[j-nsp] SA SSL VPN vulnerable to Heartbleed?
Thomas Hafner
th-juniper-nsp at square.de
Tue Apr 8 18:20:03 EDT 2014
Hi,
On 08.04.14 (16:51), David B Funk wrote:
% We have a SA4500 SSL VPN box with the JTAC recommended 7.4R8.0 release.
same here with MAG and SA series and 7.4R8.0
% Testing by tools such as "https://www.ssllabs.com/ssltest/" shows it to
% be vulnerable to the Heartbleed attack (http://heartbleed/).
I've tested with http://possible.lv/tools/hb/
7.4R8.0 is using openssl 1.0.1.f which is vulnerable
% Checking software downloads at juniper.net does not even seem to
% have an alert for this problem, let alone a fix.
%
% Does Juniper have a clue about this?
yes, their security incident team is working on this
I've also got confirmation that 7.4R1 and above is vulnerable
another statement I've got so far:
"Juniper SIRT is fully aware of the vulnerability and Engineering
is working on fixes for affected releases of Junos OS and IVE OS.
Juniper will be providing an out-of-cycle Security Advisory on this
issue very soon."
will be published here:
http://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES&actp=LIST_RECENT&smlogin=true
cheers, Tom
--
Whoever occupies himself too much with small things
usually becomes incapable of great ones. Rochefoucauld