Is Symantec Mail Security for Microsoft Exchange affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)

Article:TECH216522  |  Created: 2014-04-09  |  Updated: 2014-04-25  |  Article URL http://www.symantec.com/docs/TECH216522
Article Type
Technical Solution


Issue



You wish to know if the Symantec Mail Security for Microsoft Exchange (SMSMSE) is affected by the "heartbleed" OpenSSL bug (CVE-2014-0160) that allows highly sensitive material such as primary key information to be accessed illicitly via a defect in the implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520).

 

Solution



The SMSMSE is NOT AFFECTED by this vulnerability, as it does not use the TLS / DTLS functionality from OpenSSL. However, an optional patch is offered, simply to exclude the specific OpenSSL version (1.0.1e) from the build. This patch is built with OpenSSL 1.0.1g.

IMPORTANT NOTE:

 

This proactive patch is purely OPTIONAL. SMSMSE 7.5.0.56 is NOT AFFECTED by the HeartBleed vulnerability without this patch.


Attachments

SMSMSE Open SSL HF
SMSMSE_75_patch.zip (2.4 MBytes)
Please read before applying the patch
ReadMe.docx (17 kBytes)




Article URL http://www.symantec.com/docs/TECH216522


Terms of use for this information are found in Legal Notices