Symantec Endpoint Management ITMS 7.5 Heartbleed Vulnerability Statement

Article ID: 159178

Products

Endpoint Encryption Management Platform (Formerly known as Notification Server) Notification Server Agent for Unix/Linux (Altiris)

Issue/Introduction

OpenSSL Heartbleed is a security vulnerability in which an attacker can use a TLS heartbeat packet to read up to 64 KB of memory from the server's buffer. That memory can hold anything the server happened to store there, including unencrypted usernames and passwords.

We have identified one component of the ITMS 7.5 product that is affected by this issue: the Symantec Management Platform Agent for Unix, Linux and Mac 7.5. In addition, depending on the Apache version in use, the Symantec Management Platform Package Server Agent for Linux can also be affected. No other components in the ITMS 7.5 Suite have been identified as having a vulnerability related to this OpenSSL issue.

No issues related to this vulnerability have been identified in the Symantec Endpoint Management 7.0/7.1 suite of products.

Cause

For more information on the OpenSSL heartbeat vulnerability, please visit http://www.heartbleed.com

Resolution

To resolve this issue in ITMS 7.5, the ULM agent component has been updated to the latest version of OpenSSL. The new agent, with download instructions, can be found here. This issue is also resolved in ITMS 7.5 SP1, to which you can upgrade using the Symantec Installation Manager (SIM) component.

Note: When using SSL, the ULM agent must also be configured to accept only trusted certificates from the Notification Server and Site Servers.

Also, when running the Symantec Management Platform Package Server Agent for Linux, verify that the installed Apache version has been updated to avoid any potential issues. The Symantec Package Server Agent for Linux depends wholly on the Apache installation and does not install any OpenSSL components of its own, so affected versions of Apache should be updated independently of the Symantec environment.
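As an added example (not from the Symantec article or its agents), the following POSIX shell script reports which libssl a dynamically linked binary such as the Package Server's Apache httpd is loaded against and whether that OpenSSL release falls in the Heartbleed-affected range. The script name, the httpd path in the usage comment, and the `rpm` changelog hint are assumptions; the affected-release range is the upstream OpenSSL release history.

```shell
#!/bin/sh
# Added example, not part of the Symantec article: classify an OpenSSL version
# string as Heartbleed-affected, then apply that to the libssl a given binary
# (e.g. the Apache httpd used by the Linux Package Server Agent) links against.
# Affected upstream releases: 1.0.1 through 1.0.1f inclusive, and 1.0.2-beta1.
# 1.0.1g and later, the 1.0.0 branch and 0.9.8 never contained the heartbeat bug.

# heartbleed_affected VERSION -> prints "affected" or "not-affected"
heartbleed_affected() {
    case "$1" in
        1.0.1)             echo affected ;;   # the original 1.0.1 release
        1.0.1[abcdef])     echo affected ;;   # 1.0.1a .. 1.0.1f
        1.0.1[abcdef]-*)   echo affected ;;   # vendor suffixes, e.g. 1.0.1e-fips
        1.0.2-beta1)       echo affected ;;
        *)                 echo not-affected ;;
    esac
}

# libssl_version BINARY -> prints the version embedded in the libssl.so that
# BINARY is dynamically linked against (libssl carries a banner string such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013"); returns 1 if no libssl or banner is found.
libssl_version() {
    lib=$(ldd "$1" 2>/dev/null | awk '/libssl/ { print $3; exit }')
    [ -n "$lib" ] || return 1
    v=$(tr -c '[:print:]' '\n' < "$lib" |
        sed -n 's/^OpenSSL \([0-9][^ ]*\) .*/\1/p' | head -n 1)
    if [ -n "$v" ]; then echo "$v"; else return 1; fi
}

# check_binary BINARY -> one report line for the binary
check_binary() {
    v=$(libssl_version "$1") || { echo "$1: no dynamically linked libssl found"; return 0; }
    echo "$1: libssl $v -> $(heartbleed_affected "$v")"
}

# Usage (assumed path): ./heartbleed_check.sh /usr/sbin/httpd [more binaries...]
# Caveat: distribution packages often keep the 1.0.1e banner after backporting
# the fix, so "affected" here means "confirm via the package changelog"
# (e.g. rpm -q --changelog openssl | grep -i heartbeat), not "definitely vulnerable".
# A "not-affected" result for a clean upstream version string is reliable.
for bin in "$@"; do
    check_binary "$bin"
done
```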

Additional Information:

  • For a statement with regards to the ITMS 7.0/7.1 suite of products, see KB: TECH216654

  • For a statement on the Deployment Solution 6.9 product, see KB: TECH216631

  • For a statement on the Ghost Solution Suite product, see KB: TECH216638

  • For a statement on Workspace Streaming & Virtualization products, see KB: TECH216644