Security Advisories
FSC-2014-6: Notice on Multiple OpenSSL Vulnerabilities
Description
OpenSSL has released new update for version 0.9.8, 1.0.0 and 1.0.1 which fixes 7 vulnerabilities. No known public exploits were found in the wild and no certificate change is required. Detailed explanation of the vulnerabilities can be found in the announcement.
Announcement: https://www.openssl.org/news/secadv_20140605.txt
Affected Products
- Risk Level (Low/Medium/High/Cricital) See table under More Information section.
Corporate products:
- F-Secure Server Security / Email Server Security 10.00 - 11.00
- F-Secure PSB Server Security / Email Server Security 9.20 – 10.00
- F-Secure Messaging Secure Gateway 7.1 – 7.5
- F-Secure Protection Service for Email 7.1 – 7.5
Consumer products:
- F-Secure Key for Windows and Mac OS X
- F-Secure Search
- Safe Profile
- F-Secure Freedome for Android
Platforms
- Risk Level (Low/Medium/High/Cricital) See table under More Information section.
- Safe Avenue
More Information
This advisory will be updated as more information becomes available.
Note: Products and platforms not listed in this advisory are NOT affected by any of the vulnerabilities mentioned in the OpenSSL announcement.
User Interaction Required
The following products / platforms are affected by one or more of the listed vulnerabilities and require user interaction.
| Product/Platform | CVE | Risk Level | Remarks |
|---|---|---|---|
| F-Secure Server Security | CVE-2014-0224 CVE-2014-0195 CVE-2014-3470 |
Low | Download and apply corresponding hotfix. See "Fix Available" section. |
| F-Secure Email Server Security | CVE-2014-0224 CVE-2014-0195 CVE-2014-3470 |
Low | Download and apply corresponding hotfix. See "Fix Available" section. |
| F-Secure PSB Server Security | CVE-2014-0224 CVE-2014-0195 CVE-2014-3470 |
Low | Multifix has been deployed and made available. - Version 10.00 - PSBESS1000_MF02 |
| F-Secure PSB Email Server Security | CVE-2014-0224 CVE-2014-0195 CVE-2014-3470 |
Low | Multifix has been deployed and made available. - Version 10.00 - PSBESS1000_MF02 |
| F-Secure Messaging Security Gateway |
- | Low | Verify that patch has been installed on the device. - MSG Version 7.1 - Patch 1923 - MSG Version 7.2 - Patch 1924 - MSG Version 7.5 - Patch 1925 |
| F-Secure Protection Service for Email |
- | Low | Verify that patch has been installed on the device. - MSG Version 7.1 - Patch 1923 |
| F-Secure Key for Windows and Mac OS X | - | Low | Download the latest version of F-Secure Key with updated OpenSSL version from here: http://www.f-secure.com/en/web/home_global/key |
User Interaction Not Required
The following products/platforms are affected by one or more of the listed vulnerabilities and do not require user interaction.
| Product/Platform | CVE | Risk Level | Remarks |
|---|---|---|---|
| F-Secure Search |
- | Low | F-Secure Search server have been updated with the latest OpenSSL version. |
| Safe Profile | - | Low | Safe Profile server have been updated with the latest OpenSSL version. |
| Safe Avenue | - | Low | Safe Avenue server have been updated with the latest OpenSSL version. |
| F-Secure Freedome for Android | - | Low | Freedome servers have been updated with the latest OpenSSL version. As the Man-in-the-Middle attack only works if both server and client are vulnerable, the product is currently not vulnerable. Updated OpenSSL will be included in the next Android version release. |
Fix Available
| Product | Versions | Fix |
|---|---|---|
| F-Secure Email and Server Security | 10.x – 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF02-signed.jar |
| F-Secure Email and Server Security Premium | 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF02-signed.jar |
| F-Secure Server Security | 10.x – 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF02-signed.jar |
| F-Secure Server Security Premium | 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF02-signed.jar |
Applying Hotfix
Standalone computers:
- Double-click on the downloaded .fsfix file and follow the instructions.
Centrally managed computers:
- In F-Secure Policy Manager Console, select Installation tab. Import the downloaded .jar file.
- Select appropriate domain or host.
- Under "Installed products summary", use "hotfix" action for F-Secure E-Mail and Server Security product.
- Select this hotfix and distribute policies.
Advisory Changes
| Date | Changes |
|---|---|
| 11th June 2014 | First advisory published. |
| 19th June 2014 | Added hotfix download URL for affected corporate products Updated development status of Multifix for F-Secure PSB products. |
| 3rd July 2014 | Updated development status of Multifix for F-Secure PSB products. |
Date Issued: 20yy-mm-dd
Date Updated: 20yy-mm-dd