Attachmate Security Update for OpenSSL 'Heartbleed' Vulnerability CVE-2014-0160

  • 7021974
  • 09-Apr-2014
  • 02-Mar-2018

Environment

All Attachmate products

Situation

This technical note describes the OpenSSL 'Heartbleed' vulnerability, lists the affected Attachmate products, and provides links to resources for additional information and mitigations.

Resolution

OpenSSL 'Heartbleed' Vulnerability and Attachmate Products

According to the Vulnerability Notes Database, "OpenSSL 1.0.1 contains a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as 'heartbleed.'" This vulnerability can leak up to 64K bytes of the contents from system RAM with each heartbeat exchange.

Some Attachmate products (both licensed and evaluation software, listed below) are affected by this vulnerability. Note the following:

  • In most Attachmate products, this vulnerability affects only certain TLS 1.2 connections.
  • Products using SSH protocol connections are not affected.
  • This vulnerability is a greater concern for servers than clients, because clients authenticate the host before any TLS heartbeat is negotiated, whereas servers accept TLS connections from any client and so can be immediately exploited.

Products Affected

The following products and versions are affected by this vulnerability when TLS protocol connections are used.

Product and Version
Status
More Info
Verastream Host Integrator version 7.6
Fixed in version 7.6.49
2700
Reflection for Secure IT Web Edition version 8.1
Hotfix is available upon request
2288
Reflection for NonStop 2014 Add-On
Fixed in R1+SP1 (version 15.6.1.746)
2502
EXTRA! 6530 Client Option 9.3
Fixed in 9.3 SP1 (version 9.3.1.2612)
2501

The following products either support TLS 1.2 connections or contain products or components that do. These products are affected by this vulnerability, only when TLS 1.2 connections are used. All the products listed include the Reflection FTP Client (version 14.1 SP3 or 15.6), which is affected only when making a TLS 1.2 connection to a malicious server. See KB 7021489 for information about how to determine if your Reflection connections use TLS 1.2.

Product and Version
Status
More Info
Reflection 2014 R1
Reflection 2014 Pro R1
Reflection X 2014 R1
Reflection for IBM 2014 R1
Reflection for UNIX and OpenVMS 2014 R1

Fixed in version 15.6.0.660 *
2502
Reflection for UNIX and OpenVMS 14.1 SP3
Reflection for IBM 14.1 SP3
Reflection for HP 14.1 SP3
Reflection X 14.1 SP3
Reflection Suite for X 14.1 SP3
Reflection for the Multi-Host Professional Edition 14.1 SP3
Reflection for the Multi-Host Standard Edition 14.1 SP3

Fixed in Update 14.1.3.247 **
1708

*You can identify the Reflection 2014 update has been installed by version “15.6.660” in Control Panel > Programs > Programs and Features (or Control Panel > Add or Remove Programs).

**You can identify the Reflection 14.1.3.247 update has been installed by version “14.1.3247” in Control Panel > Programs > Programs and Features (or Control Panel > Add or Remove Programs).

Products Not Affected, but Include Reflection FTP Client

The following products are not themselves affected by the vulnerability, but do include the Reflection FTP Client (version 14.1 SP3 or 15.6), which is affected only when making a TLS 1.2 connection to a malicious server.

Product and Version
Status
More Info
Reflection for Secure IT Windows Client 7.2 SP3 is not affected, however the Reflection FTP Client included with it is affected, but only when making a TLS 1.2 connection to a malicious server.
Fixed in Update 7.2.3222
2288
INFOConnect 9.2 is not affected, however the Reflection FTP Client included with it is affected, but only when making a TLS 1.2 connection to a malicious server.
Fixed in version 9.2.0.1172
2546
EXTRA! X-treme 9.3 is not affected, however the Reflection FTP Client included with it is affected, but only when making a TLS 1.2 connection to a malicious server.
Fixed in FTP Client Update 14.1.3.247
2501
Verastream Bridge Integrator is not affected, however Verastream Bridge Integrator that includes Reflection for Secure IT Windows Client 7.2 SP3 is affected because the Reflection FTP Client included with Reflection for Secure IT Windows Client 7.2 SP3 is affected, but only when making a TLS 1.2 connection to a malicious server.
Fixed in SSH Update 7.2.3222
2288

For information about security updates and your product, see your product's security updates technical note available from http://support.microfocus.com/security/.

Products Not Affected

The following products are not affected by the Heartbleed vulnerability:

Product and Version
Status
Earlier versions of the products listed in Products Affected
Not affected
Reflection 2011 products, all versions
Not affected
Reflection for the Web 2014, 2011, or 2008, all versions
Not affected
Reflection Security Gateway 2014 or 2011, all versions
Not affected
Reflection for Secure IT Server for Windows, all versions
Not affected
Reflection for Secure IT UNIX Client and Server, all versions
Not affected
DATABridge, all versions
Not affected
Verastream Process Designer, all versions
Not affected
Verastream SDK for Unisys and Airlines, all versions
Not affected
FileXpress products; exception noted below *
Not affected *

* Some FileXpress Bundles include Reflection for Secure IT Web Edition 8.1, which is affected by the vulnerability. A hotfix is available upon request for Reflection for Secure IT Web Edition 8.1. Contact Attachmate Technical Support.

Attachmate Web Sites Not Affected

Attachmate web sites that support HTTPS connections are not and have never been subject to this vulnerability.

Additional Resources

For more details and the latest information on mitigations, see the following:

US-CERT Technical Alert: https://www.us-cert.gov/ncas/alerts/TA14-098A

CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951

National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Subscribe to Updates

To receive updates for your product, you can subscribe to the RSS feeds available on the Attachmate support site. For details, see Technical Note 0203.

Status

Security Alert

Additional Information

Legacy KB ID

This article was originally published as Attachmate technical note 2724.