What is Heartbleed?
The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is an implementation of the SSL/TLS encryption protocol used to protect the privacy of Internet communications. OpenSSL is used by many web sites and other applications such as email, instant messaging and VPNs.
Heartbleed allows an attacker to read the memory of systems using certain versions of OpenSSL, potentially allowing them to access usernames, password, or even the secret security keys of the server. Obtaining these keys can allow malicious users to observe all communications on that system, allowing further exploit.
Who is impacted by Heartbleed?
Given that this vulnerability has existed for at least two years, an organization that has deployed servers running OpenSSL versions 1.0.1 through 1.0.1f in that period is likely vulnerable to the Heartbleed Bug and should take immediate steps to remediate.
While there are some initial reports of attacks based on the Heartbleed vulnerability, these are preliminary reports and it should be noted that it is very difficult to determine if this attack has occurred in the past. Accordingly, even if an organization is not currently vulnerable, it may have been in the past and it should therefore take immediate steps to remediate if they have deployed the vulnerable OpenSSL versions.
Because some of Trend Micro’s products are using the affected OpenSSL version, these products are affected by this vulnerability. This article contains the list of products that are affected and the recommended action to take to eliminate the risks. Also included in this article is a list of products that are not affected by this vulnerability.
What Trend Micro products are affected?
| Product/Version | Component Affected | Severity | Solution/Additional Information |
|---|---|---|---|
| Deep Security 8.0, 9.0 | Deep Security Relay (DSR) | Very Low | Critical Patch |
| SafeSync for Enterprise 2.1 | Windows Client | NA | Critical Patch |
| Serverprotect for Linux (SPLX) 3.0 | Admin UI | Very Low | Critical Patch |
| Endpoint Application Control (TMEAC) 1.0 | Apache Tomcat web server package | Low | Critical Patch |
| Portable Security (TMPS) 2.0 | Remote Communication Module | Low | Critical Patch |
| House Call 8.0 | SmartScan | Very Low | Fixed through ActiveUpdate (AU) |
| InterScan Messaging Security Suite (IMSS) for Linux 7.1 SP1 | SmartScan | Very Low | Critical patch will be released on May 15 |
| InterScan Messaging Security Virtual Appliance (IMSVA) 8.5 and 8.5 SP1 | SmartScan | Very Low | Critical patch will be released on May 15 |
| OfficeScan (OSCE) 11.0* | SmartScan | Very Low | Critical Patch |
| Titanium 7.0 and 7.2 | SmartScan | Very Low | Fixed via Active Update (AU) |
| Worry Free Business Security (WFBS) 9.0* | SmartScan | Very Low | Repacked full installer as well as Critical Patch 1439 |
Affected only if the server is configured to use SmartScan as the default scan method. When traditional scan is used, the product is not affected by the vulnerability.
What Trend Micro products are not affected?
| Product | Version | Affected? | Notes |
|---|---|---|---|
| Advanced Reporting and Management (ARM) | 1.0, 1.5, 1.6 | No | Not using OpenSSL 1.01~1.01f |
