-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0765
    CA20140413-01: Security Notice for OpenSSL Heartbleed Vulnerability
                                20 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          CA ARCserve products
                  CA ecoMeter
                  CA eHealth
                  CA Layer 7 API Gateway
                  CA Layer 7 API Portal
                  CA Layer 7 Mobile Access Gateway 8.1
                  CA Mobile Device Management
                  CA XCOM Data Transport
Publisher:        CA
Operating System: Windows
                  Linux variants
                  Network Appliance
                  Solaris
Impact/Access:    Access Privileged Data -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2014-0160  

Reference:        ESB-2014.0650
                  ESB-2014.0644.2
                  ESB-2014.0643
                  ESB-2014.0642
                  ESB-2014.0641
                  ESB-2014.0640.2
                  ESB-2014.0466
                  ESB-2014.0461
                  ESB-2014.0458.2
                  ESB-2014.0457

- --------------------------BEGIN INCLUDED TEXT--------------------

CA20140413-01: Security Notice for OpenSSL Heartbleed Vulnerability

Issued: April 13, 2014
Updated: May 12, 2014

CA Technologies is investigating an OpenSSL vulnerability, referred to 
as the "Heartbleed bug" that was publicly disclosed on April 7, 2014. 
CVE identifier CVE-2014-0160 has been assigned to this vulnerability. 
CA Technologies has confirmed that the majority of our product 
portfolio is unaffected. There are, however, several products that 
used vulnerable versions of OpenSSL 1.0.1 and consequently may be 
affected. CA Technologies will update this security notice as 
additional information becomes available.

Risk Rating

High

These products may be affected

CA ARCserve D2D for Windows 16.5
CA ARCserve D2D for Linux 16.5, 16.5SP1
CA ARCserve High Availability 16.5, 16.5SP1, 16.5SP2 (SP2 build less 
   than 3800)
CA ARCserve Replication 16.5, 16.5SP1, 16.5SP2 (SP2 build less than 
   3800)
CA ARCserve Unified Data Protection (Release Candidate)
CA ecoMeter 3.1.1, 3.1.2, 4.0.00, 4.0.01, 4.0.02, 4.1.00, 4.1.01, 
   4.2.00
CA eHealth 6.3.0.05 through 6.3.2.04 (all platforms affected)
CA Layer 7 API Gateway 8.1 (installed but not used by default)
CA Layer 7 API Portal 2.6
CA Layer 7 Mobile Access Gateway 8.1 (installed but not used by 
   default)
CA Mobile Device Management 2014 Q1
CA XCOM Data Transport - Only the Windows 64-bit XCOM application is 
   affected.

Note: At this time, no other CA Technologies products have been 
identified as potentially vulnerable.
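The notice above says the affected products used vulnerable versions of OpenSSL 1.0.1. The following is an added example, not code from CA Technologies or AusCERT, that classifies the output of `openssl version` against the affected range and applies it to a constructed host inventory; the range itself (1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g and later fixed) comes from the OpenSSL project's advisory, not from this notice.

```python
import re

# Affected range for CVE-2014-0160 per the OpenSSL project's 7 April 2014
# advisory (this fact is not stated in the CA notice above):
# 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g, 1.0.0.x and
# 0.9.8.x are not.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def parse_openssl_version(banner):
    """Parse `openssl version` output into (major, minor, fix, letter, beta)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % banner)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return major, minor, fix, m.group(4), m.group(5) or ""


def is_heartbleed_affected(banner):
    """True if the reported version falls in the CVE-2014-0160 range."""
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # OpenSSL patch levels are single letters that sort lexically:
        # "" (1.0.1) < "a" < ... < "f" are affected, "g" and later are fixed.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped with the bug.
        return beta == "beta1"
    return False


# Constructed sample inventory of (hostname, `openssl version` output);
# the hostnames and banners are made up for this example.
SAMPLE_INVENTORY = [
    ("backup01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("backup02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("nms01", "OpenSSL 1.0.0k 5 Feb 2013"),
    ("gw01", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
]


def affected_hosts(inventory):
    """Return hostnames whose reported OpenSSL version is in the affected range."""
    return [host for host, banner in inventory if is_heartbleed_affected(banner)]


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("%s: reported OpenSSL version is in the CVE-2014-0160 range" % host)
```

Distributions such as Debian and Red Hat backported the fix without changing the version letter, so a host reporting 1.0.1e may already be patched; treat a match as a prompt to check the vendor package changelog or build date rather than as proof of exposure.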

Solution

CA ARCserve D2D for Windows 16.5:
Apply fix RO69431.

CA ARCserve D2D for Linux 16.5 and 16.5SP1:
Apply fix RO69417. Note that r16.5 SP1 is a prerequisite for this fix.

CA ARCserve High Availability 16.5, 16.5SP1, 16.5SP2 (SP2 build less 
than 3800):
Apply Service Pack 2 (build 3800), which includes the fix for the 
OpenSSL Heartbleed vulnerability: RI69547.

CA ARCserve Replication 16.5, 16.5SP1, 16.5SP2 (SP2 build less than 
3800):
Apply Service Pack 2 (build 3800), which includes the fix for the 
OpenSSL Heartbleed vulnerability: RI69547.

CA ARCserve Unified Data Protection (Release Candidate):
CA expects to provide a solution with the GA release on May 14, 2014.

CA ecoMeter 3.1.1, 3.1.2:
These versions of CA ecoMeter use eHealth as the data collection 
platform.
Apply the appropriate fix listed below. Important note: Do not apply 
this patch to CA eHealth releases prior to 6.3.0.05 and/or systems 
utilizing CAC. Customers who use eHealth with CAC should wait for 
further notification as the testing for that configuration has not 
been completed.
Windows: RO69554
Linux: RO69556
Solaris: RO69555

CA ecoMeter 4.0.00, 4.0.01, 4.0.02, 4.1.00, 4.1.01, 4.2.00:
These versions of CA ecoMeter use eHealth as the data collection 
platform.
Apply the appropriate fix listed below. Important note: The current 
CA eHealth / CA SiteMinder integration is not compatible with releases 
6.3.1.02 through 6.3.2.04. Do not apply this patch to CA eHealth 
releases prior to 6.3.1.02 and/or systems utilizing CAC. Customers who 
use eHealth with CAC should wait for further notification as the 
testing for that configuration has not been completed.
Windows: RO69442
Linux: RO69443
Solaris: RO69444

CA eHealth 6.3.0.05 - 6.3.1.01 (all platforms):
Apply the appropriate fix listed below. Important note: Do not apply 
this patch to CA eHealth releases prior to 6.3.0.05 and/or systems 
utilizing CAC. Customers who use eHealth with CAC should wait for 
further notification as the testing for that configuration has not 
been completed.
Windows: RO69554
Linux: RO69556
Solaris: RO69555

CA eHealth 6.3.1.02 - 6.3.2.04 (all platforms):
Apply the appropriate fix listed below. Important note: The current 
CA eHealth / CA SiteMinder integration is not compatible with releases 
6.3.1.02 through 6.3.2.04. Do not apply this patch to CA eHealth 
releases prior to 6.3.1.02 and/or systems utilizing CAC. Customers who 
use eHealth with CAC should wait for further notification as the 
testing for that configuration has not been completed.
Windows: RO69442
Linux: RO69443
Solaris: RO69444

CA Layer 7 API Gateway 8.1:
Solution was delivered on April 10, 2014
Refer to the Layer 7 Technologies Support site for solution.

CA Layer 7 API Portal 2.6:
Solution was delivered on April 10, 2014
Refer to the Layer 7 Technologies Support site for solution.

CA Layer 7 Mobile Access Gateway 8.1:
Solution was delivered on April 10, 2014
Refer to the Layer 7 Technologies Support site for solution.

CA Mobile Device Management 2014 Q1:
Apply Hotfix 1: CA MDM 2014Q1 Hotfix 1

CA XCOM Data Transport (only Windows 64-bit platform is affected):
Solution RO69230 was published on April 11, 2014.

Workaround

None

References

CVE-2014-0160 - OpenSSL Heartbleed vulnerability

Change History

v1.0: 2014-04-13, Initial Release
v1.1: 2014-04-14, Updated Layer 7 affected products and solution.
v1.2: 2014-04-14, Updated XCOM Data Transport affected product info.
v1.3: 2014-04-19, Modified affected versions for ARCserve D2D for 
      Windows, ARCserve High Availability, ARCserve Replication, 
      eHealth. Added ecoMeter to affected products. Modified solutions 
      for ARCserve D2D for Windows, ARCserve D2D for Linux, ARCserve 
      High Availability, ARCserve Replication, eHealth. Added ecoMeter 
      3.x and 4.x solution information. Added fixes for eHealth 
      6.3.1.02 - 6.3.2.04, and ecoMeter 4.x.
v1.4: 2014-04-24, Modified ARCserve RHA affected versions. Added 
      solutions for ARCserve D2D (Windows and Linux), ARCserve RHA, 
      ecoMeter, eHealth.
v1.5: 2014-05-12, Added fix for MDM. Fixes are now available for all 
      potentially affected CA products.

If additional information is required, please contact CA Technologies 
Support at https://support.ca.com/ .

If you discover a vulnerability in CA Technologies products, please 
report your findings to the CA Technologies Product Vulnerability 
Response Team at vuln@ca.com .
PGP key:
support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Security Notices
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Regards,
Ken Williams
Director, Product Vulnerability Response Team
CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com
Ken.Williams@ca.com | vuln@ca.com

Copyright 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y. 
11749. All other trademarks, trade names, service marks, and logos 
referenced herein belong to their respective companies.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----