OpenSSL Vulnerability Check [CVE-2020-1971]


Article ID: 206948


Updated On:


Management Center - VA, Management Center


Is Management Center 3.x affected by the OpenSSL vulnerability CVE-2020-1971?


Release : MC v3.x

Component : Management Center 


Our investigation indicates that MC 3.x is vulnerable to CVE-2020-1971, but only when an authenticated administrator user does both of the following:
  1. Installs a malicious certificate revocation list (CRL).
  2. Configures MC to connect to a custom, non-Symantec SSL server (e.g. to download or upload files) that is configured with a malicious SSL server certificate.

Customers can do the following to temporarily remediate this vulnerability:
  1. If importing CRLs into MC for certificate revocation, import only CRLs obtained in a secure manner from a trusted certificate authority (CA).
  2. If using custom SSL servers for MC to download files from or upload files to, configure those SSL servers only with SSL certificates generated in a trusted manner.

A permanent fix for this CVE will also be provided in a future MC release.
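
For the first remediation step above (importing only CRLs that come from a trusted CA), one way to check a CRL file on an administrator workstation before importing it is to verify its signature against the CA certificate you already trust. This is an added example, not part of the original article or any vendor tooling; it assumes the `openssl` command-line tool is installed, the function names `check_crl` and `make_ca` are hypothetical, and the CAs and CRLs it generates are constructed test data.

```shell
#!/bin/sh
# Added example: gate a CRL before importing it anywhere. The CRL is accepted
# only if its signature verifies against a CA certificate you already trust.

# check_crl CRL_PEM TRUSTED_CA_PEM  -> returns 0 (accept) or non-zero (reject)
check_crl() {
    # `openssl crl -CAfile` looks up the CRL issuer in the CA file and checks
    # the signature. Exit codes differ between OpenSSL versions, so match the
    # "verify OK" message (written to stderr) instead of the exit status.
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q '^verify OK'
}

# make_ca DIR LABEL: constructed throwaway CA plus an empty CRL signed by it.
# Every CA gets the same subject name, so only the signing key tells them apart.
make_ca() {
    d=$1/$2; mkdir -p "$d"; : > "$d/index.txt"
    cat > "$d/ca.cnf" <<EOF
[ca]
default_ca = c
[c]
database = $d/index.txt
default_md = sha256
default_crl_days = 7
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl ca -gencrl -config "$d/ca.cnf" -keyfile "$d/ca.key" \
        -cert "$d/ca.pem" -out "$d/crl.pem" 2>/dev/null
}

# Demo with constructed data: a CRL from the trusted CA, and a CRL that claims
# the same issuer name but was signed with a different key.
demo() {
    t=$(mktemp -d) || return 1
    make_ca "$t" trusted && make_ca "$t" lookalike || return 1
    check_crl "$t/trusted/crl.pem" "$t/trusted/ca.pem" && echo "trusted CRL: accept"
    check_crl "$t/lookalike/crl.pem" "$t/trusted/ca.pem" || echo "lookalike CRL: reject"
    rm -rf "$t"
}

demo
```
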