OpenSSL Heartbleed is a security vulnerability where an attacker can use a TLS heartbeat packet to reveal up to 64 KB of memory from the server's buffer. This can include anything stored in that section of memory, such as unencrypted usernames and passwords.
We have identified one component of the ITMS 7.5 product that is affected by this issue. That component is the Symantec Management Platform Agent for Unix, Linux and Mac 7.5.
In addition, depending on the Apache version being used, the Symantec Management Platform Package Server Agent for Linux can also be affected by this issue. No other components in the ITMS 7.5 Suite have been identified as having a vulnerability related to this OpenSSL exploit.
No issues related to this exploit have been identified in the Symantec Endpoint Management 7.0/7.1 suite of products.
For more information on the OpenSSL heartbeat vulnerability, please visit http://www.heartbleed.com
To resolve this issue in ITMS 7.5, the ULM agent component has been updated to the latest version of OpenSSL. The new agent download, with instructions, can be found here. This issue is also resolved in ITMS 7.5 SP1, which can be installed as an upgrade using the Symantec Installation Manager (SIM) component.
Note: When using SSL, the ULM agent must also be configured to accept only trusted certificates of Notification Server and Site Servers.
Also, when running the Symantec Management Platform Package Server Agent for Linux, verify that the version of Apache is updated to avoid any potential issues. The Symantec Package Server Agent for Linux is wholly dependent on the Apache installation and does not install any OpenSSL components on its own. Therefore, affected versions of Apache should be updated independently of the Symantec environment.
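As an added example (not Symantec code), the shell functions below classify the OpenSSL version reported by `openssl version` or by an Apache mod_ssl startup/banner string on a Package Server host. The affected range used here comes from the OpenSSL project's advisory rather than from this article, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed upstream ranges (OpenSSL project advisory, not this
# article): 1.0.1 through 1.0.1f and 1.0.2-beta/-beta1 are affected, 1.0.1g
# and later are fixed, 0.9.8 and 1.0.0 never contained the heartbeat code.

# Extract the version token from `openssl version` output
# ("OpenSSL 1.0.1e 11 Feb 2013") or from an Apache string
# ("... mod_ssl/2.2.22 OpenSSL/1.0.1e configured ...").
extract_openssl_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*OpenSSL[ /]\([0-9][0-9A-Za-z.-]*\).*|\1|p'
}

# Classify an upstream version token. Runs in a subshell so the locale
# override (stable [a-f] ranges) does not leak into the caller.
heartbleed_status() (
    LC_ALL=C
    v="${1%-fips}"                      # "1.0.1e-fips" -> "1.0.1e"
    case "$v" in
        1.0.1|1.0.1[a-f]|1.0.2-beta|1.0.2-beta1)   echo affected ;;
        1.0.1[g-z]|1.0.2|1.0.2[a-z]|1.1.*|[3-9].*) echo fixed ;;
        0.9.*|1.0.0*)                              echo not-affected ;;
        *)                                         echo unknown ;;
    esac
)

# Convenience wrapper: raw line in, status out.
check_line() (
    v=$(extract_openssl_version "$1")
    [ -n "$v" ] || { echo unknown; exit 0; }
    heartbleed_status "$v"
)

# Constructed sample lines (not captured from a real host).
for line in \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1g configured -- resuming normal operations" \
    "OpenSSL 0.9.8y 5 Feb 2013"
do
    printf '%-13s %s\n' "$(check_line "$line")" "$line"
done
# Caveat: distribution packages often backport the fix without changing the
# upstream version string, so treat "affected" on a packaged build as a
# prompt to check the vendor's package changelog, not as a final verdict.
```

Check the string Apache itself reports as well as the command-line `openssl` binary, since the two can be built against different OpenSSL libraries.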
Additional Information:
For a statement with regard to the ITMS 7.0/7.1 suite of products, see KB: TECH216654
For a statement on the Deployment Solution 6.9 product, see KB: TECH216631
For a statement on the Ghost Solution Suite product, see KB: TECH216638
For a statement on Workspace Streaming & Virtualization products, see KB: TECH216644