Due to vulnerabilities found CEM Gateway OpenSSL component has been upgraded to version 1.0.1u

Article Id: 184236
Status: Published
Updated On: 06-02-2020 11:18
Legacy Id: TECH235068
Products:
Management Platform (Formerly known as Notification Server)
Issue/Introduction:

Due to vulnerabilities found CEM Gateway OpenSSL component has been upgraded to version 1.0.1u

 

Cause:

Known vulnabilities in pre-1.0.1u version of OpenSSL.

https://isc.sans.edu/forums/diary/OpenSSL+Updates/21015/
http://www.zdnet.com/article/two-highly-dangerous-openssl-security-bugs-have-been-patched/
http://www.swingleton.com/blog/2014/04/patching-openssl-on-windows-running-apache-fixing-the-heartbleed-bug/
https://www.openssl.org/news/secadv/20160922.txt 

 

Resolution:

These vulnerabilities have been reported to Symantec Development team.

A fixed version of gateway including latest OpenSSL 1.0.1u version has been created and added to later releases.

These include post 7.6 HF7 >  see attached "Gateway_POST_7.6_HF7_v1.zip" file for the actual pointfix.

Latest 8.0 version of gateway has following versions post 8.0 HF1 (1.0.1t), 8.0 HF4 (1.0.1u).

For changes done under the ULM agent version in SMP 7.5 SP1 HF5 regarding OpenSSL 1.0.1t, please refer to the attached "Pointfix_eTrack3947448_7.5_SP1_HF5_ULM.zip". ReadMe doc is included in the Zip file.

Note: So far no requests were made for 1.0.1u version to be added for 7.5 SP1 HF5, hence 7.6 and 8.0 latest versions were upgraded only. 

 

REQUIREMENT

SMP 7.6 or higher

HOW TO INSTALL THIS POINTFIX

  1. Retrieve files from the archive to the NS hard drive.
  2. Run as administrator PFinstaller.EXE, click on ‘Install’ button
  3. Deploy new MSI from \\localhost\NSCap\bin\Win64\X64\SMP Internet Gateway\ to the actual gateway machine
  4. Double click on SMP_Internet_Gateway.msi and proceed installation steps

 

CHANGES MADE

  • OpenSSL component was upgraded

 

QA PERFORMED

Tested PF on CEM Gateway 7.6 in following scenarios:

  • Verified vulnerable OpenSSL version
  • Verified point fix installation on NS
  • Verified that upgraded MSI is installable over running CEM Gateway
  • Verified that OpenSSL component version changed to 1.0.1t
  • Verified that CEM SMA-s connectivity to NS was not affected
  • Verified that CEM SMA-s are able to send basic inventory and receive tasks
  • Verified that CEM SMA-s are able to get package delivery via new Gateway