OpenSSL vulnerability CVE-2014-0224

 

This article addresses the impact of OpenSSL vulnerabilities reported June 5th 2014 on Aspera products.

 

Reference:  OpenSSL advisory:  http://www.openssl.org/news/secadv_20140605.txt

 

Summary:

 CVE-2014-0224    - some products affected (detailed below)

 CVE-2014-0221    - not affected

 CVE-2014-0195    - not affected

 CVE-2014-0198    - not affected


 

Version vulnerabilities for CVE-2014-0224:

 SSL servers vulnerable:  1.0.1 and 1.0.2 beta   -- fixed by OpenSSL 1.0.1h

 SSL clients vulnerable:  0.9.8, 1.0.1, 1.0.2 beta -- if used with a vulnerable server
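
To check an installed OpenSSL build against the version list above, the following added example (not Aspera's or OpenSSL's code) classifies `openssl version` output using only the ranges this article states. The sample inventory is constructed, and the status labels are names chosen for this example.

```python
import re

# Ranges restate this article's "Version vulnerabilities" list only.
# Assumption: input looks like `openssl version` output, e.g. "OpenSSL 1.0.1g 7 Apr 2014".
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")

def letter_rank(letters):
    """Order OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)

def classify(text):
    """Map a version string to the CVE-2014-0224 exposure listed in this article."""
    m = _VERSION.search(text)
    if not m:
        return "unparsed"
    branch = (int(m[1]), int(m[2]), int(m[3]))
    letters, beta = m[4], bool(m[5])
    if branch == (1, 0, 1):
        # 1.0.1h is the fixed release named here; earlier letters are listed
        # as vulnerable in both the server and the client role.
        return "fixed" if letter_rank(letters) >= letter_rank("h") else "server+client"
    if branch == (1, 0, 2) and beta:
        return "server+client"
    if branch == (0, 9, 8):
        # Listed for the client role only (exposed when the peer is a vulnerable
        # server). The article names no fixed 0.9.8 release, so none is cleared.
        return "client-only"
    return "not-listed"

# Constructed sample inventory: host label -> `openssl version` output.
SAMPLE = {
    "transfer-01": "OpenSSL 1.0.1g 7 Apr 2014",
    "transfer-02": "OpenSSL 1.0.1h 5 Jun 2014",
    "web-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "legacy-01": "OpenSSL 0.9.8y 5 Feb 2013",
}

def report(inventory):
    """Classify every host in the inventory."""
    return {host: classify(out) for host, out in inventory.items()}

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host:12} {status}")
```

Distribution packages often backport fixes without changing the version letter, so a flagged system build is a prompt to confirm the OS vendor's patch level rather than a final verdict.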

 

Products affected by CVE-2014-0224

 

Product: Enterprise Server, Connect Server, Point to Point, Client
Version / Coverage: All versions. Server side -- not affected. Client side -- affected when communicating with a vulnerable server (shares, external authorization).
Remediation: Upgrade to ES/CS/P2P/Client version 3.4.6. Available June 19th.
Notes: As a precaution, Aspera upgraded these products to OpenSSL 1.0.1h.
Advisory: Connect Server on Unix uses the system-installed Apache server. We advise customers to apply OS security patches as soon as available.

Product: Sync, Proxy
Version / Coverage: All versions: Not affected.
Remediation: No remediation necessary.

Product: Connect
Version / Coverage: All versions: Not affected.
Remediation: No remediation necessary.

Product: Cargo, Drive
Version / Coverage: All versions. Affected when communicating with a vulnerable server (faspex, shares).
Remediation: Upgrade to Cargo 1.2.1 and Drive 1.0.1. Available July 4th.
Notes: Aspera upgraded these products to OpenSSL 1.0.1h.

Product: Faspex
Version / Coverage: All versions, Linux: Affected when communicating with a vulnerable server and when a vulnerable client communicates with it. All versions, Windows: Affected when communicating with a vulnerable server and when a vulnerable client communicates with it.
Remediation: Upgrade to Faspex 3.7.8 (Linux/Windows) and Common 1.1.17 (Linux only). Available June 30th.
Notes: Ruby and Apache have been rebuilt against OpenSSL 1.0.1h. Upgrade to Faspex 3.7.8 (Linux/Windows) and Common 1.1.17 (Linux only).

Product: Shares
Version / Coverage: All versions, Linux: Affected when communicating with a vulnerable server and when a vulnerable client communicates with it. All versions, Windows: Affected when communicating with a vulnerable server and when a vulnerable client communicates with it.
Remediation: Upgrade to Shares 1.7.6 (Linux/Windows). Available June 30th.
Notes: Ruby and Nginx have been rebuilt against OpenSSL 1.0.1h. Upgrade to Shares 1.7.6 (Linux/Windows).

Product: Console, Orchestrator
Version / Coverage: All versions, Linux: Affected when communicating with a vulnerable server and when a vulnerable client communicates with it. All versions, Windows: Affected when communicating with a vulnerable server and when a vulnerable client communicates with it.
Remediation: Upgrade to Console 2.3.2 (Linux/Windows) and Common 1.2.10 (Linux only). Available June 30th.
Notes: Ruby and Apache have been rebuilt against OpenSSL 1.0.1h. Upgrade to Console 2.3.2 (Linux/Windows) and Common 1.2.10 (Linux only).

Product: Outlook Plugin
Version / Coverage: All versions: Not affected.
Remediation: No remediation necessary.

Product: Multicast
Version / Coverage: All versions: Not affected.
Remediation: No remediation necessary.

Product: Mobile Uploader
Version / Coverage: All versions: Not affected.
Remediation: No remediation necessary.

Product: Mobile iOS Faspex
Version / Coverage: All versions. Affected when communicating with a vulnerable server (faspex).
Remediation: Upgrade to iOS Faspex - version to be announced. Available July 4th.
Notes: Upgraded to OpenSSL 1.0.1h.

Product: Mobile Android Client, Mobile Android Faspex
Version / Coverage: All versions. Potentially affected, based on the installed system OpenSSL version.
Remediation: Customers are advised to upgrade their Android version if affected.

Product: Mobile iOS SDK
Version / Coverage: All versions: Not affected.
Remediation: No remediation necessary.

Product: Mobile Android SDK
Version / Coverage: All versions: Not affected.
Remediation: No remediation necessary.


