09-05-2014 06:07 AM
Virtual Connect (VC) 4.20B / OpenSSL CVE-2014-0224 vulnerability => VC 4.30
Some discussion regarding the OpenSSL security vulnerability from Dennis working with a customer:
************
A customer asked me for advice on whether they should update to VC 4.30.
He received an HP Alert e-mail stating this to be a critical security bulletin (this while the VC download site mentions 4.30 as recommended…)
I was looking for some more detailed info on when this vulnerability regarding VC could occur.
I actually can’t find that much information on this specifically for VC! (nothing in the release notes nor the driver download page!)
The advisory (c04392919) is also not very clear on this.
As I understand, VC is only impacted when the customer uses VC(E)M with exotic browsers that use OpenSSL (which ones are those, or maybe easier, which ones do not use OpenSSL)?
I just would have expected a bit more detailed info on this.
Many thanks in advance.
************
Input from Fred:
*************
Hello Dennis,
VC 4.30 contains the fix for this vulnerability. No version of VC contains the OpenSSL server vulnerability mentioned in the CVE.
Pre-4.30 versions of VC are vulnerable as OpenSSL clients if communicating with a vulnerable OpenSSL server. VCM OpenSSL client sessions to LDAP servers are a negligible risk as Microsoft AD LDAP server is not vulnerable and is the prevalent LDAP server used with VC.
When upgrading to VC 4.30, keep this CA in mind http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04422904 and use VCSU 1.10.1 for the upgrade.
**********
Reply from Dennis:
************
Fred: thanks for your input.
Given Fred’s information I am still not feeling comfortable in deciding whether it is necessary for my customer to upgrade to VC 4.30 or not.
Coming back to the remark of Vincent on the browsers, the customer uses IE 8.0 and Chrome 35.0.1916.153 m.
Not sure these are the only SW/things to look at?… but for those I assume they don’t use OpenSSL?
Can someone confirm this and/or provide any additional information to look for, in deciding on the need for VC 4.30?
Many thanks in advance.
*************
From Vincent:
***************
Dennis,
Fred said "No version of VC contains the OpenSSL server vulnerability mentioned in the CVE". That means when you're connecting to VCM with a Web browser (when VCM acts as an SSL server), you are NOT vulnerable, regardless of whether the browser uses OpenSSL or not (and none of the browsers you mention do; the only somewhat common browser that uses OpenSSL is Chrome on Android devices, but again this is irrelevant here).
It's only when VC acts as an SSL *client*, typically to an LDAP server, that versions < 4.30 are potentially vulnerable, and only if the other end is vulnerable too. So if your customer doesn't use an external directory, or even if they do and that directory is Microsoft AD and not OpenLDAP, they're not exposed either.
Clearer?
************
Reply from Dennis:
************
Vincent / Fred, thanks. That will do it for me.
*************
Comments?
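The decision logic Fred and Vincent lay out above (VC exposed only when its firmware is older than 4.30 AND VCM acts as a TLS client to an OpenSSL-based directory such as OpenLDAP; browser sessions to VCM and Microsoft AD directories are out of scope) can be applied across a fleet. The following is an added example, not code from the thread or from HPE; the inventory records, the `VcDomain` record layout and the treatment of a letter suffix such as "4.20B" as a patch marker on the same release are assumptions made for illustration.

```python
"""Exposure triage for CVE-2014-0224 across HPE Virtual Connect domains.

A domain is exposed only when (a) firmware is older than 4.30, the first
release carrying the client-side fix, and (b) VCM acts as a TLS *client*
to an external LDAP directory whose server side runs a vulnerable OpenSSL
build (e.g. OpenLDAP), because the flaw needs both ends vulnerable.
Browser-to-VCM sessions (VCM as server) are not affected.
"""
import re
from dataclasses import dataclass
from typing import Optional

FIXED_VERSION = (4, 30)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)([A-Za-z]?)$")


def parse_vc_version(text):
    """'4.20B' -> (4, 20, 'B'). Assumption: the letter is a patch marker on
    the same numeric release, so it does not affect the < 4.30 comparison."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised VC version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), m.group(3).upper())


def is_client_fixed(version):
    return parse_vc_version(version)[:2] >= FIXED_VERSION


@dataclass
class VcDomain:               # assumed inventory record layout
    name: str
    firmware: str
    ldap_server: Optional[str]  # None when no external directory is configured


def assess(domain):
    """Return 'not_exposed', 'exposed' or 'verify_directory'."""
    if is_client_fixed(domain.firmware):
        return "not_exposed"       # 4.30+ carries the client-side fix
    if domain.ldap_server is None:
        return "not_exposed"       # VCM never acts as a TLS client
    kind = domain.ldap_server.lower()
    if "active directory" in kind or kind in ("ad", "microsoft ad"):
        return "not_exposed"       # AD LDAP is not an OpenSSL server
    if "openldap" in kind:
        return "exposed"           # OpenSSL-based directory: both ends may be vulnerable
    return "verify_directory"      # unknown stack: confirm which TLS library it uses


INVENTORY = [  # constructed sample data, not from the thread
    VcDomain("enc-01", "4.20B", "Microsoft AD"),
    VcDomain("enc-02", "4.20B", "OpenLDAP 2.4"),
    VcDomain("enc-03", "4.30", "OpenLDAP 2.4"),
    VcDomain("enc-04", "4.10", None),
    VcDomain("enc-05", "4.01", "389 Directory Server"),
]


def triage(inventory=INVENTORY):
    return {d.name: assess(d) for d in inventory}
```

Only domains reported as "exposed" need the 4.30 upgrade on security grounds; "verify_directory" results need the directory server's TLS stack confirmed before deciding.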
- Tags:
- OpenSSL