0-2.2), including the MarkLogic AMIs

MarkLogic versions prior to 5.0-5 use an earlier version of OpenSSL that does not have this vulnerability.

How to Patch

We recommend that customers who are using SSL patch their systems immediately. To do this:

1. Upgrade your cluster to the patch release, available at http://developer.marklogic.com/products. Patch release versions are as follows:
   - MarkLogic 5.0-6.1
   - MarkLogic 6.0-5.1
   - MarkLogic 7.0-2.3
2. Regenerate all SSL certificates for your cluster. This is necessary because the vulnerability is such that private keys for your certificates are potentially compromised. See “Configuring SSL on App Servers” in the documentation:
   - MarkLogic 5 documentation: http://docs.marklogic.com/5.0/guide/admin/SSL#chapter
   - MarkLogic 6 documentation: http://docs.marklogic.com/6.0/guide/admin/SSL#chapter
   - MarkLogic 7 documentation: http://docs.marklogic.com/guide/admin/SSL#chapter
3. If you are using BASIC or Application Level Authentication over SSL, have all your users change their passwords after you've patched and deployed new SSL certificates. This includes both internal users in our security database, and anyone using external authentication (which requires BASIC authentication over SSL). This is necessary because the vulnerability may have resulted in password leaks.

If you have any questions about how to patch, feel free to contact support@marklogic.com. More information about the heartbleed vulnerability can be found at http://heartbleed.com or https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160.

Addendum

There are no additional comments at this time.

McAfee

Notified:  April 08, 2014 Updated: April 11, 2014

Statement Date:   April 11, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://kc.mcafee.com/corporate/index?page=content&id=SB10071

Addendum

There are no additional comments at this time.

Microsoft Corporation

Notified:  April 08, 2014 Updated: April 21, 2014

Statement Date:   April 21, 2014

Status

  Not Affected

Vendor Statement

Microsoft Services unaffected by OpenSSL “Heartbleed” vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx

Addendum

There are no additional comments at this time.

MontaVista Software, Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

NEC Corporation

Notified:  April 08, 2014 Updated: April 30, 2014

Statement Date:   April 30, 2014

Status

  Unknown

Vendor Statement

We provide information on this issue at the following URL: http://jpn.nec.com/security-info/av14-001.html (only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://jpn.nec.com/security-info/av14-001.html

Addendum

There are no additional comments at this time.

NetBSD

Notified:  April 08, 2014 Updated: April 08, 2014

Statement Date:   April 08, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

NetBSD is vulnerable (in the version 6 train, not in the version 5 train).
pkgsrc is vulnerable (1.0.1 versions of OpenSSL packages below 1.0.1g, no surprises there).

Vendor References

http://mail-index.netbsd.org/security-announce/2014/04/08/msg000085.html

Addendum

There are no additional comments at this time.

netfilter

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

nginx

Updated:  April 11, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/

Addendum

nginx for Windows is statically linked with the OpenSSL library. We have confirmed that nginx versions 1.2.9 through 1.4.7 on Windows provide a vulnerable OpenSSL version. nginx 1.4.7, which was originally released on March 18, 2014, was silently repackaged with OpenSSL 1.0.1g on April 8, 2014. nginx 1.5.13 was officially released on April 8, 2014, and it also includes OpenSSL 1.0.1g, despite not specifically mentioning this vulnerability.

Nokia

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Novell, Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

NVIDIA

Updated:  May 05, 2014

Statement Date:   May 05, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

http://nvidia.custhelp.com/app/answers/detail/a_id/3492

Addendum

There are no additional comments at this time.

OpenBSD

Notified:  April 08, 2014 Updated: April 08, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/002_openssl.patch.sig
http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/007_openssl.patch
http://ftp.openbsd.org/pub/OpenBSD/patches/5.3/common/014_openssl.patch

Addendum

There are no additional comments at this time.

Opengear

Updated:  April 15, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://opengear.zendesk.com/entries/51667116-CVE-2014-0160-aka-Heartbleed-Opengear-products-are-not-affected

Addendum

There are no additional comments at this time.

OpenSSL

Updated:  April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.openssl.org/news/secadv_20140407.txt

Addendum

There are no additional comments at this time.

openSUSE project

Updated:  April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html

Addendum

There are no additional comments at this time.

OpenVPN Technologies

Updated:  April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://community.openvpn.net/openvpn/wiki/heartbleed

Addendum

There are no additional comments at this time.

