This vulnerability has been reported to impact the following OpenSSH versions and configurations:
- OpenSSH versions 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2
- In addition, only applications that directly call the SSL_select_next_proto function with 8 length list of supported client protocols are affected.
Trend Micro Products/Services Potentially Affected
Trend Micro is currently doing an inventory/investigation to see if any Trend Micro products and/or services may be affected by this vulnerability.
Below is the confirmed list of unaffected products. Products not listed may still be under investigation, and any additional information will be added here as necessary.
Several 3rd party vulnerability scanners may flag some of the following products as "affected" by this vulnerability. It is important to note that many, if not all, of these vulnerability scanners only search for library or component versions and DO NOT or CANNOT take into consideration the actual configuration, context and/or scenarios that make a certain component "vulnerable" to a particular exploit.
In our analysis, Trend Micro takes into account the entire scenario necessary to exploit a particular vulnerability in making a determination of whether or not a particular product may be vulnerable to a specific vulnerability. In this case, any flagging by a 3rd party vulnerability scanner on one of the mentioned products that are marked "Not Affected" should be treated as a False Positive.
In our analysis, Trend Micro takes into account the entire scenario necessary to exploit a particular vulnerability in making a determination of whether or not a particular product may be vulnerable to a specific vulnerability. In this case, any flagging by a 3rd party vulnerability scanner on one of the mentioned products that are marked "Not Affected" should be treated as a False Positive.
| Trend Micro Product/Service | Status |
|---|---|
| Cloud One - Endpoint Workload Security (Deep Security Agent) | Not Affected |
| Deep Security Agent | Not Affected |