Advisory: OpenSSL package / Heartbleed Extension Vulnerability
Dear Raritan Customers,
It was recently discovered that some Raritan products incorporate a version of the OpenSSL package affected by the Heartbleed Extension Vulnerability. The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension: heartbleed.com
As a precaution, Raritan has released new firmware versions which address this vulnerability. We recommend that you take the time to understand if your products are impacted. If they are, please upgrade your Raritan products according to the available F/W fixes.
Updates will be posted as information becomes available.
A critical security issue (CVE-2014-0160) was found in OpenSSL version 1.0.1 through 1.0.1f. Also, variably referred to as the Heartbleed or Heartbeat bug. The Heartbleed bug is in the implementation of the heartbeat TLS extension. See Additional Comments section below for details.
: What versions of OpenSSL are affected?
- OpenSSL 1.0.1 through 1.0.1f (inclusive) ARE vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
IMPACT ON RARITAN PRODUCTS:
Below is the list of Raritan products summarizing whether they are impacted or not (based on openSSL version they are running):
Power IQ 4.1.2
Upgrade to Release 2.5.1
Upgrade to Firmware 2.5.30
Upgrade to Firmware 2.6.1
Upgrade to Firmware 3.0.1
Upgrade to Version 6.0.0
Raritan recommends that customers consult their security experts and take appropriate actions to recover from this vulnerability including installing new SSL certificates and changing passwords.