OpenSSL Vulnerability Check [CVE-2020-1971]

Article ID: 206948

Products

Management Center - VA, Management Center

Issue/Introduction

Is Management Center 3.x affected by the OpenSSL vulnerability CVE-2020-1971?

Environment

Release : MC v3.x

Component : Management Center

Resolution

Our investigation indicates that MC 3.x is vulnerable to CVE-2020-1971, but only when an authenticated administrator user does both of the following:
  1. Installs a malicious certificate revocation list (CRL).
  2. Configures MC to connect to a custom, non-Symantec SSL server, e.g. to download or upload files, and that server is configured with a malicious SSL server certificate.

Customers can do the following to temporarily remediate this vulnerability:
  1. If importing CRLs into MC for certificate revocation, only import CRLs obtained in a secure manner from a trusted certificate authority (CA).
  2. If using custom SSL servers for MC to download files from or upload files to, configure the SSL servers only with SSL certificates generated in a trusted manner.

A permanent fix for this CVE will also be provided in a future MC release.
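As an added example (not part of this article or of MC itself), a POSIX shell helper that maps an `openssl version` string onto the affected ranges in the OpenSSL project's advisory for CVE-2020-1971 (fixed in 1.1.1i and 1.0.2x) and, for remediation step 1, confirms that a CRL verifies against a trusted CA certificate before it is handed to MC. The function names, the file paths, and the conservative choice to treat out-of-support OpenSSL branches as affected are assumptions.

```shell
#!/bin/sh
# Added helper, not from the KB article. Fix versions are from the OpenSSL
# advisory for CVE-2020-1971: 1.1.1i (affected 1.1.1 to 1.1.1h) and
# 1.0.2x (affected 1.0.2 to 1.0.2w).

# Returns 0 (true) when the given "openssl version" output is in an affected
# range, 1 otherwise. Example input: "OpenSSL 1.1.1h  22 Sep 2020".
cve_2020_1971_affected() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.2|1.0.2[a-w])      return 0 ;;  # 1.0.2 through 1.0.2w: affected
        1.0.2*)                return 1 ;;  # 1.0.2x and later: fixed
        1.1.1|1.1.1[a-h])      return 0 ;;  # 1.1.1 through 1.1.1h: affected
        1.1.1*)                return 1 ;;  # 1.1.1i and later: fixed
        1.1.0*|1.0.1*|1.0.0*|0.9*) return 0 ;;  # assumption: out-of-support, never fixed
        *)                     return 1 ;;  # 3.x and later are not affected
    esac
}

# Remediation step 1: refuse a CRL whose signature does not verify against the
# trusted CA certificate. "openssl crl -CAfile" exits non-zero on verify failure.
verify_crl_against_ca() {
    crl=$1
    ca=$2
    openssl crl -in "$crl" -CAfile "$ca" -noout >/dev/null 2>&1
}

# Stand-alone use: report the local OpenSSL build, then (if both files are
# given on the command line) gate a CRL before import.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if cve_2020_1971_affected "$v"; then
        echo "AFFECTED: $v"
    else
        echo "not affected: $v"
    fi
    if [ $# -eq 2 ]; then
        if verify_crl_against_ca "$1" "$2"; then
            echo "CRL $1 verifies against CA $2; safe to import"
        else
            echo "CRL $1 does NOT verify against CA $2; do not import"
        fi
    fi
fi
```

Run it as `sh check.sh crl.pem ca.pem` (assumed file names) on the host that will import the CRL; an unverifiable CRL is the condition in step 1 above.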