Trend Micro products and the Heartbleed Bug - [CVE-2014-0160] OpenSSL 1.0.1 Vulnerability

    • Updated: 21 Apr 2016
    • Product/Version:
        • Control Manager 6.0
        • Deep Security 7.0
        • Deep Security 7.5
        • Deep Security 8.0
        • Deep Security 9.0
        • InterScan Messaging Security Suite 7.1 Linux
        • InterScan Messaging Security Suite 7.5 Windows
        • InterScan Messaging Security Virtual Appliance 8.2
        • InterScan Messaging Security Virtual Appliance 8.5
        • InterScan Web Security Virtual Appliance 3.1
        • InterScan Web Security Virtual Appliance 5.0
        • InterScan Web Security Virtual Appliance 5.1
        • InterScan Web Security Virtual Appliance 5.5
        • InterScan Web Security Virtual Appliance 5.6
        • Network VirusWall 2500 2.All
        • Network VirusWall 3500i 3.0
        • OfficeScan 10.6
        • OfficeScan 11.0
        • SafeSync for Enterprise 2.1
        • ServerProtect for Linux 3.0
        • Smart Protection Server 3.0
        • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
        • Linux - Red Hat RHEL 6 32-bit
        • Linux - Red Hat RHEL 6 64-bit
        • Windows 2003 Enterprise
        • Windows 2003 Standard
        • Windows 2008 Enterprise
        • Windows 2008 Standard
        • Windows 2012 Enterprise
        • Windows 2012 Standard

Summary

What is Heartbleed?

The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is an implementation of the SSL/TLS encryption protocol used to protect the privacy of Internet communications. OpenSSL is used by many web sites and other applications such as email, instant messaging and VPNs.

Heartbleed allows an attacker to read the memory of systems using certain versions of OpenSSL, potentially exposing usernames, passwords, or even the secret security keys of the server. With these keys, malicious users can observe all communications on that system, which enables further exploitation.

Who is impacted by Heartbleed?

Given that this vulnerability has existed for at least two years, an organization that has deployed servers running OpenSSL versions 1.0.1 through 1.0.1f in that period is likely vulnerable to the Heartbleed Bug and should take immediate steps to remediate.
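
The version range stated above can be checked against `openssl version` banners collected from hosts. The following is an added example, not Trend Micro's code; the host names and banner strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Affected range as stated in this article: OpenSSL 1.0.1 through 1.0.1f.
AFFECTED_BASE = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# Matches banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
_BANNER = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([\w.]+))?", re.I)

def parse_banner(banner):
    """Return ((major, minor, fix), letter, build_tag), or None if unparsable."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    return base, m.group(4).lower(), (m.group(5) or "")

def classify(banner):
    """Classify one banner against the article's affected range."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unparsed"  # not an OpenSSL banner; inspect the host by hand
    base, letter, _tag = parsed
    # 1.0.1 releases carry at most one patch letter: "" < "a" < ... < "f".
    if base == AFFECTED_BASE and len(letter) <= 1 and letter <= LAST_AFFECTED_LETTER:
        return "in-affected-range"
    return "outside-range"

def hosts_to_review(inventory):
    """Hosts whose banner is in range or could not be parsed, sorted by name."""
    return sorted(h for h, b in inventory.items() if classify(b) != "outside-range")

# Constructed sample inventory: host name -> output of `openssl version`.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "mail01": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn01": "OpenSSL 1.0.1g 7 Apr 2014",
    "relay01": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy01": "LibreSSL 2.0.0",
}

if __name__ == "__main__":
    for host in hosts_to_review(SAMPLE_INVENTORY):
        print(host, classify(SAMPLE_INVENTORY[host]), sep="\t")
```

A banner inside the range is a prompt to check the installed package, not proof of exposure: Linux distributions often backport the fix without changing the upstream version letter, so confirm against the package changelog or vendor advisory.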

While there are some initial reports of attacks based on the Heartbleed vulnerability, these are preliminary reports and it should be noted that it is very difficult to determine if this attack has occurred in the past. Accordingly, even if an organization is not currently vulnerable, it may have been in the past and should therefore take immediate steps to remediate if it has deployed the vulnerable OpenSSL versions.

Because some Trend Micro products use the affected OpenSSL version, these products are affected by this vulnerability. This article lists the affected products and the recommended action to take to eliminate the risks. It also lists the products that are not affected by this vulnerability.

Details

What Trend Micro products are affected?

Product/Version | Component Affected | Severity | Solution/Additional Information
Deep Security 8.0, 9.0 | Deep Security Relay (DSR) | Very Low | Critical Patch
SafeSync for Enterprise 2.1 | Windows Client | NA | Critical Patch
ServerProtect for Linux (SPLX) 3.0 | Admin UI | Very Low | Critical Patch
Endpoint Application Control (TMEAC) 1.0 | Apache Tomcat web server package | Low | Critical Patch
Portable Security (TMPS) 2.0 | Remote Communication Module | Low | Critical Patch
HouseCall 8.0 | SmartScan | Very Low | Fixed through ActiveUpdate (AU)
InterScan Messaging Security Suite (IMSS) for Linux 7.1 SP1 | SmartScan | Very Low | Critical patch will be released on May 15
InterScan Messaging Security Virtual Appliance (IMSVA) 8.5 and 8.5 SP1 | SmartScan | Very Low | Critical patch will be released on May 15
OfficeScan (OSCE) 11.0* | SmartScan | Very Low | Critical Patch
Titanium 7.0 and 7.2 | SmartScan | Very Low | Fixed via Active Update (AU)
Worry Free Business Security (WFBS) 9.0* | SmartScan | Very Low | Repacked full installer as well as Critical Patch 1439

* Affected only if the server is configured to use SmartScan as the default scan method. When traditional scan is used, the product is not affected by the vulnerability.

What Trend Micro products are not affected?

Product | Version | Affected? | Notes
Advanced Reporting and Management (ARM) | 1.0, 1.5, 1.6 | No | Not using OpenSSL 1.01~1.01f
Case Diagnostic Tool (CDT) | 2.0, 2.6 | No | Not using OpenSSL
Core Protection Module (CPM) | 1.6, 10.5, 10.6, 10.6 SP1, 10.6 SP2 | No | Not using OpenSSL 1.01~1.01f
Core Protection Module (CPM) for Mac | 1.1 | No | Not using OpenSSL 1.01~1.01f
CSC (Stargate) | 6.6 | No | Not using OpenSSL 1.01~1.01f
DDA (Deep Discovery Advisor) | 2.95, 3.0, 3.0 SP1, 3.1 | No | Not using OpenSSL 1.01~1.01f
DDI (Deep Discovery Inspector) | 3.0, 3.1, 3.2, 3.5, 3.6 | No | Not using OpenSSL 1.01~1.01f
Deep Edge 300 | 1.5, 2.0, 2.1 | No | Not using OpenSSL 1.01~1.01f
Deep Security for Web Apps | 2 | No | Not using OpenSSL
Data Loss Prevention (DLP) | 3.1, 5.0, 5.2, 5.5, 5.6, 5.7 | No | Not using OpenSSL 1.01~1.01f
Email Security Platform for Service Providers - White Label | 3 | No | Not using OpenSSL 1.01~1.01f
eManager | 5.22, 5.5, 5.7, 6, 6.6, 6.7 | No | Not using OpenSSL
eManager(V6.8+) | 6.8, 7.0, 7.1, 7.5 | No | Not using OpenSSL 1.01~1.01f
Facebook Privacy Scan App (FPSA) |  | No | Not using OpenSSL 1.01~1.01f
Hosted Email Security (IMHS) | 1.9, 2.0 | No | Not using OpenSSL 1.01~1.01f
HouseCall | 7.1 | No | Not using OpenSSL
HouseCall_OEM | 7.1 JP | No | Not using OpenSSL
InterScan Gateway Security Appliance (IGSA) | 1.5(TW, JP) | No | Not using OpenSSL 1.01~1.01f
IM Security | 1.5, 1.51 | No | Not using OpenSSL
InterScan Messaging Security Appliance (IMSA) | 7 | No | Not using OpenSSL 1.01~1.01f
InterScan Messaging Security Suite (IMSS) | 7.0, 7.0 SP1, 7.1, 7.1 SP1 Win | No | Not using OpenSSL 1.01~1.01f
InterScan Messaging Security Virtual Appliance (IMSVA) | 7.0, 8.0, 8.2 | No | Not using OpenSSL 1.01~1.01f
ISSS (Integrated Smart Scan Server) | 1 | No | Not using OpenSSL 1.01~1.01f
InterScan VirusWall (ISVW) | 7 | No | Not using OpenSSL 1.01~1.01f
ISVW for SMB | 7 | No | Not using OpenSSL 1.01~1.01f
iTIS | 2 | No | Not using OpenSSL
iTIS | 3 | No | Not using OpenSSL
iTMMS | 1 | No | Not using OpenSSL 1.01~1.01f
InterScan Web Security Appliance (IWSA) | 3.1 SP1 | No | Not using OpenSSL 1.01~1.01f
InterScan Web Security as a Service (IWSaaS) | 1.8 | No | Not using OpenSSL 1.01~1.01f
InterScan Web Security Suite (IWSS) | 3.1 | No | Not using OpenSSL 1.01~1.01f
InterScan Web Security Virtual Appliance (IWSVA) | 5.0, 5.1, 5.5, 5.6, 6.0(EN) | No | Not using OpenSSL 1.01~1.01f
Licensing Management Portal (LMP) |  | No | Not using OpenSSL
Network VirusWall Enforcer (NVWE) | 1.3(JP), 1.8(JP), 2.0 & SP1, 3.0, 3.1(EN), 3.2(EN, JP) | No | Not using OpenSSL 1.01~1.01f
OfficeScan (OSCE) | 8.0 SP1, 10, 10 SP1, 10.5, 10.6, 10.6 SP1, 10.6 SP2, 10.6 SP3 | No | Not using OpenSSL 1.01~1.01f
OfficeScan (OSCE) Toolbox | 1 | No | Not using OpenSSL 1.01~1.01f
PortalProtect | 2.0, 2.1 | No | Not using OpenSSL
ProtectLink | 1 | No | Not using OpenSSL 1.01~1.01f
Rootkit Buster |  | No | Not using OpenSSL
SafeSync | 5 | No | Not using OpenSSL 1.01~1.01f
SafeSync for Business | 5.1 | No | Not using OpenSSL 1.01~1.01f
SafeSync for xSP | 2 | No | Not using OpenSSL 1.01~1.01f
SafeSync Mobile | 1.2 | No | Not using OpenSSL 1.01~1.01f
ScanMail for Exchange (SMEX) | 10, 10 SP1, 10.2, 10.2 SP2, 11 | No | Not using OpenSSL
ScanMail for IBM Domino (SMID) | 5.6 | No | Not using OpenSSL 1.01~1.01f
ScanMail for Lotus Domino (SMLD) | 3.0, 3.1, 5.0, 5.5 | No | Not using OpenSSL 1.01~1.01f
ScanMail Mobile Security for Exchange (SMMS) | 1 | No | Not using OpenSSL
SecureCloud | 2.0, 3.0, 3.5, 3.6 | No | Not using OpenSSL 1.01~1.01f
ServerProtect Windows/Netware (SPNT) | 5.7, 5.8 | No | Not using OpenSSL
Smart Protection Server (SPS) | 3.0 | No | Not using OpenSSL 1.01~1.01f
Smart Surfing | 1.6 | No | Not using OpenSSL
Threat Discovery Appliance (TDA) | 2, 2.5, 2.55, 2.6 | No | Not using OpenSSL 1.01~1.01f
Titanium/TIS | Titanium (6.x/5.x/3.x/2.x), TIS(17.x/16.x) | No | Not using OpenSSL 1.01~1.01f
Control Manager (TMCM) | 5.5, 6.0, 6.0 SP1 | No | Not using OpenSSL 1.01~1.01f
TMDP (Direct Pass) | 1.36, 1.8, 1.9 | No | Not using OpenSSL
Endpoint Encryption (TMEE) | 5.5, 5.6, 5.7, 5.8 | No | Not using OpenSSL
Endpoint Encryption (TMEE) Data Armor | 3.0, 5.0 | No | Not using OpenSSL
Endpoint Encryption (TMEE) Drive Armor | 3.0, 5.0 | No | Not using OpenSSL
Endpoint Encryption (TMEE) File Armor | 3.0, 5.0 | No | Not using OpenSSL
Endpoint Encryption (TMEE) Key Armor | 3.0, 5.0 | No | Not using OpenSSL
Endpoint Encryption (TMEE) Policy Server | 3.1, 5.0 | No | Not using OpenSSL
Trend Micro Email Encryption Gateway (TMEEG) | 5, 5.5 | No | Not using OpenSSL 1.01~1.01f
Information Center (TMIC) | 2.5 | No | Not using OpenSSL 1.01~1.01f
Mobile Backup and Restore (MBR) | 1.2, 1.3.1, 1.4 | No | Not using OpenSSL 1.01~1.01f
Mobile Security (TMMS) for Cellcom | 2.1 | No | Not using OpenSSL 1.01~1.01f
Mobile Security (TMMS) for Consumer | 1.2, 2.0, 2.1, 2.2, 2.5, 2.6, 3.0, 3.1, 3.5, 5.05 | No | Not using OpenSSL
Mobile Security (TMMS) for Enterprise | 5.0, 5.1, 5.5, 7.0, 7.1, 8.0, 9.0 | No | Not using OpenSSL 1.01~1.01f
Mobile Security (TMMS) for KDDI | 2.0, 2.1 | No | Not using OpenSSL
Mobile Security (TMMS) for NTTW | 2.0, 2.0.1 | No | Not using OpenSSL
Mobile Security (TMMS) for OEM | 2.1, 2.1.1, 2.2, 3.1, 3.5 | No | Not using OpenSSL
Online Guardian (TMOG) | 1.0, 1.5, 1.6, 1.8 | No | Not using OpenSSL
Online Guardian (TMOG)-Server | 1 | No | Not using OpenSSL
Trend Micro Kids Safety Protection for PS3 | 1 | No | Not using OpenSSL
Trend Micro Longevity | 3 | No | Not using OpenSSL
Trend Micro Web Security for PS3 | 1 | No | Not using OpenSSL
Trend Secure - My Account |  | No | Not using OpenSSL 1.01~1.01f
Worry-Free Business Security Standard/Advanced (WFBS) | 5.1, 6.0, 7.0, 8.0 | No | Not using OpenSSL 1.01~1.01f
WFMS | 2 | No | Not using OpenSSL 1.01~1.01f
Worry-Free Remote Manager (WFRM) | 2.5, 2.6, 3.0, 3.1 | No | Not using OpenSSL 1.01~1.01f

What if my product is not listed?

If the product has not reached End-of-Support, it is most likely that Trend Micro is still analyzing the vulnerability and its impact on your product. As soon as the analysis is completed, the product will be added to the list.

What if I have additional questions?

For additional inquiries, contact Trend Micro Technical Support.

Category: Troubleshoot
Solution Id: 1103084