Riverbed products affected by OpenSSL CVE-2014-0160 (Heartbleed Vulnerability)

The OpenSSL project has issued a CVE with regards to memory-contents leakage in the TLS heartbeat extension. CVE-2014-0160, also known as the heartbleed vulnerability, affects products using the OpenSSL library versions 1.0.1 and 1.0.2.

For more information, please see http://heartbleed.com/.

For a possible method to detect a heartbleed exploit, please see Riverbed's blog post How to Detect a Prior Heartbleed Exploit.

Please note: To receive real-time updates on this article, please click the Subscribe icon in the upper right corner of this article. Updates will be emailed to you as they are published. For additional information on how to subscribe, see S22384.

Riverbed is actively working on identifying and resolving this OpenSSL CVE across all vulnerable products. As each product is updated, tested, and released, we will update this knowledge base article. Check back periodically to learn when updates to the products you use become available.

Steelhead | RPM | Granite | Whitewater | Web | Riverbed Open Source | Xirrus WiFi

Steelhead products:

The included web server for the HTTPS management interface in the following Riverbed products is affected by this CVE. No other versions are affected.

• Steelhead appliance and Steelhead virtual appliance: running versions RiOS 8.5.0 through RiOS 8.5.2b and RiOS 8.5.2-dx.  
  • RiOS 8.5.2c and RiOS 8.6.0 eliminate this vulnerability and are now available. Please refer to Solution S23732 for information on steps to take after upgrading to this release (or later).
• Steelhead appliance: running versions EX 3.0.0 through EX 3.1.1. 
  • Steelhead EX 3.1.2 And Steelhead EX 3.5.0 eliminate this vulnerability and is now available. Please refer to Solution S23732 for information on steps to take after upgrading to this release (or later).
• Cloud Steelhead appliance: running versions RiOS 8.5.0 through RiOS 8.5.2b. 
  • RiOS 8.5.2c and RiOS 8.6.0 eliminate this vulnerability and are now available. Please refer to Solution S23732 for information on steps to take after upgrading to this release (or later).
• Central Management Console (CMC) appliance: running versions 8.5.0 through 8.5.0b.
  • CMC 8.5.0c eliminates this vulnerability and is now available. Please refer to Solution S23744 for information on steps to take after upgrading to this release (or later).

Important note: the Steelhead optimization services for SSL encrypted traffic are also impacted by this vulnerability for the noted versions above. 

If you are unable to upgrade and follow the mitigation steps above at this time, you can take precautionary steps to mitigate the vulnerability:

• Use SSH rather than HTTPS on the management interface (if your management interface is not Internet-accessible, then you may consider skipping this recommendation). 
• Disable optimization of SSL applications for the Steelhead products above.

Confirmed not affected (all versions):

• Interceptor
• Steelhead Mobile Controller/Steelhead Mobile
• Steelhead Cloud Accelerator: As long as the on-premise Steelheads being used for SCA optimization are not running an affected RiOS version, there is no issue with SCA due to OpenSSL heartbleed.

Back to top

RPM products (Cascade & OPNET):

The included web server for the HTTPS management interface and access to the REST API in the following Riverbed products are affected by this CVE. No other versions are affected.

• Cascade Enterprise Profiler: running versions 9.6.0 and later.
   
• Cascade Profiler appliance and Virtual Edition: running versions 9.6.0 and later.
   
• Cascade Profiler Express: running versions 9.6.0 and later.
   
• Cascade Profiler Express460 appliance and Virtual Edition: running versions 9.6.0 and later.
   
• Cascade Profiler Gateway appliance and Virtual Edition: running versions 9.6.0 and later.
   
• Cascade Sensor appliance and Virtual Edition: running versions 9.6.0 and later.
   
• Cascade Shark appliance and Virtual Edition: running versions 9.6.0 and later.

In addition, the following functionality is also affected by this vulnerability for the affected versions above:

• Communication between Enterprise Profiler components.
   
• Communication between Profiler and any Profiler Gateway or Shark.
   
• Communication between Pilot and Shark.

Riverbed has released versions 10.6.1 and 10.0.8 with the mitigation for this issue for all of the Cascade products above. Please refer to Solution S23735 for information on steps to take after upgrading to 10.6.1 (or later).

