Riverbed products affected by OpenSSL CVE-2014-0160 (Heartbleed Vulnerability)

Categories: Product, Security
Solution Number: S23635

Issue

The OpenSSL project has issued a CVE with regards to memory-contents leakage in the TLS heartbeat extension. CVE-2014-0160, also known as the heartbleed vulnerability, affects products using the OpenSSL library versions 1.0.1 and 1.0.2.

For more information, please see http://heartbleed.com/.

For a possible method to detect a heartbleed exploit, please see Riverbed's blog post How to Detect a Prior Heartbleed Exploit.

Solution

Riverbed is actively working on identifying and resolving this OpenSSL CVE across all vulnerable products. As each product is updated, tested, and released, we will update this knowledge base article. Check back periodically to learn when updates to the products you use become available.

Steelhead products:

The included web server for the HTTPS management interface in the following Riverbed products is affected by this CVE. No other versions are affected.

  • Steelhead appliance and Steelhead virtual appliance: running versions RiOS 8.5.0 through RiOS 8.5.2b and RiOS 8.5.2-dx.
    • RiOS 8.5.2c and RiOS 8.6.0 eliminate this vulnerability and are now available. Please refer to Solution S23732 for information on steps to take after upgrading to this release (or later).
  • Steelhead appliance: running versions EX 3.0.0 through EX 3.1.1.
    • Steelhead EX 3.1.2 and Steelhead EX 3.5.0 eliminate this vulnerability and are now available. Please refer to Solution S23732 for information on steps to take after upgrading to this release (or later).
  • Cloud Steelhead appliance: running versions RiOS 8.5.0 through RiOS 8.5.2b.
    • RiOS 8.5.2c and RiOS 8.6.0 eliminate this vulnerability and are now available. Please refer to Solution S23732 for information on steps to take after upgrading to this release (or later).
  • Central Management Console (CMC) appliance: running versions 8.5.0 through 8.5.0b.
    • CMC 8.5.0c eliminates this vulnerability and is now available. Please refer to Solution S23744 for information on steps to take after upgrading to this release (or later).

Important note: the Steelhead optimization services for SSL-encrypted traffic are also impacted by this vulnerability for the versions noted above.

If you are unable to upgrade and follow the mitigation steps above at this time, you can take precautionary steps to mitigate the vulnerability:

  • Use SSH rather than HTTPS on the management interface (if your management interface is not Internet-accessible, you may consider skipping this recommendation).
  • Disable optimization of SSL applications for the Steelhead products above.

Confirmed not affected (all versions):

  • Interceptor
  • Steelhead Mobile Controller/Steelhead Mobile
  • Steelhead Cloud Accelerator: As long as the on-premise Steelheads being used for SCA optimization are not running an affected RiOS version, there is no issue with SCA due to OpenSSL heartbleed.

RPM products (Cascade & OPNET):

The included web server for the HTTPS management interface and access to the REST API in the following Riverbed products are affected by this CVE. No other versions are affected.

  • Cascade Enterprise Profiler: running versions 9.6.0 and later.
  • Cascade Profiler appliance and Virtual Edition: running versions 9.6.0 and later.
  • Cascade Profiler Express: running versions 9.6.0 and later.
  • Cascade Profiler Express460 appliance and Virtual Edition: running versions 9.6.0 and later.
  • Cascade Profiler Gateway appliance and Virtual Edition: running versions 9.6.0 and later.
  • Cascade Sensor appliance and Virtual Edition: running versions 9.6.0 and later.
  • Cascade Shark appliance and Virtual Edition: running versions 9.6.0 and later.

In addition, the following functionality is also affected by this vulnerability for the affected versions above:

  • Communication between Enterprise Profiler components.
  • Communication between Profiler and any Profiler Gateway or Shark.
  • Communication between Pilot and Shark.

Riverbed has released versions 10.6.1 and 10.0.8 with the mitigation for this issue for all of the Cascade products above. Please refer to Solution S23735 for information on steps to take after upgrading to 10.6.1 (or later).

  • AppResponse Xpert: Although AppResponse 8.6.8 will not appear to be vulnerable in a standard Heartbleed attack or vulnerability scan, a more sophisticated and non-standard attack could execute a Heartbleed exploit against AppResponse 8.6.8. No other versions are affected.
    • This specifically affects only the High Speed Capture functionality used for packet file downloads via AppTransaction Xpert.
    • Patch patchAV-a210-R868-openssl-001 addresses this, and this patch is now available via the AppResponse "Update Center" in the Java UI.
    • If you do not have direct access to the Internet, the patch can also be downloaded via the following URL and then manually installed:
  • AppResponse Xpert Browser Metrix (SaaS Edition): Data collection capabilities were vulnerable to this issue until the service was patched on 9-April-2014 at approximately 02:00AM PDT (09:00 UTC).

Confirmed not affected (all versions):

  • Cascade Pilot
  • AppInternals Xpert
  • AppMapper Xpert
  • AppSensor Xpert
  • AppSQL Xpert
  • AppTransaction Xpert
  • AppResponse Xpert Browser Metrix (on-premise)
  • Dashboards
  • Guru
  • License Server
  • Modeler
  • nCompass
  • NetMapper
  • OAS
  • Packet Trace Warehouse
  • Report Server
  • Sentinel
  • Trace Transaction Warehouse
  • Transaction Trace Analyzer
  • Unified Communications Xpert
  • VNE Server

Granite products:

The included web server for the HTTPS management interface in the following Riverbed products is affected by this CVE. No other versions are affected.

  • Granite Core: running 2.6.0 and 2.6.0a.
  • Virtual Granite Core: running 2.6.0 and 2.6.0a.

Granite 2.6.0b and Granite 3.0.0 eliminate this vulnerability and are now available. Please refer to Solution S23959 for information on steps to take after upgrading to this release (or later).

Whitewater products:

Whitewater versions 3.1.0 through 3.1.1:

  • The included web server for the HTTPS management interface is affected by this CVE.
  • Cloud HTTPS connections are affected if the cloud provider has the vulnerability. At this time, customers should check with their cloud providers on their response to this vulnerability.

No other versions are affected.

Whitewater 3.1.1a eliminates this vulnerability and is now available. Please refer to Solution S23750 for information on steps to take after upgrading to this release (or later).

If you are unable to upgrade and follow the mitigation steps above at this time, you can take precautionary steps to mitigate the vulnerability:

  • Use SSH rather than HTTPS on the management interface (if your management interface is not Internet-accessible, then you may consider skipping this recommendation).

Riverbed websites:

  • The Riverbed Support site (support.riverbed.com) was not affected by the OpenSSL heartbeat vulnerability.
  • The Riverbed site (www.riverbed.com) does not utilize HTTPS and was not vulnerable to this issue. It did, however, have an affected version of OpenSSL. It was upgraded to OpenSSL 1.0.1g on 8-April-2014 at 12:00pm PDT (7:00pm UTC), mitigating future exposure.
  • The Riverbed Cloud Portal (cloudportal.riverbed.com): customer logins were not affected by this vulnerability.

Riverbed Open Source:

FlyScript Portal:

If the FlyScript Portal was installed using the project "flyscript-vm-config" on GitHub:

  • Run "sudo openssl version -a" to determine if the underlying operating system (Linux Ubuntu build "precise32") is affected.
  • Run "sudo apt-get upgrade" to retrieve an updated package that is not affected.
  • Base version showing affected:

      vagrant@precise32:~$ sudo openssl version -a
      OpenSSL 1.0.1 14 Mar 2012
      built on: Tue Aug 21 02:13:21 UTC 2012
      platform: debian-i386

  • Patched version, post "sudo apt-get upgrade" (note that the version string is unchanged; only the "built on" date shows that the patched Ubuntu package is installed):

      vagrant@precise32:~$ sudo openssl version -a
      OpenSSL 1.0.1 14 Mar 2012
      built on: Mon Apr  7 20:31:55 UTC 2014
      platform: debian-i386

If the FlyScript Portal was installed manually, customers should check the system on which the software is installed to see if it is affected.
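As an added check (not part of the original Riverbed article), the following POSIX shell function applies the build-date reasoning above, together with the 1.0.1 through 1.0.1f version range stated in the Xirrus section, to captured "openssl version -a" output. The two sample outputs are constructed copies of the ones shown above; the function name and result labels are this example's own.

```shell
#!/bin/sh
# Constructed samples mirroring the two outputs shown in the article.
AFFECTED_SAMPLE='OpenSSL 1.0.1 14 Mar 2012
built on: Tue Aug 21 02:13:21 UTC 2012
platform: debian-i386'
PATCHED_SAMPLE='OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:31:55 UTC 2014
platform: debian-i386'

# Three-letter month name -> two-digit number (00 if unrecognised).
month_num() {
  case "$1" in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *)   echo 00;;
  esac
}

# Classify the text of `openssl version -a`. Prints one of:
#   not-vulnerable-version  version string outside 1.0.1 .. 1.0.1f
#   affected                1.0.1..1.0.1f built before the 2014-04-07 fix
#   possibly-patched        1.0.1..1.0.1f built on/after 2014-04-07, i.e. a
#                           distro backport like Ubuntu's; confirm via the
#                           package changelog, the build date alone is a hint
#   unknown-build-date      vulnerable version string but no "built on:" line
# 1.0.2 beta strings (called out at the top of the article) fall outside the
# range checked here and need manual review.
heartbleed_status() {
  out="$1"
  ver=$(printf '%s\n' "$out" | awk 'NR==1 && $1=="OpenSSL" {print $2}')
  case "$ver" in
    1.0.1|1.0.1[a-f]) ;;   # vulnerable range stated in the Xirrus FAQ
    *) echo not-vulnerable-version; return 0;;
  esac
  # "built on: Mon Apr  7 20:31:55 UTC 2014" -> "Apr 7 2014"
  built=$(printf '%s\n' "$out" | awk '/^built on:/ {print $4, $5, $NF; exit}')
  [ -n "$built" ] || { echo unknown-build-date; return 0; }
  set -- $built                      # $1=month $2=day $3=year
  build_date="$3$(month_num "$1")$(printf '%02d' "$2")"
  if [ "$build_date" -ge 20140407 ]; then
    echo possibly-patched
  else
    echo affected
  fi
}

# Live host usage: heartbleed_status "$(openssl version -a 2>/dev/null)"
```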

Confirmed not affected (all versions):

All other projects at https://github.com/riverbed.

Xirrus WiFi

Background
The Heartbleed Bug CVE-2014-0160 is a serious vulnerability that could lead to malicious hackers spying on what were thought to be secure Internet communications. A programming bug in the widely used OpenSSL software library could allow information normally protected by SSL/TLS encryption to be stolen.

The type of information that could be stolen includes email addresses, passwords, and private communications – data that normally one would expect to be transmitted down the equivalent of a “secure line.”  

What must be done to clients (laptops, tablets, phones, etc.) to remediate this issue?
Nothing – the Heartbleed Bug is a server side vulnerability.

What server side actions can be done to remediate this issue?
Web servers using OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable. OpenSSL 1.0.1g, the OpenSSL 1.0.0 branch and the OpenSSL 0.9.8 branch are NOT vulnerable.

How are public-facing Xirrus products with embedded web servers affected?

  • Xirrus Next Gen XMS-Cloud (https://xcs.cloud.xirrus.com): not affected
  • Xirrus XMS-Cloud (https://cloud.xirrus.com): not affected
  • Xirrus Wi-Fi Designer-Cloud (https://wfd.cloud.xirrus.com): not affected
  • Xirrus Support Portal (https://na3.salesforce.com): not affected
  • Xirrus Partner Portal (https://xan.xirrus.com): not affected

How are private-facing Xirrus products with embedded web servers affected?

  • AOS 6.7.4 on XR-6x0 Access Points: not affected
  • AOS 6.6.5 on XR-5x0 AP, XR-1K/2K/4K/6K/7K Arrays: not affected
  • AOS 6.4.4 on XN series Arrays: not affected
  • Other AOS releases prior to those above: not affected
  • XMS-Enterprise 6.7.0 for use on VMware, Hyper-V, Windows: affected

Note that XMS-Enterprise 7.0, with anticipated delivery on June 1, 2014, will close the Heartbleed vulnerability in XMS for use on VMware, Hyper-V, and Windows.

The risk posed by the Heartbleed vulnerability on XMS-Enterprise until the 7.0 release is extremely low for the following reasons:
  1. XMS-Enterprise deployments are always deployed behind an organization's firewall, so external individuals with malicious intent cannot compromise XMS-Enterprise unless the firewall is breached.
  2. XMS-Enterprise stores no personal confidential data aside from the password to the XMS-Enterprise itself. No social security numbers, no bank information, and no confidential information of any other sort is used by XMS-Enterprise.

Xirrus holds the security of our customers in the highest regard. Should you have any other questions or concerns about the Heartbleed OpenSSL vulnerability, please contact Xirrus Support at support@xirrus.com or via telephone at one of the following numbers:
United States and Canada +1.800.947.7871 (US Toll Free) or
+1.805.262.1600 (Direct)
Europe, Middle East, and Africa +44.20.3239.8644
Australia 1.300.947.787 (Within Australia)
Asia and Oceania +61.2.8006.0622
Latin, Central, and South America +1.805.262.1600
Last Modified: 2017-12-04