Symantec Endpoint Management ITMS 7.0/7.1 Heartbleed Vulnerability Statement


Article ID: 159183


Products

Endpoint Encryption Management Platform (Formerly known as Notification Server)

Issue/Introduction

OpenSSL Heartbleed is a security vulnerability in which an attacker can use a TLS heartbeat packet to reveal up to 64 KB of memory from the server's buffer. This information can include anything stored in that section of memory, including any unencrypted usernames and passwords.

We have identified no issues with the Symantec Endpoint Management ITMS 7.0/7.1 suite of products in relation to this exploit. However, we have identified an issue with this exploit in the ITMS 7.5 suite of products.

For more information regarding the OpenSSL Heartbeat exploit in the Symantec Endpoint Management ITMS 7.5 product, please see TECH216635.

Cause

For more information on the OpenSSL heartbeat vulnerability, please visit http://www.heartbleed.com.

Resolution

Although there are no code vulnerabilities in the Symantec Endpoint Management ITMS 7.0/7.1 product, it is still important to update the OpenSSL libraries of all Apache web servers, following the instructions given by the OS vendor.

When running the Symantec Management Platform Package Server Agent for Linux, please verify that the version of Apache is updated to avoid any potential issues. The Symantec Package Server Agent is wholly dependent on the Apache installation and does not install any OpenSSL components of its own. Therefore, affected versions of Apache should be updated independently of the Symantec environment.
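The check described above amounts to confirming which OpenSSL build the Package Server's Apache actually loads and whether that build falls in the Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, per heartbleed.com). The following POSIX shell script is an added example, not Symantec's code or part of this article: it classifies `openssl version` output against that range and, when run on a host, lists which libssl/libcrypto the Apache mod_ssl module links against. The mod_ssl module paths, the function names, and the sample version lines are assumptions constructed for the example. Because OS vendors backport the fix without changing the version number (a patched 1.0.1e still reports 1.0.1e), a "VULNERABLE-RANGE" result means "confirm against the vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not Symantec's code): classify an OpenSSL version string
# against the Heartbleed-affected range and inspect what the local Apache
# mod_ssl module links against.
# Affected range (heartbleed.com): OpenSSL 1.0.1 through 1.0.1f, 1.0.2-beta1.
# Not affected: 1.0.1g and later, 1.0.2-beta2, the 1.0.0 and 0.9.8 branches.

# Pull the version token out of an `openssl version` line,
# e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e-fips".
openssl_version_token() {
    set -- $1                 # word-split the line on whitespace
    printf '%s\n' "$2"
}

# Print VULNERABLE-RANGE or NOT-AFFECTED for a bare version token.
# Caveat: distributions backport the fix without bumping the version, so a
# VULNERABLE-RANGE hit must be checked against the OS vendor's advisory.
heartbleed_range() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo "VULNERABLE-RANGE" ;;
        *)
            echo "NOT-AFFECTED" ;;
    esac
}

# Convenience wrapper: classify a full `openssl version` output line.
classify_version_line() {
    heartbleed_range "$(openssl_version_token "$1")"
}

# Inspect this host: report the system OpenSSL and which libssl/libcrypto the
# Apache mod_ssl module links against. The module paths are assumed common
# defaults (RHEL/CentOS, Debian/Ubuntu); adjust for your Apache build.
scan_local_host() {
    if command -v openssl >/dev/null 2>&1; then
        line=$(openssl version)
        echo "system openssl: $line -> $(classify_version_line "$line")"
    else
        echo "system openssl: binary not found"
    fi
    for mod in /usr/lib64/httpd/modules/mod_ssl.so \
               /usr/lib/apache2/modules/mod_ssl.so; do
        if [ -f "$mod" ] && command -v ldd >/dev/null 2>&1; then
            echo "$mod links against:"
            ldd "$mod" | grep -E 'libssl|libcrypto' \
                || echo "  (no dynamic libssl/libcrypto found; statically linked build?)"
        fi
    done
}

# Constructed sample lines (not captured from a real host) to show the
# classification; call scan_local_host instead to check the machine you are on.
for sample in "OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.0k 5 Feb 2013" \
              "OpenSSL 0.9.8y 5 Feb 2013" \
              "OpenSSL 1.0.2-beta1 24 Feb 2014"; do
    echo "$sample -> $(classify_version_line "$sample")"
done
```

On a Package Server host, run `scan_local_host` after sourcing the script; the `ldd` output is the part that matters, since the Package Server Agent uses whatever libssl the Apache installation loads, not a copy of its own.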