• AppResponse Xpert: Although AppResponse 8.6.8 will not appear to be vulnerable in a standard Heartbleed attack or vulnerability scan, a more sophisticated and non-standard attack could execute a Heartbleed exploit against AppResponse 8.6.8. No other versions are affected. 
  • This specifically affects only High Speed Capture functionality used for packet file downloads via AppTransaction Xpert.
  • Patch patchAV-a210-R868-openssl-001 addresses this, and this patch is now available via the AppResponse "Update Center" in the Java UI.
  • If you do not have direct access to the Internet, the patch can also be downloaded via the following URL and then manually installed:
        http://support.opnet.com/ace_live/insights/support/patches/8.6.2/patchAV-a210-R868-openssl-001.zip

Back to top

Granite products:

The included web server for the HTTPS management interface in the following Riverbed products is affected by this CVE. No other versions are affected.

• Granite Core: running 2.6.0 and 2.6.0a.
   
• Virtual Granite Core: running 2.6.0 and 2.6.0a.

Granite 2.6.0b and Granite 3.0.0 eliminate this vulnerability and are now available. Please refer to Solution S23959 for information on steps to take after upgrading to this release (or later).

Back to top

Whitewater products:

Whitewater versions 3.1.0 through 3.1.1:

• The included web server for the HTTPS management interface is affected by this CVE.
• Cloud HTTPS connections are affected if the cloud provider has the vulnerability. At this time customers should check with the cloud providers on their response to this vulnerability. 

No other versions are affected.

Whitewater 3.1.1a eliminates this vulnerability and is now available. Please refer to Solution S23750 for information on steps to take after upgrading to this release (or later).

If you are unable to upgrade and follow the mitigation steps above at this time, you can take precautionary steps to mitigate the vulnerability:

• Use SSH rather than HTTPS on the management interface (if your management interface is not Internet-accessible, then you may consider skipping this recommendation).

Back to top

Riverbed websites:

• The Riverbed Support site (support.riverbed.com) was not affected by the OpenSSL heartbeat vulnerability.
   
• The Riverbed site (www.riverbed.com) does not utilize https and was not vulnerable to this issue. It did however, have an affected version of OpenSSL. It was upgraded to Open SSL 1.0.1g version on 8-April-2014 at 12:00pm PDT (7:00pm UTC) mitigating future exposure.
   
• The Riverbed Cloud Portal (cloudportal.riverbed.com) - customer logins were not affected by this vulnerability.

Back to top

Riverbed Open Source:

Flyscript Portal: 

If the FlyScript Portal was installed using the project "flyscript-vm-config" on github:

• Run "sudo openssl version -a" to determine if the underlying operating system (Linux Ubuntu build "precise32") is affected.
• Run "sudo apt-get upgrade" to retrieve an updated package that is not affected.
• Base version showing affected:

• Patched version, post "sudo apt-get upgrade":

Confirmed not affected (all versions):

All other projects at https://github.com/riverbed.

Back to top

Xirrus WiFi

Background
The Heartbleed Bug CVE‐2014-0160 is a serious vulnerability that could lead to malicious hackers spying on what were thought to be secure Internet communications. A programming bug in the widely used OpenSSL software library could allow information normally protected by SSL/TLS encryption to be stolen.

The type of information that could be stolen includes email addresses, passwords, and private communications – data that normally one would expect to be transmitted down the equivalent of a “secure line.”  

What must be done to clients (laptops, tablets, phones, etc.) to remediate this issue?
Nothing – the Heartbleed Bug is a server side vulnerability.

What server side actions can be done to remediate this issue?
Web servers using OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable. OpenSSL 1.0.1g, the OpenSSL 1.0.0 branch and the OpenSSL 0.9.8 branch are NOT vulnerable.

How are public-facing Xirrus products with embedded web servers affected?

1. XMS-­Enterprise deployments are always deployed behind an organization’s firewall – so external individuals with malicious intent cannot compromise XMS-­Enterprise unless the firewall is breeched.
2. XMS-­Enterprise stores no personal confidential data aside from the password to the XMS-­Enterprise itself.  No social security numbers, no bank information, and no confidential information of any other sort is used by XMS-­Enterprise.