Openwall GNU/*/Linux

Notified:  April 08, 2014 Updated: April 09, 2014

Status

  Not Affected

Vendor Statement

Openwall GNU/*/Linux is not affected. The versions of OpenSSL that we redistribute do not contain the vulnerable code.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

Oracle Corporation

Notified:  April 08, 2014 Updated: April 16, 2014

Statement Date:   April 16, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html

Addendum

There are no additional comments at this time.

Palo Alto Networks

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Peplink

Notified:  April 08, 2014 Updated: April 18, 2014

Statement Date:   April 08, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Peplink products are NOT affected by this vulnerability.

Vendor References

https://forum.peplink.com/threads/3062-Special-Notice-On-OpenSSL-Heartbleed-Vulnerability

Addendum

There are no additional comments at this time.

pfSENSE

Updated:  April 17, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://blog.pfsense.org/?p=1253

Addendum

There are no additional comments at this time.

Process Software

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Q1 Labs

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

QNX Software Systems Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Quagga

Notified:  April 08, 2014 Updated: April 07, 2014

Statement Date:   April 08, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Quagga is not affected by this vulnerability.

Addendum

There are no additional comments at this time.

Red Hat, Inc.

Notified:  April 08, 2014 Updated: April 08, 2014

Statement Date:   April 08, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://access.redhat.com/security/cve/CVE-2014-0160
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0160
https://rhn.redhat.com/errata/RHSA-2014-0376.html

Addendum

There are no additional comments at this time.

SafeNet

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Slackware Linux Inc.

Notified:  April 08, 2014 Updated: April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2014&m=slackware-security.533622

Addendum

There are no additional comments at this time.

SmoothWall

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Snort

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Sony Corporation

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Sophos, Inc.

Updated:  April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://blogs.sophos.com/2014/04/09/sophos-utm-manager-and-openssl-vulnerability/

Addendum

There are no additional comments at this time.

Sourcefire

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Stonesoft

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

SUSE Linux

Notified:  April 08, 2014 Updated: April 08, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html

Addendum

SUSE Enterprise Linux uses OpenSSL 0.9.x.

Symantec

Notified:  April 08, 2014 Updated: May 13, 2016

Statement Date:   April 18, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.symantec.com/outbreak/?id=heartbleed
http://www.symantec.com/content/en/us/enterprise/other_resources/b-symantec-product-list-heartbleed.pdf
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00

Addendum

CERT/CC has confirmed with Symantec that Symantec Messaging Gateway version 10.6.1 is vulnerable. Please see the most recent Symantec advisory (SYM16-007) above.

The SCO Group

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

TippingPoint Technologies Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Turbolinux

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Ubuntu

Notified:  April 08, 2014 Updated: April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.ubuntu.com/usn/usn-2165-1/
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1304042

Addendum

Note that the version number reported by openssl does not reflect the patch level. To verify that the usn-2165-1 fixed versions are installed, run the following command:

  dpkg -l openssl libssl* | cat

and compare the reported version numbers with those listed in the advisory.

Unisys

Notified:  April 08, 2014 Updated: April 17, 2014

Statement Date:   April 17, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Heartbleed bug – Public and Client Communication

Dear Unisys client,

Unisys prides itself on ensuring the mission-critical operations of our clients – and the security of your systems is a priority for us. I am writing to let you know how we are addressing any risks related to the Heartbleed bug that has been reported in the news and to provide you with information that may help you address your own risks.

Heartbleed is a software bug in the OpenSSL technology used to create a secure link over the Internet between a server and a computer asset such as a laptop or PC. The bug, which has existed for about two years but was only publicly disclosed last week, is believed to have affected a significant number of websites globally.

Unisys has undertaken a comprehensive review of our servers, products, and client-owned servers under our management for risks associated with the Heartbleed bug. Here’s what you need to know:

- We have not found any vulnerability in our public-facing Web servers. We continue to monitor the product advisories of our major vendors for any potential issues.
- The vast majority of our released products, including MCP, OS 2200, Forward!, Stealth, and Choreographer, are not vulnerable to the Heartbleed bug. Two instances of potential vulnerabilities were found in add-on products; in those cases, we have done remediation efforts and notified clients.
- The vast majority of client-owned servers under our management are not affected by the Heartbleed bug. For servers that may have been affected, we have notified the client and after consulting with the client, we are in the process of patching those servers, changing the server side certificates and instructing users to change their passwords.
- Currently, only version 1.0.1 - 1.0.1f of the open-source SSL is affected. We have upgraded any client-owned servers under our management to version 1.0.1g. We recommend that you check the other servers that you manage.
- Our Security Services team can help you in this process and can also perform a penetration test to determine if you are vulnerable and help you contain any resulting damage.

