
Virtual Connect (VC) 4.20B / OpenSSL CVE-2014-0224 vulnerability => VC 4.30

chuckk281
Trusted Contributor
Some discussion regarding the OpenSSL security vulnerability from Dennis working with a customer:

************

A customer asked me for advice on whether they should update to VC 4.30.

He received an HP Alert e-mail stating this to be a critical security bulletin (this while the VC download site mentions 4.30 as recommended …)

I was looking for some more detailed info on when this vulnerability regarding VC could occur.

I actually can't find that much information on this specifically for VC! (nothing in the release notes nor the driver download page!)

The advisory (c04392919) is also not very clear on this.

As I understand, VC is only impacted when the customer uses VC(E)M using exotic browsers that use OpenSSL (which ones are those, OR maybe easier, which ones do not use OpenSSL)?

I just would have expected a bit more detailed info on this.

Many thanks in advance.

************

Input from Fred:

*************

Hello Dennis,

VC 4.30 contains the fix for this vulnerability. No version of VC contains the OpenSSL server vulnerability mentioned in the CVE.

Pre-4.30 versions of VC are vulnerable as OpenSSL clients if communicating with a vulnerable OpenSSL server. VCM OpenSSL client sessions to LDAP servers are a negligible risk as the Microsoft AD LDAP server is not vulnerable and is the prevalent LDAP server used with VC.

When upgrading to VC 4.30, keep this CA in mind http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04422904 and use VCSU 1.10.1 for the upgrade.

**********

Reply from Dennis:

************

Fred: thanks for your input.

Given Fred's information I am still not feeling comfortable in deciding whether it is necessary for my customer to upgrade to VC 4.30 or not.

Coming back to the remark of Vincent on the browsers, the customer uses IE 8.0 and Chrome 35.0.1916.153 m.

Not sure these are the only SW/things to look at? ….. but for those I assume they don't use OpenSSL?

Can someone confirm this and/or provide any additional information to look for, in deciding on the need for VC 4.30?

Many thanks in advance.

*************

From Vincent:

***************

Dennis,

Fred said "No version of VC contains the OpenSSL server vulnerability mentioned in the CVE". That means when you're connecting to VCM with a Web browser (when VCM acts as an SSL server), you are NOT vulnerable, regardless of whether the browser uses OpenSSL or not (and none of the browsers you mention do; the only somewhat common browser that uses OpenSSL is Chrome on Android devices, but again this is irrelevant here).

It's only when VC acts as SSL *client*, typically to an LDAP server, that versions < 4.30 are potentially vulnerable if the other end is vulnerable too. So if your customer doesn't use an external directory, or even if they do and that directory is Microsoft AD and not OpenLDAP, they're not exposed either.

Clearer?

************

Reply from Dennis:

************

Vincent / Fred, thanks. That will do it for me.

*************

Comments?
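Vincent's point above (VC is exposed only as the TLS client, and only when the server end is a vulnerable OpenSSL) rests on how CVE-2014-0224 works: a man-in-the-middle injects a ChangeCipherSpec record before the key exchange has completed, and a vulnerable OpenSSL peer accepts it. As an added example, not from this thread or from HP, here is a small Python check that flags that early ChangeCipherSpec in one direction of a captured TLS record stream, so a defender can review a capture of the VCM-to-LDAP session; the sample streams are constructed, and the record-layer constants come from RFC 5246.

```python
import struct

# TLS record-layer constants (RFC 5246).
CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22
CLIENT_KEY_EXCHANGE = 16  # handshake message type
SERVER_HELLO_DONE = 14    # handshake message type
# Last key-exchange message each side sends before its ChangeCipherSpec is legitimate.
KEY_EXCHANGE_DONE = {"client": CLIENT_KEY_EXCHANGE, "server": SERVER_HELLO_DONE}


def parse_records(stream: bytes):
    """Yield (content_type, payload) for every TLS record in one direction of a stream."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, _version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        yield ctype, payload
        offset += 5 + length

def handshake_types(payload: bytes):
    """Yield the message types packed into one plaintext handshake record."""
    offset = 0
    while offset + 4 <= len(payload):
        yield payload[offset]
        offset += 4 + int.from_bytes(payload[offset + 1:offset + 4], "big")

def early_ccs(stream: bytes, direction: str) -> bool:
    """True if this side sent ChangeCipherSpec before completing its key exchange,
    the record-order anomaly that a CVE-2014-0224 man-in-the-middle produces."""
    seen = set()
    for ctype, payload in parse_records(stream):
        if ctype == HANDSHAKE:
            seen.update(handshake_types(payload))
        elif ctype == CHANGE_CIPHER_SPEC:
            return KEY_EXCHANGE_DONE[direction] not in seen
    return False

def hs_record(msg_type: int, body: bytes = b"") -> bytes:
    """Build one TLS 1.2 record holding one handshake message (sample-data helper)."""
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(msg)) + msg

# Constructed client->server streams (not captures): a normal handshake, and one with
# a ChangeCipherSpec injected right after ClientHello, before ClientKeyExchange.
CLIENT_HELLO = hs_record(1, b"\x03\x03" + b"\x00" * 32)
KEY_EXCHANGE = hs_record(CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb")
CCS = struct.pack("!BHH", CHANGE_CIPHER_SPEC, 0x0303, 1) + b"\x01"
NORMAL_CLIENT = CLIENT_HELLO + KEY_EXCHANGE + CCS
INJECTED_CLIENT = CLIENT_HELLO + CCS + KEY_EXCHANGE
```

Only records before the first ChangeCipherSpec are parsed as handshake messages, since everything after it is encrypted; a hit in the VCM-to-LDAP direction means the peer was fed an early CCS, which only matters while VC is below 4.30.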