"Heartbleed Bug" (CVE-2014-0160)

(imported topic written by WeylanWang)

For those searching for official statements on the Heartbleed Bug:

An OpenSSL vulnerability was announced earlier this week in versions 1.0.1 and 1.0.2 of OpenSSL. This vulnerability is officially named “TLS heartbeat read overrun (CVE-2014-0160)” and has come to be colloquially named “The Heartbleed Bug”.

Affected Products and Versions

Platform 9.1.1065

SUA 9.1/SCA 1.4

OSD 3.3

Remote Control (TRC)

Unaffected Products

The following products are not affected by this vulnerability:

Mobile Device Management

Software Distribution

Server Automation

Patch Management

Power Management

Core Protection

Security Configuration Management

Official advisory:
http://www.openssl.org/news/secadv_20140407.txt

More details:
http://heartbleed.com

To see updates on how this vulnerability affects IEM applications, click either of the links below:

https://www.ibm.com/developerworks/community/blogs/a1a33778-88b7-452a-9133-c955812f8910/entry/security_bulletin_ibm_endpoint_manager_9_1_1065_openssl_vulnerability_update_cve_2014_0160?lang=en

http://www.ibm.com/support/docview.wss?uid=swg21670161

(imported comment written by MattPeterson)

Is there an ETA for when a new version will be released to address this?

(imported comment written by WeylanWang)

You will have to wait for an official statement from another source.

You will see in the forum that we know about an item, but not when it will be released in general, because I don’t have that information to share and may not have the current plan.

You will see a note when it IS released if I have it. But you may see it sooner than I see it released because of my hours.

(imported comment written by AlanM)

The fix has been released and you should see upgrade fixlets available.

Please pay close attention to the announcement as you will need to take other actions other than just upgrading to completely close off any potential exposure.

(imported comment written by AlanM)

My comment applies to the Platform only; you should pay attention to other announcements for the other components.