We stand ready to assist you. Please contact your Unisys representative or service delivery manager to discuss your requirements or to order a penetration test. We appreciate your business.

Unisys

Addendum

There are no additional comments at this time.

VMware

Notified:  April 08, 2014 Updated: April 22, 2014

Statement Date:   April 09, 2014

Status

  Affected

Vendor Statement

VMware has released product updates and patches for all affected products listed in VMware Knowledge Base article 2076225.

Vendor Information

VMware Security Advisory VMSA-2014-0004 lists the updated products and patch releases that address CVE-2014-0160 in VMware products and provides references to specific product documentation.

Vendor References

http://www.vmware.com/security/advisories/VMSA-2014-0004.html
http://kb.vmware.com/kb/2076225

Addendum

There are no additional comments at this time.

Vyatta

Notified:  April 08, 2014 Updated: April 11, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

TECHNICAL SUPPORT BULLETIN
April 10, 2014
TSB 2014-185-A

SEVERITY: Low - Information
PRODUCTS AFFECTED: All Brocade products, including Vyatta
CORRECTED IN RELEASE: All current releases of Brocade products, including Vyatta

BULLETIN OVERVIEW

The purpose of this bulletin is to provide information regarding the recently disclosed vulnerability in the OpenSSL protocol documented by CVE-2014-0160 and also known as "The Heartbleed bug." This vulnerability takes advantage of the heartbeat extensions to the OpenSSL protocol (RFC6520). Brocade's family of IP products ADX, FCX, ICX, MLX, MLX-E, XMR CES, CER, RX, SX, VDX offering ServerIron, FastIron, NetIron, RX, Network OS, Brocade Network Advisor, Vyatta and vADX software and SAN products offering FOS software do not make use of the heartbeat extensions and hence are not vulnerable to the exploit documented in CVE-2014-0160. In addition, the MyBrocade.com web site does not use OpenSSL and is not vulnerable to this issue.

PROBLEM STATEMENT

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

RISK ASSESSMENT

There is no risk using Brocade products

SYMPTOMS

Not applicable.

WORKAROUND

No workaround is necessary.

CORRECTIVE ACTION

Not applicable.

Addendum

There are no additional comments at this time.

Watchguard Technologies, Inc.

Updated:  April 09, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://watchguardsecuritycenter.com/2014/04/08/the-heartbleed-openssl-vulnerability-patch-openssl-asap/

Addendum

There are no additional comments at this time.

Watchguard Technologies, Inc.

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

Wind River Systems, Inc.

Notified:  April 08, 2014 Updated: April 11, 2014

Statement Date:   April 08, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Wind River has investigated its products regarding the Heartbleed vulnerability. The conclusion is:

- VxWorks is not vulnerable.
- WR Linux 3.x and 4.x are not vulnerable.
- WR Linux 5.0.1.x is vulnerable if the optional openssl-1.0.1 package is installed.
- WR Linux 6.0.0.x is vulnerable.
- INP 3.4 is vulnerable.

Wind River customers can find additional information, e.g. fixes, at the online support web site https://support.windriver.com/

Vendor References

https://support.windriver.com/

Addendum

There are no additional comments at this time.

WSO2

Updated:  April 15, 2014

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

On April 7th, a Security Advisory was issued by the OpenSSL project notifying the public of a serious vulnerability in the encryption software used by a majority of websites on the Internet. http://connect.wso2.com/wso2/c/secadv_20140407.txt?_lid=62396&_cid=77097&_t=859269 We want you to know that our servers were not exposed and your WSO2 account is completely safe. Nevertheless, to ensure there is no additional risk, we strongly encourage you to request a new password. http://connect.wso2.com/wso2/c/password?_lid=62397&_cid=77097&_t=859269 If you have any questions or concerns, please email security@wso2.com. For additional information regarding this vulnerability, please visit: http://connect.wso2.com/wso2/c/heartbleed.com?_lid=62398&_cid=77097&_t=859269

Addendum

There are no additional comments at this time.

ZyXEL

Notified:  April 08, 2014 Updated: April 07, 2014

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.