[j-nsp] SA SSL VPN vulnerable to Heartbleed?

Thomas Hafner th-juniper-nsp at square.de
Tue Apr 8 18:20:03 EDT 2014


Hi,

On 08.04.14 (16:51), David B Funk wrote:
% We have a SA4500 SSL VPN box with the JTAC recommended 7.4R8.0 release.

same here with MAG and SA series and 7.4R8.0

% Testing by tools such as "https://www.ssllabs.com/ssltest/" shows it to
% be vulnerable to the Heartbleed attack (http://heartbleed/).

I've tested with http://possible.lv/tools/hb/

7.4R8.0 is using OpenSSL 1.0.1.f which is vulnerable

% Checking software downloads at juniper.net does not even seem to
% have an alert for this problem, let alone a fix.
% 
% Does Juniper have a clue about this?

yes, their security incident team is working on this

I've also got confirmation that 7.4R1 and above is vulnerable

other statement I've got so far

"Juniper SIRT is fully aware of the vulnerability and Engineering
is working on fixes for affected releases of Junos OS and IVE OS.
Juniper will be providing an out-of-cycle Security Advisory on this
issue very soon."

will be published here:

http://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES&actp=LIST_RECENT&smlogin=true

cheers, Tom

-- 
He who occupies himself too much with small things
usually becomes incapable of great ones.              Rochefoucauld

