Product Security

FSC-2014-6: Notice on Multiple OpenSSL Vulnerabilities

 

Brief Description

OpenSSL has released new updates for versions 0.9.8, 1.0.0 and 1.0.1 which fix 7 vulnerabilities. No known public exploits were found in the wild and no certificate change is required. A detailed explanation of the vulnerabilities can be found in the announcement.

Announcement: https://www.openssl.org/news/secadv_20140605.txt

 

Products

Risk Level: See table under More Information (Low/Medium/High/Critical)

Corporate Products

  • F-Secure Server Security / Email Server Security 10.00 – 11.00
  • F-Secure PSB Server Security / Email Server Security 9.20 – 10.00
  • F-Secure Messaging Security Gateway 7.1 – 7.5
  • F-Secure Protection Service for Email 7.1 – 7.5


Consumer Products

  • F-Secure Key for Windows and Mac OS X
  • F-Secure Search
  • Safe Profile
  • F-Secure Freedome for Android

 

Platforms

Risk Level: See table under More Information (Low/Medium/High/Critical)

  • Safe Avenue

  

More Information

This advisory will be updated as more information becomes available.

Note: Products and platforms not listed in this advisory are NOT affected by any of the vulnerabilities mentioned in the OpenSSL announcement.

 

User Interaction Required

The following products / platforms are affected by one or more of the listed vulnerabilities and require user interaction.

| Product/Platform | CVE | Risk level | Remarks |
|---|---|---|---|
| F-Secure Server Security | CVE-2014-0224, CVE-2014-0195, CVE-2014-3470 | Low | Download and apply the corresponding hotfix. See "Fix Available" section. |
| F-Secure Email Server Security | CVE-2014-0224, CVE-2014-0195, CVE-2014-3470 | Low | Download and apply the corresponding hotfix. See "Fix Available" section. |
| F-Secure PSB Server Security | CVE-2014-0224, CVE-2014-0195, CVE-2014-3470 | Low | Multifix has been deployed and made available. Version 10.00 - PSBESS1000_MF02; Version 9.20 - PSBESS920_MF03 |
| F-Secure PSB Email Server Security | CVE-2014-0224, CVE-2014-0195, CVE-2014-3470 | Low | Multifix has been deployed and made available. Version 10.00 - PSBESS1000_MF02; Version 9.20 - PSBESS920_MF03 |
| F-Secure Messaging Security Gateway | - | Low | Verify that the patch has been installed on the device. MSG Version 7.1 - Patch 1923; MSG Version 7.2 - Patch 1924; MSG Version 7.5 - Patch 1925 |
| F-Secure Protection Service for Email | - | Low | Verify that the patch has been installed on the device. MSG Version 7.1 - Patch 1923; MSG Version 7.2 - Patch 1924; MSG Version 7.5 - Patch 1925 |
| F-Secure Key for Windows and Mac OS X | CVE-2014-0224 | Low | Download the latest version of F-Secure Key with the updated OpenSSL version from here: http://www.f-secure.com/en/web/home_global/key |

 

User Interaction NOT required

The following products / platforms are affected by one or more of the listed vulnerabilities and do not require user interaction.

| Product/Platform | CVE | Risk level | Remarks |
|---|---|---|---|
| F-Secure Search | - | Low | F-Secure Search servers have been updated with the latest OpenSSL version. |
| Safe Profile | - | Low | Safe Profile servers have been updated with the latest OpenSSL version. |
| Safe Avenue | - | Low | Safe Avenue servers have been updated with the latest OpenSSL version. |
| F-Secure Freedome for Android | CVE-2014-0224 | Low | Freedome servers have been updated with the latest OpenSSL version. As the Man-in-the-Middle attack only works if both server and client are vulnerable, the product is currently not vulnerable. An updated OpenSSL will be included in the next Android version release. |

 

Fix Available

| Product | Versions | Download |
|---|---|---|
| F-Secure Email and Server Security | 10.x – 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF02-signed.jar |
| F-Secure Email and Server Security Premium | 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF02-signed.jar |
| F-Secure Server Security | 10.x – 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF02-signed.jar |
| F-Secure Server Security Premium | 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF02-signed.jar |

 

Applying Hotfix

Standalone computers:

1. Double-click on the downloaded .fsfix file and follow the instructions.

 

Centrally managed computers:

1. In F-Secure Policy Manager Console, select the Installation tab. Import the downloaded .jar file.

2. Select the appropriate domain or host.

3. Under "Installed products summary", use the "hotfix" action for the F-Secure E-Mail and Server Security product.

4. Select this hotfix and distribute policies.

 

Advisory Changes

| Date | Changes |
|---|---|
| 11th June 2014 | First advisory published. |
| 19th June 2014 | Added hotfix download URL for affected corporate products. Updated development status of Multifix for F-Secure PSB products. |
| 3rd July 2014 | Updated development status of Multifix for F-Secure PSB products. |

 

 

Date Issued: 2014-06-11 
Date Last Modified: 2014-07-03
