
Technical Bulletin: Heartbleed

Advisory: OpenSSL package / Heartbleed Extension Vulnerability


Dear Raritan Customers,

It was recently discovered that some Raritan products incorporate a version of the OpenSSL package affected by the Heartbleed Extension Vulnerability. The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension: heartbleed.com

As a precaution, Raritan has released new firmware versions which address this vulnerability. We recommend that you take the time to determine whether your products are impacted. If they are, please upgrade your Raritan products according to the available firmware fixes.

Updates will be posted as information becomes available.

DESCRIPTION:

A critical security issue (CVE-2014-0160), variously referred to as the Heartbleed or Heartbeat bug, was found in OpenSSL versions 1.0.1 through 1.0.1f. The bug is in the implementation of the TLS heartbeat extension. See the Additional Comments section below for details.
 

ROOT CAUSE:

From heartbleed.com: What versions of OpenSSL are affected?
  • OpenSSL 1.0.1 through 1.0.1f (inclusive) ARE vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
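
The affected range above expressed as a version check, run over the version strings from this advisory's product table. This is an added example, not Raritan or OpenSSL code; the function names and the "not covered" result for branches later than 1.0.1 are assumptions of the example.

```python
import re

# Upstream version inside strings such as "openssl-1.0.1c",
# "OpenSSL 0.9.7m" or "Openssl-1.0.1e-15.el6.x86_64".
VERSION_RE = re.compile(
    r"(?:openssl[-_ ]?)?(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE
)


def parse_openssl_version(text):
    """Return (major, minor, fix, letter), or None if no version is present."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter.lower()


def heartbleed_status(text):
    """Classify a version string against the range quoted in this advisory."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    branch, letter = parsed[:3], parsed[3]
    if branch < (1, 0, 1):
        return "not vulnerable"   # heartbeat extension not present before 1.0.1
    if branch > (1, 0, 1):
        return "not covered"      # the advisory lists nothing after 1.0.1g
    # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix.
    return "vulnerable" if letter <= "f" else "not vulnerable"


# Version strings copied from the product table in this advisory.
INVENTORY = {
    "Power IQ 4.1.2": "Openssl-1.0.0-27.el6_4.2.x86_64",
    "DSX 3.4": "OpenSSL 0.9.7m",
    "EMX2": "openssl-1.0.1c",
    "CC-SG 6.0": "Openssl-1.0.1e-15.el6.x86_64",
}


def classify(inventory):
    """Map each product name to its Heartbleed status."""
    return {name: heartbleed_status(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    for name, status in classify(INVENTORY).items():
        print(f"{name:16} {INVENTORY[name]:34} {status}")
```

A distribution package can carry a backported fix under an unchanged upstream version number, so treat a "vulnerable" result on a package string as a prompt to check the vendor's errata.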
 

IMPACT ON RARITAN PRODUCTS:

The table below lists Raritan products and whether each is impacted, based on the OpenSSL version it runs:

| Product | OpenSSL Version | Impact | Comment |
|---|---|---|---|
| Power IQ 4.1.2 | Openssl-1.0.0-27.el6_4.2.x86_64 | Not vulnerable | |
| dcTrack 3.1.0 | Openssl-0.9.8e-12.el5_5.7 | Not vulnerable | |
| DSX 3.4 | OpenSSL 0.9.7m | Not vulnerable | |
| CC-SG 5.4.0 | Openssl-0.9.8e-12.el5_4.6 | Not vulnerable | |
| DKX2 2.6.0 | Openssl-0.9.8 | Not vulnerable | |
| DKSXII, DLX, DKX2-101-V2 | Openssl-0.9.8 | Not vulnerable | |
| DPX1 | OpenSSL 0.9.8 | Not vulnerable | |
| EMX2 | openssl-1.0.1c | Vulnerable | Upgrade to Release 2.5.1 |
| DPX2 2.4.x, BCM24xx, PXE | openssl-1.0.1c | Vulnerable | Upgrade to Firmware 2.5.30 |
| DPX3/TS | openssl-1.0.1c | Vulnerable | Upgrade to Firmware 2.6.1 |
| DKX III | openssl-1.0.1c | Vulnerable | Upgrade to Firmware 3.0.1 |
| CC-SG 6.0 | Openssl-1.0.1e-15.el6.x86_64 | Vulnerable | Upgrade to Version 6.0.0 |


Recovery Procedure:

Raritan recommends that customers consult their security experts and take appropriate actions to recover from this vulnerability, including installing new SSL certificates and changing passwords.