| Case Diagnostic Tool (CDT) | 2.0, 2.6 | No | Not using OpenSSL |
| Core Protection Module (CPM) | 1.6, 10.5, 10.6, 10.6 SP1, 10.6 SP2 | No | Not using OpenSSL 1.01~1.01f |
| Core Protection Module (CPM) for Mac | 1.1 | No | Not using OpenSSL 1.01~1.01f |
| CSC (Stargate) | 6.6 | No | Not using OpenSSL 1.01~1.01f |
| DDA (Deep Discovery Advisor) | 2.95, 3.0, 3.0 SP1, 3.1 | No | Not using OpenSSL 1.01~1.01f |
| DDI (Deep Discovery Inspector) | 3.0, 3.1, 3.2, 3.5, 3.6 | No | Not using OpenSSL 1.01~1.01f |
| Deep Edge 300 | 1.5, 2.0, 2.1 | No | Not using OpenSSL 1.01~1.01f |
| Deep Security for Web Apps | 2 | No | Not using OpenSSL |
| Data Loss Prevention (DLP) | 3.1, 5.0, 5.2, 5.5, 5.6, 5.7 | No | Not using OpenSSL 1.01~1.01f |
| Email Security Platform for Service Providers - White Label | 3 | No | Not using OpenSSL 1.01~1.01f |
| eManager | 5.22, 5.5, 5.7, 6, 6.6, 6.7 | No | Not using OpenSSL |
| eManager(V6.8+) | 6.8, 7.0, 7.1, 7.5 | No | Not using OpenSSL 1.01~1.01f |
| Facebook Privacy Scan App (FPSA) | No | Not using OpenSSL 1.01~1.01f | |
| Hosted Email Security (IMHS) | 1.9, 2.0 | No | Not using OpenSSL 1.01~1.01f |
| HouseCall | 7.1 | No | Not using OpenSSL |
| HouseCall_OEM | 7.1 JP | No | Not using OpenSSL |
| InterScan Gateway Security Appliance (IGSA) | 1.5(TW, JP) | No | Not using OpenSSL 1.01~1.01f |
| IM Security | 1.5, 1.51 | No | Not using OpenSSL |
| InterScan Messaging Security Appliance (IMSA) | 7 | No | Not using OpenSSL 1.01~1.01f |
| InterScan Messaging Security Suite (IMSS) | 7.0, 7.0 SP1,7.1, 7.1 SP1 Win | No | Not using OpenSSL 1.01~1.01f |
| InterScan Messaging Security Virtual Appliance (IMSVA) | 7.0, 8.0, 8.2 | No | Not using OpenSSL 1.01~1.01f |
| ISSS (Integrated Smart Scan Server) | 1 | No | Not using OpenSSL 1.01~1.01f |
| InterScan VirusWall (ISVW) | 7 | No | Not using OpenSSL 1.01~1.01f |
| ISVW for SMB | 7 | No | Not using OpenSSL 1.01~1.01f |
| iTIS | 2 | No | Not using OpenSSL |
| iTIS | 3 | No | Not using OpenSSL |
| iTMMS | 1 | No | Not using OpenSSL 1.01~1.01f |
| InterScan Web Security Appliance (IWSA) | 3.1 SP1 | No | Not using OpenSSL 1.01~1.01f |
| InterScan Web Security as a Service (IWSaaS) | 1.8 | No | Not using OpenSSL 1.01~1.01f |
| InterScan Web Security Suite (IWSS) | 3.1 | No | Not using OpenSSL 1.01~1.01f |
| InterScan Web Security Virtual Appliance (IWSVA) | 5.0, 5.1, 5.5, 5.6, 6.0(EN) | No | Not using OpenSSL 1.01~1.01f |
| Licensing Management Portal (LMP) | No | Not using OpenSSL | |
| Network VirusWall Enforcer (NVWE) | 1.3(JP), 1.8(JP), 2.0 & SP1 ,3.0, 3.1(EN), 3.2(EN, JP) | No | Not using OpenSSL 1.01~1.01f |
| OfficeScan (OSCE) | 8.0 SP1, 10, 10 SP1, 10.5, 10.6, 10.6 SP1, 10.6 SP2, 10.6 SP3 | No | Not using OpenSSL 1.01~1.01f |
| OfficeScan (OSCE) Toolbox | 1 | No | Not using OpenSSL 1.01~1.01f |
| PortalProtect | 2.0, 2.1 | No | Not using OpenSSL |
| PortalProtect | 2.0, 2.1 | No | Not using OpenSSL |
| ProtectLink | 1 | No | Not using OpenSSL 1.01~1.01f |
| Rootkit Buster | No | Not using OpenSSL | |
| SafeSync | 5 | No | Not using OpenSSL 1.01~1.01f |
| SafeSync for Business | 5.1 | No | Not using OpenSSL 1.01~1.01f |
| SafeSync for xSP | 2 | No | Not using OpenSSL 1.01~1.01f |
| SafeSync Mobile | 1.2 | No | Not using OpenSSL 1.01~1.01f |
