Dear Live Assist Customers and Partners:
Live Assist software does not incorporate a version of the OpenSSL package affected by the Heartbleed vulnerability.
Issue Description:
The OpenSSL Heartbleed vulnerability is identified by CVE ID CVE-2014-0160 (https://cve.mitre.org/cgi-
OpenSSL versions 1.0.1 through 1.0.1f contain the issue. OpenSSL has confirmed the vulnerability and released a fix, which now has to be deployed (https://www.openssl.org/news/
"The vulnerability is due to a missing bounds check in the handling of the TLS heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or DTLS client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. The attacker could then send a specially-crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords."
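The bounds check the quoted description refers to, shown as an added example that is not CafeX's or OpenSSL's code: a minimal RFC 6520 heartbeat handler that discards a request whose declared payload length exceeds the bytes actually received. The record layout and the 16-byte minimum padding follow RFC 6520; the sample records and the fixed padding byte are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not CafeX or OpenSSL code): a TLS heartbeat (RFC 6520)
 * handler with the bounds check the OpenSSL fix introduced. Record layout:
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Writes a heartbeat_response echoing the request payload into 'out'.
 * Returns the response length, or -1 if the request must be discarded. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    /* Minimum record: type + length field + empty payload + 16 bytes padding. */
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;

    uint8_t type = rec[0];
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* peer-declared length */
    if (type != HB_REQUEST)
        return -1;

    /* The check that was missing: the declared payload length must fit inside
     * the bytes actually received, otherwise the echo would copy adjacent
     * heap memory into the response. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);            /* echo only bytes we received */
    memset(out + 3 + payload, 0xAA, HB_PADDING);  /* stand-in padding; real code
                                                     must use random bytes */
    return (int)resp_len;
}

/* Constructed sample records: a well-formed 3-byte request, and the same 22
 * wire bytes with the header claiming a 65535-byte payload. */
static const uint8_t hb_ok[22]  = { 1, 0x00, 0x03, 'a','b','c',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
static const uint8_t hb_bad[22] = { 1, 0xFF, 0xFF, 'a','b','c',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
```

The unpatched code performed only the second half of this logic (read the declared length, then copy that many bytes), which is why a 22-byte record could return up to 64 KB of process memory.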
CafeX Software, Server and Solution components:
CafeX software (Mobile Advisor) includes a version of OpenSSL. This version of OpenSSL does not contain the Heartbleed vulnerability. As such, Fusion Application Server (FAS) and the applications residing upon it (Web Gateway, Palettes, Live Assist) are not subject to the issue. Media Broker does not use OpenSSL to encrypt server control communications to and from the Web Gateway.
The JBoss repository containing the OpenSSL library that Live Assist ships as part of Fusion Application Server was updated in Feb 2012. The declared version predates the introduction of the vulnerability. For more specific detail, you may refer to the Red Hat advisory (https://access.redhat.com/site/announcements/781953).
Fusion Client SDK for iOS & Android
The CafeX client libraries ship with a version of OpenSSL that is affected by the Heartbleed bug. However, our use of the OpenSSL library on these platforms is limited to internal functions; it is not used to make or receive SSL connections. For SSL connections, the underlying native encryption libraries are used.
iOS does not use OpenSSL and therefore iOS clients are not subject to the Heartbleed vulnerability. Android 4.1 onwards includes OpenSSL. All versions except 4.1.1 have SSL heartbeats disabled. As such, Android 4.1.1 is affected by the Heartbleed bug (about 10% of Android devices) while other versions are not. (See the Google blog post http://googleonlinesecurity.blogspot.co.uk/2014/04/google-services-updated-to-address.html)
Browser WebRTC clients
Neither Google Chrome nor Mozilla Firefox is affected by the Heartbleed bug, per their advisories: http://
Reverse Proxies used in Live Assist architectures:
A reverse proxy is deployed with, and required by, Live Assist's Web Gateway or Palettes Server, so it may also contribute to risk. F5 BIG-IP does not use OpenSSL and is therefore not affected by the Heartbleed bug. Open source reverse proxy implementations such as Apache HTTPD or Nginx depend on OpenSSL, and OpenSSL versions 1.0.1 through 1.0.1f are affected. Installs built in the last two years are likely to include an affected version of OpenSSL and should be patched. Nginx provides a useful guide: http://nginx.com/blog/nginx-
Cisco Systems response:
In addition, Cisco maintains a Cisco Event Response Page with details and network mitigations for the vulnerability (http://tools.cisco.com/
If you require further information please contact Customer Support.