Technical Bulletin: Heartbleed

Advisory: OpenSSL package / Heartbleed Extension Vulnerability


Dear Raritan Customers,

It was recently discovered that some Raritan products incorporate a version of the OpenSSL package affected by the Heartbleed Extension Vulnerability. The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension (see heartbleed.com).

As a precaution, Raritan has released new firmware versions that address this vulnerability. We recommend that you take the time to understand if your products are impacted. If they are, please upgrade your Raritan products according to the available F/W fixes.

Updates will be posted as information becomes available.

DESCRIPTION:

A critical security issue (CVE-2014-0160), variously referred to as the Heartbleed or Heartbeat bug, was found in OpenSSL versions 1.0.1 through 1.0.1f. The Heartbleed bug is in the implementation of the heartbeat TLS extension. See the Additional Comments section below for details.
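The bounds check whose absence is the root cause, as an added C example that is not Raritan's or OpenSSL's code: it validates a received heartbeat message (RFC 6520 layout: 1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) the way the OpenSSL 1.0.1g fix does, rejecting any message whose claimed payload length exceeds the bytes actually received, and then builds a response that copies only bytes that really arrived. The function names and sample bytes are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_TYPE_REQUEST  1   /* heartbeat_request, RFC 6520 */
#define HB_TYPE_RESPONSE 2
#define HB_MIN_PADDING   16  /* RFC 6520: at least 16 bytes of padding */

enum hb_status { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Validate one received heartbeat message of rec_len bytes. OpenSSL 1.0.1g
 * checks that the claimed payload_length fits inside the bytes that actually
 * arrived; 1.0.1 through 1.0.1f trusted the field without this check. */
enum hb_status hb_validate(const uint8_t *rec, size_t rec_len, uint16_t *payload_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return HB_TOO_SHORT;                 /* no room for type, length, padding */
    if (rec[0] != HB_TYPE_REQUEST)
        return HB_BAD_TYPE;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);   /* big-endian field */
    if ((size_t)1 + 2 + claimed + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;           /* the bounds check Heartbleed lacked */
    *payload_len = claimed;
    return HB_OK;
}

/* Build the response, copying only payload bytes that were really received.
 * Returns the response length, or 0 when the request was rejected. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    uint16_t plen;
    if (hb_validate(rec, rec_len, &plen) != HB_OK)
        return 0;
    size_t need = 1 + 2 + (size_t)plen + HB_MIN_PADDING;
    if (need > out_cap)
        return 0;
    out[0] = HB_TYPE_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, plen);               /* never reads past rec_len */
    memset(out + 3 + plen, 0, HB_MIN_PADDING);    /* real code uses random padding */
    return need;
}
```

On a constructed 23-byte request carrying a 4-byte payload, hb_validate returns HB_OK and hb_build_response returns 23; if the same bytes are re-labelled as claiming a 16384-byte payload, hb_validate returns HB_LENGTH_MISMATCH and no response is built.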
 

ROOT CAUSE:

From heartbleed.com: What versions of OpenSSL are affected?
  • OpenSSL 1.0.1 through 1.0.1f (inclusive) ARE vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
 

IMPACT ON RARITAN PRODUCTS:

The table below lists Raritan products and whether each is impacted, based on the OpenSSL version it runs:

Product                     OpenSSL Version                   Impact           Comment
--------------------------  --------------------------------  ---------------  ---------------------------
Power IQ 4.1.2              Openssl-1.0.0-27.el6_4.2.x86_64   Not vulnerable
dcTrack 3.1.0               Openssl-0.9.8e-12.el5_5.7         Not vulnerable
DSX 3.4                     OpenSSL 0.9.7m                    Not vulnerable
CC-SG 5.4.0                 Openssl-0.9.8e-12.el5_4.6         Not vulnerable
DKX2 2.6.0                  Openssl-0.9.8                     Not vulnerable
DKSXII, DLX, DKX2-101-V2    Openssl-0.9.8                     Not vulnerable
DPX1                        OpenSSL 0.9.8                     Not vulnerable
EMX2                        openssl-1.0.1c                    Vulnerable       Upgrade to Release 2.5.1
DPX2 2.4.x, BCM24xx, PXE    openssl-1.0.1c                    Vulnerable       Upgrade to Firmware 2.5.30
DPX3/TS                     openssl-1.0.1c                    Vulnerable       Upgrade to Firmware 2.6.1
DKX III                     openssl-1.0.1c                    Vulnerable       Upgrade to Firmware 3.0.1
CC-SG 6.0                   Openssl-1.0.1e-15.el6.x86_64      Vulnerable       Upgrade to Version 6.0.0


Recovery Procedure:

Raritan recommends that customers consult their security experts and take appropriate actions to recover from this vulnerability, including installing new SSL certificates and changing passwords.

Submit a Support Ticket

Our tech support team is here to help you with any product-related issue you may be experiencing, including bugs and security vulnerabilities. Please submit a ticket below.

Contact Tech Support