CEM Gateway OpenSSL component upgraded to version 1.0.1u due to discovered vulnerabilities

Article ID: 184236

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

Because of vulnerabilities found in OpenSSL, the CEM Gateway OpenSSL component has been upgraded to version 1.0.1u.

Cause

Known vulnerabilities in OpenSSL versions earlier than 1.0.1u.

https://isc.sans.edu/forums/diary/OpenSSL+Updates/21015/
http://www.zdnet.com/article/two-highly-dangerous-openssl-security-bugs-have-been-patched/
http://www.swingleton.com/blog/2014/04/patching-openssl-on-windows-running-apache-fixing-the-heartbleed-bug/
https://www.openssl.org/news/secadv/20160922.txt

Resolution

These vulnerabilities have been reported to the Symantec Development team.

A fixed version of the gateway that includes the latest OpenSSL version, 1.0.1u, has been created and added to later releases.

These include post-7.6 HF7 releases; see the attached "Gateway_POST_7.6_HF7_v1.zip" file for the actual pointfix.

The 8.0 gateway has the following OpenSSL versions: post 8.0 HF1 (1.0.1t), 8.0 HF4 (1.0.1u).

For changes made in the ULM agent version in SMP 7.5 SP1 HF5 regarding OpenSSL 1.0.1t, please refer to the attached "Pointfix_eTrack3947448_7.5_SP1_HF5_ULM.zip". A ReadMe document is included in the ZIP file.

Note: So far, no requests have been made to add version 1.0.1u to 7.5 SP1 HF5, so only the latest 7.6 and 8.0 versions were upgraded.

REQUIREMENT

SMP 7.6 or higher

HOW TO INSTALL THIS POINTFIX

  1. Extract the files from the archive to the NS hard drive.
  2. Run PFinstaller.EXE as administrator and click the ‘Install’ button.
  3. Deploy the new MSI from \\localhost\NSCap\bin\Win64\X64\SMP Internet Gateway\ to the actual gateway machine.
  4. Double-click SMP_Internet_Gateway.msi and proceed through the installation steps.

CHANGES MADE

  • The OpenSSL component was upgraded

QA PERFORMED

Tested the pointfix on CEM Gateway 7.6 in the following scenarios:

  • Verified vulnerable OpenSSL version
  • Verified point fix installation on NS
  • Verified that the upgraded MSI is installable over a running CEM Gateway
  • Verified that OpenSSL component version changed to 1.0.1t
  • Verified that CEM SMAs' connectivity to NS was not affected
  • Verified that CEM SMAs are able to send basic inventory and receive tasks
  • Verified that CEM SMAs are able to get package delivery via the new Gateway
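
One way to repeat the version checks from the QA list above, as an added example rather than code from Symantec or the pointfix: it scans a library file for the embedded OpenSSL version banner and compares the patch letter against 1.0.1u. The sample bytes are constructed, and the file paths passed on the command line are left to the operator because this article does not name the gateway's library files.

```python
import re
import sys

# Banner that OpenSSL 1.0.x builds embed in the library, e.g. b"OpenSSL 1.0.1u  22 Sep 2016".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})[ -]")
MINIMUM = "1.0.1u"  # fixed version named in this article


def parse_version(text):
    """Split '1.0.1u' into ((1, 0, 1), 21): release branch and patch-letter rank."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})", text)
    if m is None:
        raise ValueError("not an OpenSSL 1.0.x style version: %r" % text)
    # No letter ranks 0, 'a'..'z' rank 1..26, and 'za', 'zb', ... continue at 27.
    rank = sum(ord(c) - ord("a") + 1 for c in m.group(4))
    return tuple(int(m.group(i)) for i in (1, 2, 3)), rank


def meets_minimum(version, minimum=MINIMUM):
    """True if version is at or above minimum on the same release branch."""
    branch, rank = parse_version(version)
    min_branch, min_rank = parse_version(minimum)
    if branch != min_branch:
        # Patch letters only compare within one branch; consult the advisory instead.
        raise ValueError("%s is not on the same branch as %s" % (version, minimum))
    return rank >= min_rank


def find_versions(blob):
    """Return the distinct OpenSSL version strings embedded in a binary blob."""
    return sorted({m.group(1).decode("ascii") for m in BANNER.finditer(blob)})


def audit(blob):
    """Map each embedded version to True (patched) or False (below the minimum)."""
    return {v: meets_minimum(v) for v in find_versions(blob)}


# Constructed sample bytes standing in for a library file before and after the upgrade.
OLD_LIB = b"\x00\x01\x02OpenSSL 1.0.1t  3 May 2016\x00padding"
NEW_LIB = b"\x00\x01\x02OpenSSL 1.0.1u  22 Sep 2016\x00padding"

if __name__ == "__main__":
    for path in sys.argv[1:]:  # operator-supplied paths to the gateway's OpenSSL libraries
        with open(path, "rb") as fh:
            print(path, audit(fh.read()))
```

A result of `False` for any file means that copy of the library still reports a version below 1.0.1u, as the 8.0 HF1 build (1.0.1t) would.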