[j-nsp] SA SSL VPN vulnerable to Heartbleed?
Andy Litzinger
Andy.Litzinger at theplatform.com
Tue Apr 8 18:55:59 EDT 2014
Sounds like an advisory is coming today:
"The Juniper SIRT is fully aware of the vulnerability and Engineering is working on fixes for affected releases of Junos OS and IVE OS. Juniper will be providing an out-of-cycle advisory (JSA) on this issue later today (April 8th, 2014). Junos OS 13.3 and above use OpenSSL 1.0.1 which is affected by this vulnerability, while earlier versions use OpenSSL 0.9.8 and are unaffected by this vulnerability. SA 7.4r1 and UAC 4.4r1 are also confirmed as vulnerable, since they use OpenSSL 1.0.1. PR 981102 has been submitted for Junos to upgrade OpenSSL to 1.0.1g, and PR 981148 has been submitted for IVE OS to disable TLS heartbeat.
SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable"
> On Apr 8, 2014, at 3:41 PM, "Andy Litzinger" <Andy.Litzinger at theplatform.com> wrote:
>
> I opened a JTAC case for the same issue. JTAC said their security team is
> aware of the CVE and they are waiting for fix/recommendation.
>
> -andy
>
>> On 4/8/14 2:51 PM, "David B Funk" <dbfunk at engineering.uiowa.edu> wrote:
>>
>> We have a SA4500 SSL VPN box with the JTAC recommended 7.4R8.0 release.
>> Testing by tools such as "https://www.ssllabs.com/ssltest/" shows it to
>> be vulnerable to the Heartbleed attack (http://heartbleed/).
>>
>> Checking software downloads at juniper.net does not even seem to
>> have an alert for this problem, let alone a fix.
>>
>> Does Juniper have a clue about this?
>> Is anybody else worried?
>>
>> --
>> Dave Funk University of Iowa
>> <dbfunk (at) engineering.uiowa.edu> College of Engineering
>> 319/335-5751 FAX: 319/384-0549 1256 Seamans Center
>> Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
>> #include <std_disclaimer.h>
>> Better is not better, 'standard' is better. B{
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list