OpenSSL Heartbleed Bug Vulnerability


Heartbleed 

Like many other companies, Quantum has been affected by the Heartbleed bug, a serious vulnerability in the popular OpenSSL cryptographic software library (more information at nist.gov). A number of Quantum products incorporate the OpenSSL software libraries to provide cryptographic capabilities. OpenSSL releases 1.0.1 through 1.0.1f are affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve up to 64 kilobytes of memory from a connected client or server using Transport Layer Security (TLS). The vulnerability is due to a missing bounds check in the TLS Heartbeat Extension in OpenSSL.
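The missing bounds check described above, shown in its corrected form as an added example (not Quantum's or OpenSSL's code): a heartbeat responder that discards any request whose length field claims more payload than the record actually contains. The function name hb_build_response, the constants and the sample bytes are hypothetical; the message layout follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type (1) | payload_length (2, big endian) | payload | padding (>= 16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Hypothetical helper, not an OpenSSL function. rec/rec_len is the heartbeat
 * record as actually received. Returns the response length written to out,
 * or -1 when the request must be silently discarded. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (!rec || !out || rec_len < HB_HEADER_LEN + HB_MIN_PADDING ||
        rec[0] != HB_REQUEST)
        return -1;

    /* Sender-controlled length field: never trust it on its own. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: header + claimed payload + padding must fit in the
     * bytes really received, otherwise the memcpy below would read past the
     * record and echo adjacent memory (up to 64 KB) back to the peer. */
    size_t needed = HB_HEADER_LEN + claimed + HB_MIN_PADDING;
    if (needed > rec_len || needed > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, claimed);
    /* Real stacks fill the padding with random bytes; zeroed here. */
    memset(out + HB_HEADER_LEN + claimed, 0, HB_MIN_PADDING);
    return (int)needed;
}

int main(void)
{
    /* Constructed sample: 4-byte payload "ping", then 16 padding bytes. */
    uint8_t req[3 + 4 + 16] = {HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    printf("honest request  -> %d\n", hb_build_response(req, sizeof req, out, sizeof out));
    req[2] = 5; /* length field now claims one byte more than was sent */
    printf("inflated length -> %d\n", hb_build_response(req, sizeof req, out, sizeof out));
    return 0;
}
```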

Although a number of Quantum products are impacted, in nearly all cases there is no potential vulnerability to customer data traffic. Quantum is committed to providing timely product updates to remove the Heartbleed bug, and this advisory will be updated accordingly as we move forward.


Unaffected Quantum Products

The following Quantum products are known to be unaffected by the Heartbleed bug:


Vulnerable Quantum Products

Versions of the following Quantum products are known to be vulnerable to the Heartbleed bug:


Impact

Product configurations that operate UI access in Hypertext Transfer Protocol Secure (HTTPS) mode, or enable SMI-S support, could be vulnerable to the Heartbleed bug if the product actually encountered a malicious attack. This could cause disclosure of memory contents, product login and password information, and secure communication certificates.
 

Software Versions and Fixes

Patches to Quantum software and firmware are in progress; please contact your Quantum service representative for the latest status on availability. In the meantime, Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS) products available from third parties may have signatures available to stop an attack. Please contact your security product vendors for additional information.
 

References

Contact Information

In US, call 800-284-5101. In Europe, call toll free +800-7826-8888 or direct +49 6131 3241 1164. You will need your system serial number. For additional contact information, please visit our service contact center.