Is the Symantec Protection Engine (SPE) affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)?


Please note that this document is a translation. It is possible that updates have been made to the original version after this document was translated and published. Symantec does not guarantee the accuracy or completeness of the translation. You may also refer to the English version of this knowledgebase article for up-to-date information.

Article: TECH216502  |  Created: 2014-04-08  |  Updated: 2014-06-11  |  Article URL: http://www.symantec.com/docs/TECH216502
Article Type: Technical Solution


Issue



You wish to know whether the Symantec Protection Engine (SPE) is affected by the "Heartbleed" OpenSSL bug (CVE-2014-0160), which allows highly sensitive material such as primary key information to be accessed illicitly through a defect in the implementation of the heartbeat extension (RFC 6520) for TLS/DTLS (the Transport Layer Security protocols).


Solution



The Symantec Protection Engine (SPE) is NOT AFFECTED by this vulnerability, as it does not use the TLS / DTLS functionality from OpenSSL; however, an optional patch is offered in this document, simply to exclude the specific OpenSSL version (1.0.1e) from the build. This patch is built with OpenSSL 1.0.1g, and after its application the product build number is SPE 7.5.0.36 (HF03).

IMPORTANT NOTE:
This proactive patch is purely OPTIONAL. SPE 7.5.0.34 is NOT AFFECTED by the HeartBleed vulnerability without this patch.

IMPORTANT NOTE 2:
The previous hotfix (HF02) was withdrawn so that the OpenSSL components could also be updated for SPE's other auxiliary components, such as Titanium, Lux, and Defutils (described in the ReadMe). If you have already applied HF02 (SPE 7.5.0.35), it can be safely overwritten by HF03, or you can update directly from SPE 7.5.0.34 (no patch). Note that both HF02 and HF03 are OPTIONAL, and SPE IS NOT AFFECTED by the CVE-2014-0160 vulnerability without HF02/HF03.
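
The version distinction behind this patch (OpenSSL 1.0.1e replaced by 1.0.1g), shown as an added example that is not part of the Symantec article: a Python check that classifies OpenSSL version banners against the CVE-2014-0160 affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1). The component names and banners in SAMPLE_INVENTORY are constructed sample input.

```python
import re

# Matches e.g. "1.0.1e", "0.9.8y", "1.0.2-beta1" inside a version banner.
_VERSION = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def classify(banner):
    """Return 'affected', 'not-affected' or 'unknown' for CVE-2014-0160."""
    m = _VERSION.search(banner)
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if release == (1, 0, 1):
        if beta:
            return "unknown"  # pre-release 1.0.1 builds: review by hand
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g is the fix.
        return "affected" if letter < "g" else "not-affected"
    if release == (1, 0, 2) and beta == "beta1":
        return "affected"
    # 0.9.8 and 1.0.0 never shipped the heartbeat extension code.
    return "not-affected"


def flagged(inventory):
    """Names of inventory entries whose bundled OpenSSL needs review."""
    return sorted(n for n, b in inventory.items() if classify(b) == "affected")


# Constructed sample input: hypothetical component names and banners.
SAMPLE_INVENTORY = {
    "component-a": "OpenSSL 1.0.1e 11 Feb 2013",
    "component-b": "OpenSSL 1.0.1g 7 Apr 2014",
    "component-c": "OpenSSL 0.9.8y 5 Feb 2013",
    "component-d": "version string not found",
}

if __name__ == "__main__":
    for name, banner in sorted(SAMPLE_INVENTORY.items()):
        print(f"{name}: {banner!r} -> {classify(banner)}")
```

A flagged version only marks a build for review: as this article states for SPE, a product that bundles 1.0.1e but does not use OpenSSL's TLS/DTLS functionality is not exposed, and vendor-patched builds may keep an older version string.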

 


Attachments

SPE7.5-HF03.zip (Windows, Solaris, and Linux; 23.8 MBytes) SHA1: 20bfc7ed75d9f8d45e3fdf14c8a2c5268f350a83
SPE7.5-HF03_ReadMe_first.txt (4 kBytes)


Supplemental Materials

Source: ETrack
Value: 3481813
Description: Does the OpenSSL CVE-2014-0160 ("Heartbleed") vulnerability impact SPE 7.5.x?

Source: ETrack
Value: 3484066

Source: ETrack
Value: 3524155