| ScanMail for Exchange (SMEX) | 10, 10 SP1, 10.2, 10.2 SP2, 11 | No | Not using OpenSSL |
| ScanMail for IBM Domino (SMID) | 5.6 | No | Not using OpenSSL 1.01~1.01f |
| ScanMail for Lotus Domino (SMLD) | 3.0, 3.1, 5.0, 5.5 | No | Not using OpenSSL 1.01~1.01f |
| ScanMail Mobile Security for Exchange (SMMS) | 1 | No | Not using OpenSSL |
| SecureCloud | 2.0, 3.0, 3.5, 3.6 | No | Not using OpenSSL 1.01~1.01f |
| ServerProtect Windows/Netware (SPNT) | 5.7, 5.8 | No | Not using OpenSSL |
| Smart Protection Server (SPS) | 3.0 | No | Not using OpenSSL 1.01~1.01f |
| Smart Surfing | 1.6 | No | Not using OpenSSL |
| Threat Discovery Appliance (TDA) | 2, 2.5, 2.55, 2.6 | No | Not using OpenSSL 1.01~1.01f |
| Titanium/TIS | Titanium (6.x/5.x/3.x/2.x), TIS(17.x/16.x) | No | Not using OpenSSL 1.01~1.01f |
| Control Manager (TMCM) | 5.5, 6.0, 6.0 SP1 | No | Not using OpenSSL 1.01~1.01f |
| TMDP (Direct Pass) | 1.36, 1.8, 1.9 | No | Not using OpenSSL |
| Endpoint Encryption (TMEE) | 5.5, 5.6, 5.7, 5.8 | No | Not using OpenSSL |
| Endpoint Encryption (TMEE) Data Armor | 3.0, 5.0 | No | Not using OpenSSL |
| Endpoint Encryption (TMEE) Drive Armor | 3.0, 5.0 | No | Not using OpenSSL |
| Endpoint Encryption (TMEE) File Armor | 3.0, 5.0 | No | Not using OpenSSL |
| Endpoint Encryption (TMEE) Key Armor | 3.0, 5.0 | No | Not using OpenSSL |
| Endpoint Encryption (TMEE) Policy Server | 3.1, 5.0 | No | Not using OpenSSL |
| Trend Micro Email Encryption Gateway (TMEEG) | 5, 5.5 | No | Not using OpenSSL 1.01~1.01f |
| Information Center (TMIC) | 2.5 | No | Not using OpenSSL 1.01~1.01f |
| Mobile Backup and Restore (MBR) | 1.2, 1.3.1, 1.4 | No | Not using OpenSSL 1.01~1.01f |
| Mobile Security (TMMS) for Cellcom | 2.1 | No | Not using OpenSSL 1.01~1.01f |
| Mobile Security (TMMS) for Consumer | 1.2, 2.0, 2.1, 2.2, 2.5, 2.6, 3.0, 3.1, 3.5, 5.05 | No | Not using OpenSSL |
| Mobile Security (TMMS) for Enterprise | 5.0, 5.1,5.5, 7.0, 7.1, 8.0, 9.0 | No | Not using OpenSSL 1.01~1.01f |
| Mobile Security (TMMS) for KDDI | 2.0, 2.1 | No | Not using OpenSSL |
| Mobile Security (TMMS) for NTTW | 2.0, 2.0.1 | No | Not using OpenSSL |
| Mobile Security (TMMS) for OEM | 2.1, 2.1.1, 2.2, 3.1, 3.5 | No | Not using OpenSSL |
| Online Guardian (TMOG) | 1.0, 1.5, 1.6,1.8 | No | Not using OpenSSL |
| Online Guardian (TMOG)-Server | 1 | No | Not using OpenSSL |
| Trend Micro Kids Safety Protection for PS3 | 1 | No | Not using OpenSSL |
| Trend Micro Longevity | 3 | No | Not using OpenSSL |
| Trend Micro Web Security for PS3 | 1 | No | Not using OpenSSL |
| Trend Secure - My Account | No | Not using OpenSSL 1.01~1.01f | |
| Worry-Free Business Security Standard/Advanced (WFBS) | 5.1, 6.0, 7.0, 8.0 | No | Not using OpenSSL 1.01~1.01f |
| WFMS | 2 | No | Not using OpenSSL 1.01~1.01f |
| Worry-Free Remote Manager (WFRM) | 2.5, 2.6, 3.0, 3.1 | No | Not using OpenSSL 1.01~1.01f |
What if my product is not listed?
If the product has not reached End-of-Support, it is most likely that Trend Micro is still analyzing the vulnerability and it’s impact on your product. As soon as the analysis is completed, the product will be added in the list.
What if I have additional questions?
For additional inquiries, contact Trend Micro Technical Support.
