BugTraq
CA20140413-01: Security Notice for OpenSSL Heartbleed Vulnerability May 16 2014 02:25PM
Williams, James K (Ken Williams ca com)
CA20140413-01: Security Notice for OpenSSL Heartbleed Vulnerability

Issued: April 13, 2014

Updated: May 12, 2014

CA Technologies is investigating an OpenSSL vulnerability, referred to

as the "Heartbleed bug" that was publicly disclosed on April 7, 2014.

CVE identifier CVE-2014-0160 has been assigned to this vulnerability.

CA Technologies has confirmed that the majority of our product

portfolio is unaffected. There are, however, several products that

used vulnerable versions of OpenSSL 1.0.1 and consequently may be

affected. CA Technologies will update this security notice as

additional information becomes available.

Risk Rating

High

These products may be affected

CA ARCserve D2D for Windows 16.5

CA ARCserve D2D for Linux 16.5, 16.5SP1

CA ARCserve High Availability 16.5, 16.5SP1, 16.5SP2 (SP2 build less

than 3800)

CA ARCserve Replication 16.5, 16.5SP1, 16.5SP2 (SP2 build less than

3800)

CA ARCserve Unified Data Protection (Release Candidate)

CA ecoMeter 3.1.1, 3.1.2, 4.0.00, 4.0.01, 4.0.02, 4.1.00, 4.1.01,

4.2.00

CA eHealth 6.3.0.05 thru 6.3.2.04 (all platforms affected)

CA Layer 7 API Gateway 8.1 (installed but not used by default)

CA Layer 7 API Portal 2.6

CA Layer 7 Mobile Access Gateway 8.1 (installed but not used by

default)

CA Mobile Device Management 2014 Q1

CA XCOM Data Transport - Only the Windows 64-bit XCOM application is

affected.

Note: At this time, no other CA Technologies products have been

identified as potentially vulnerable.

Solution

CA ARCserve D2D for Windows 16.5:

Apply fix RO69431.

CA ARCserve D2D for Linux 16.5 and 16.5SP1:

Apply fix RO69417. Note that r16.5 SP1 is a prerequisite for this fix.

CA ARCserve High Availability 16.5, 16.5SP1, 16.5SP2 (SP2 build less

than 3800):

Apply Service Pack 2 (build 3800), which includes the fix for the

OpenSSL Heartbleed vulnerability: RI69547.

CA ARCserve Replication 16.5, 16.5SP1, 16.5SP2 (SP2 build less than

3800):

Apply Service Pack 2 (build 3800), which includes the fix for the

OpenSSL Heartbleed vulnerability: RI69547.

CA ARCserve Unified Data Protection (Release Candidate):

CA expects to provide a solution with the GA release on May 14, 2014

CA ecoMeter 3.1.1, 3.1.2:

These versions of CA ecoMeter use eHealth as the data collection

platform.

Apply the appropriate fix listed below. Important note: Do not apply

this patch to CA eHealth releases prior to 6.3.0.05 and/or systems

utilizing CAC. Customers who use eHealth with CAC should wait for

further notification as the testing for that configuration has not

been completed.

Windows: RO69554

Linux: RO69556

Solaris: RO69555

CA ecoMeter 4.0.00, 4.0.01, 4.0.02, 4.1.00, 4.1.01, 4.2.00:

These versions of CA ecoMeter use eHealth as the data collection

platform.

Apply the appropriate fix listed below. Important note: The current

CA eHealth / CA SiteMinder integration is not compatible with release

6.3.1.02 thru 6.3.2.04. Do not apply this patch to CA eHealth released

prior to 6.3.1.02 and/or system utilizing CAC. Customers who use

eHealth with CAC should wait for further notification as the testing

for that configuration has not been completed.

Windows: RO69442

Linux: RO69443

Solaris: RO69444

CA eHealth 6.3.0.05 - 6.3.1.01 (all platforms):

Apply the appropriate fix listed below. Important note: Do not apply

this patch to CA eHealth releases prior to 6.3.0.05 and/or systems

utilizing CAC. Customers who use eHealth with CAC should wait for

further notification as the testing for that configuration has not

been completed.

Windows: RO69554

Linux: RO69556

Solaris: RO69555

CA eHealth 6.3.1.02 - 6.3.2.04 (all platforms):

Apply the appropriate fix listed below. Important note: The current

CA eHealth / CA SiteMinder integration is not compatible with release

6.3.1.02 thru 6.3.2.04. Do not apply this patch to CA eHealth released

prior to 6.3.1.02 and/or system utilizing CAC. Customers who use

eHealth with CAC should wait for further notification as the testing

for that configuration has not been completed.

Windows: RO69442

Linux: RO69443

Solaris: RO69444

CA Layer 7 API Gateway 8.1:

Solution was delivered on April 10, 2014

Refer to the Layer 7 Technologies Support site for solution.

CA Layer 7 API Portal 2.6:

Solution was delivered on April 10, 2014

Refer to the Layer 7 Technologies Support site for solution.

CA Layer 7 Mobile Access Gateway 8.1:

Solution was delivered on April 10, 2014

Refer to the Layer 7 Technologies Support site for solution.

CA Mobile Device Management 2014 Q1:

Apply Hotfix 1: CA MDM 2014Q1 Hotfix 1

CA XCOM Data Transport (only Windows 64-bit platform is affected):

Solution RO69230 was published on April 11, 2014

Workaround

None

References

CVE-2014-0160 - OpenSSL Heartbleed vulnerability

Change History

v1.0: 2014-04-13, Initial Release

v1.1: 2014-04-14, Updated Layer 7 affected products and solution.

v1.2: 2014-04-14, Updated XCOM Data Transport affected product info.

v1.3: 2014-04-19, Modified affected versions for ARCserve D2D for

Windows, ARCserve High Availability, ARCserve Replication,

eHealth. Added ecoMeter to affected products. Modified solutions

for ARCserve D2D for Windows, ARCserve D2D for Linux, ARCserve

High Availability, ARCserve Replication, eHealth. Added ecoMeter

3.x and 4.x solution information. Added fixes for eHealth

6.3.1.02 â?? 6.3.2.04, and ecoMeter 4.x.

v1.4: 2014-04-24, Modified ARCserve RHA affected versions. Added

solutions for ARCserve D2D (Windows and Linux), ARCserve RHA,

ecoMeter, eHealth.

v1.5: 2014-05-12, Added fix for MDM. Fixes are now available for all

potentially affected CA products.

If additional information is required, please contact CA Technologies

Support at https://support.ca.com/ .

If you discover a vulnerability in CA Technologies products, please

report your findings to the CA Technologies Product Vulnerability

Response Team at vuln (at) ca (dot) com [email concealed] .

PGP key:

support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782

Security Notices

https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Regards,

Ken Williams

Director, Product Vulnerability Response Team

CA Technologies | One CA Plaza | Islandia, NY 11749 | www.ca.com

Ken.Williams (at) ca (dot) com [email concealed] | vuln (at) ca (dot) com [email concealed]

Copyright © 2014 CA. All Rights Reserved. One CA Plaza, Islandia, N.Y.

11749. All other trademarks, trade names, service marks, and logos

referenced herein belong to their respective companies.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus