OpenSSL has released new updates for versions 0.9.8, 1.0.0 and 1.0.1 that fix 7 vulnerabilities. No known public exploits were found in the wild and no certificate change is required. A detailed explanation of the vulnerabilities can be found in the announcement.
Announcement: https://www.openssl.org/news/secadv_20140605.txt
Corporate products:
Consumer products:
This advisory will be updated as more information becomes available.
Note: Products and platforms not listed in this advisory are NOT affected by any of the vulnerabilities mentioned in the OpenSSL announcement.
The following products / platforms are affected by one or more of the listed vulnerabilities and require user interaction.
Product/Platform | CVE | Risk Level | Remarks |
---|---|---|---|
F-Secure Server Security | CVE-2014-0224, CVE-2014-0195, CVE-2014-3470 | Low | Download and apply the corresponding hotfix. See "Fix Available" section. |
F-Secure Email Server Security | CVE-2014-0224, CVE-2014-0195, CVE-2014-3470 | Low | Download and apply the corresponding hotfix. See "Fix Available" section. |
F-Secure PSB Server Security | CVE-2014-0224, CVE-2014-0195, CVE-2014-3470 | Low | Multifix has been deployed and made available: Version 10.00 - PSBESS1000_MF02 |
F-Secure PSB Email Server Security | CVE-2014-0224, CVE-2014-0195, CVE-2014-3470 | Low | Multifix has been deployed and made available: Version 10.00 - PSBESS1000_MF02 |
F-Secure Messaging Security Gateway | - | Low | Verify that the patch has been installed on the device: MSG Version 7.1 - Patch 1923; MSG Version 7.2 - Patch 1924; MSG Version 7.5 - Patch 1925 |
F-Secure Protection Service for Email | - | Low | Verify that the patch has been installed on the device: MSG Version 7.1 - Patch 1923 |
F-Secure Key for Windows and Mac OS X | - | Low | Download the latest version of F-Secure Key with updated OpenSSL version from here: http://www.f-secure.com/en/web/home_global/key |
The following products/platforms are affected by one or more of the listed vulnerabilities and do not require user interaction.
Product/Platform | CVE | Risk Level | Remarks |
---|---|---|---|
F-Secure Search | - | Low | F-Secure Search servers have been updated with the latest OpenSSL version. |
Safe Profile | - | Low | Safe Profile servers have been updated with the latest OpenSSL version. |
Safe Avenue | - | Low | Safe Avenue servers have been updated with the latest OpenSSL version. |
F-Secure Freedome for Android | - | Low | Freedome servers have been updated with the latest OpenSSL version. As the Man-in-the-Middle attack only works if both server and client are vulnerable, the product is currently not vulnerable. Updated OpenSSL will be included in the next Android version release. |
Product | Versions | Fix |
---|---|---|
F-Secure Email and Server Security | 10.x – 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSESS1100-HF02-signed.jar |
F-Secure Email and Server Security Premium | 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSESSPR1100-HF02-signed.jar |
F-Secure Server Security | 10.x – 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSSS1100-HF02-signed.jar |
F-Secure Server Security Premium | 11.00 | Hotfix: ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF02-signed.fsfix ftp://ftp.f-secure.com/support/hotfix/fsss/FSSSPR1100-HF02-signed.jar |
Standalone computers:
Centrally managed computers:
Date | Changes |
---|---|
11th June 2014 | First advisory published. |
19th June 2014 | Added hotfix download URL for affected corporate products. Updated development status of Multifix for F-Secure PSB products. |
3rd July 2014 | Updated development status of Multifix for F-Secure PSB products. |