SafeSync for Enterprise (SSFE) 2.1 OpenSSL vulnerability CVE-2014-0160 (Heartbleed)

    • Updated: 18 Jun 2014
    • Product/Version: SafeSync for Enterprise 2.1
    • Platform: N/A
Summary
Learn how SSFE is affected by the OpenSSL vulnerability and the possible resolution to address the issue.
Details
A vulnerability involving the Heartbeat extension of OpenSSL has been disclosed. This vulnerability, dubbed the Heartbleed Bug, exists on all OpenSSL implementations that use the Heartbeat extension. When exploited on a vulnerable server, it enables an attacker to read a portion of the computer's memory (up to 64 KB at a time) without leaving any traces.
To learn more about the OpenSSL vulnerability, refer to the Trend Micro article: Skipping a Heartbeat: The Analysis of the Heartbleed OpenSSL Vulnerability.
Who is affected?
The 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1.
SSFE PDG has confirmed that only the SSFE Windows client is affected by this vulnerability, and it was assigned a "LOW" risk level. The following statements explain this finding.
  • The SSFE server has two external listening ports: Port 443 (User Portal) and Port 3443 (Management Console). Both components are handled by Perlbal, and the integrated OpenSSL library is not affected by the CVE-2014-0160 Heartbleed vulnerability.
  • The SSFE Windows client uses OpenSSL 1.0.1e to communicate with the server, but the SSFE Windows application is a passive client program and does not expose any HTTPS service to receive requests. It is therefore marked as a "LOW" risk vulnerability.
  • The SSFE Android app uses OpenSSL 1.0.1e but only to encrypt files. It is not used for any connection or communication process.
Fix Availability
SSFE 2.1 Critical Patch Build 1331 is now available in the Download Center. It updates OpenSSL to version 1.0.1g to resolve CVE-2014-0160 in Windows agents. Refer to the ReadMe file for the installation procedure and prerequisites.
A new SSFE Android app build 1101 has been published in Google Play that also upgrades the OpenSSL version to 1.0.1g.
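To confirm which deployed components still carry an affected OpenSSL release, the version ranges above can be checked mechanically. The following is an added example, not Trend Micro code; the function names and the sample inventory are constructed for illustration, using only the versions named in this article.

```python
import re

# Affected per the article: OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta /
# 1.0.2-beta1. OpenSSL 1.0.1g carries the fix.
# Caveat: a version string is a first-pass check only. Distribution builds can
# backport the fix without changing the letter, and builds compiled with
# OPENSSL_NO_HEARTBEATS do not include the Heartbeat code at all.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?")


def parse_openssl_version(text):
    """Extract (major, minor, fix, letter, beta_tag) from a version or banner."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letter, beta = match.groups()
    return int(major), int(minor), int(fix), letter, beta or ""


def is_heartbleed_version(text):
    """True if the version falls in the range affected by CVE-2014-0160."""
    major, minor, fix, letter, beta = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # "" (plain 1.0.1) and letters a..f sort before "g", the fixed release.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        return beta in ("beta", "beta1")
    return False  # 0.9.8 and 1.0.0 never shipped the Heartbeat extension


def audit(inventory):
    """Return the component names whose OpenSSL version needs updating."""
    return sorted(name for name, version in inventory.items()
                  if is_heartbleed_version(version))


# Constructed inventory built from the component versions stated in the article.
SAMPLE_INVENTORY = {
    "SSFE Windows client (before Critical Patch Build 1331)": "OpenSSL 1.0.1e",
    "SSFE Windows client (Critical Patch Build 1331)": "OpenSSL 1.0.1g",
    "SSFE Android app (before build 1101)": "OpenSSL 1.0.1e",
    "SSFE Android app (build 1101)": "OpenSSL 1.0.1g",
}

if __name__ == "__main__":
    for component in audit(SAMPLE_INVENTORY):
        print("update required:", component)
```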
Category: Troubleshoot
Solution Id: 1103222