OpenSSL Heartbleed Bug Vulnerability
Like many other companies, Quantum has been affected by the Heartbleed bug, a serious vulnerability in the popular OpenSSL cryptographic software library (more information at nist.gov). A number of Quantum products incorporate the OpenSSL software libraries to provide cryptographic capabilities. OpenSSL releases 1.0.1 through 1.0.1f are affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve up to 64 kilobytes of memory from a connected client or server using Transport Layer Security (TLS). The vulnerability is due to a missing bounds check in the TLS Heartbeat Extension in OpenSSL.
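The missing bounds check described above, shown as an added example that is not Quantum's or OpenSSL's code: a Python inspector for raw TLS heartbeat records that rejects any heartbeat whose declared payload_length exceeds the bytes actually present in the record, which is the condition a patched OpenSSL checks before replying and the condition an IDS signature for this bug matches on. The sample records below are constructed for the check, not captured traffic.

```python
import struct
from typing import NamedTuple

TLS_HEARTBEAT = 24      # TLS ContentType for the Heartbeat extension (RFC 6520)
HB_HEADER_LEN = 3       # 1-byte message type + 2-byte payload_length
HB_MIN_PADDING = 16     # RFC 6520: at least 16 bytes of random padding

class HeartbeatVerdict(NamedTuple):
    ok: bool
    reason: str
    declared_len: int   # payload_length as declared by the peer
    available: int      # payload bytes actually present after the header

def inspect_heartbeat_record(record: bytes) -> HeartbeatVerdict:
    """Apply the bounds check OpenSSL 1.0.1 through 1.0.1f omitted.

    `record` is one raw TLS record: type(1) version(2) length(2) fragment.
    A conforming peer never declares more payload than it sent, so a
    heartbeat whose payload_length exceeds the bytes on the wire is what
    a patched stack silently drops and what an IDS signature should flag.
    """
    if len(record) < 5:
        return HeartbeatVerdict(False, "truncated TLS record header", 0, 0)
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return HeartbeatVerdict(True, "not a heartbeat record", 0, 0)
    fragment = record[5:5 + rec_len]
    if len(fragment) != rec_len:
        return HeartbeatVerdict(False, "record length exceeds bytes received", 0, len(fragment))
    if len(fragment) < HB_HEADER_LEN + HB_MIN_PADDING:
        return HeartbeatVerdict(False, "too short for header plus padding", 0, len(fragment))
    hb_type, declared = struct.unpack("!BH", fragment[:HB_HEADER_LEN])
    available = len(fragment) - HB_HEADER_LEN
    if hb_type not in (1, 2):   # 1 = heartbeat_request, 2 = heartbeat_response
        return HeartbeatVerdict(False, f"unknown heartbeat type {hb_type}", declared, available)
    # The check added in the fixed OpenSSL: header + payload + padding must fit the record.
    if HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len:
        return HeartbeatVerdict(False, f"payload_length {declared} exceeds {available} bytes present", declared, available)
    return HeartbeatVerdict(True, "well-formed heartbeat", declared, available)

# Constructed sample records (not captured traffic).
# Well-formed request: 4-byte payload "ping", declared length 4, 16 bytes of padding.
_good_fragment = struct.pack("!BH", 1, 4) + b"ping" + b"\x00" * HB_MIN_PADDING
GOOD_RECORD = struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(_good_fragment)) + _good_fragment
# Malformed request: declares 16384 payload bytes but carries nothing beyond the padding.
_bad_fragment = struct.pack("!BH", 1, 16384) + b"\x00" * HB_MIN_PADDING
BAD_RECORD = struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(_bad_fragment)) + _bad_fragment
```

Because payload_length is a 16-bit field, the largest over-declaration is 65535 bytes, which is the "up to 64 kilobytes" figure in the advisory.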
Although a number of Quantum products are impacted, in nearly all cases there is no potential vulnerability to customer data traffic. Quantum is committed to providing timely product updates to remove the Heartbleed bug, and this advisory will be updated accordingly as we move forward.
Unaffected Quantum Products
The following Quantum products are known to be unaffected by the Heartbleed bug:
- Lattus A10
- Q-EKM
- SafeNet KMIP
- Scalar Key Manager
- Scalar LTFS
- StorNext File System
- StorNext Storage Manager
- StorNext Appliances
- Superloader3
- Vision
- vmPRO
Vulnerable Quantum Products
Versions of the following Quantum products are known to be vulnerable to the Heartbleed bug:
- DXi-Series (DXi-to-DXi replication only)
- Lattus (HTTPS management and data traffic)
- Scalar i6000 (management traffic)
- Scalar i500 (management & HTTPS UI traffic)
- Scalar i40 (management & HTTPS UI traffic)
- Scalar i80 (management & HTTPS UI traffic)
- StorNext Q-series (management traffic)
- Thales KMIP (KMIP service)
Impact
Product configurations that operate UI access in Hypertext Transfer Protocol Secure (HTTPS) mode, or that enable SMI-S support, could be vulnerable to the Heartbleed bug if the product is actually subjected to a malicious attack. This could disclose memory contents, product login and password information, and secure communication certificates.
Software Versions and Fixes
Patches to Quantum software and firmware are in progress; please contact your Quantum service representative for the latest status on availability. In the meantime, Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) products available from third parties may have signatures available to stop an attack. Please contact your security product vendors for additional information.
References
- http://heartbleed.com/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
- https://www.openssl.org/news/secadv_20140407.txt
Contact Information
In the US, call 800-284-5101. In Europe, call toll free +800-7826-8888 or direct +49 6131 3241 1164. You will need your system serial number. For additional contact information, please visit our service contact center.