ChrisWat
8 Posts
1
August 14th, 2014 08:00
Here is what I received for the Dell Response to OpenSSL vulnerability.
After a couple of calls to technical support here is what I'm getting for my iDRAC7 getting flagged by Foundstone security scans for the vulnerability CVE-2014-0224:
"The OPEN SSL package used here contains multiple components, the component that is impacted and vulnerable is not being used, other components in this package are being used but aren't vulnerable".
"Dell has determined that the products listed in the attached document are not affected by the vulnerabilities. Some products have leveraged an older (but not vulnerable) OpenSSL module. These could be flagged by a scanner. Dell is currently working on updating the modules to a version that will not be flagged for these issues".
I've also attempted to upload the document, hopefully it can be viewed or downloaded.
If this post has helped you please rate it.
Thanks
TBD676
2 Posts
0
June 25th, 2014 07:00
Did DELL ever respond? We have the same issue.
DELL-Chris H
Moderator
9.7K Posts
0
June 25th, 2014 09:00
Surfarn,
We are researching the issue with engineering. I should have more information shortly. I apologize for the delay.
Topcat71
3 Posts
0
June 25th, 2014 10:00
I also have the issue. We're getting hammered on scans. Updated the DRAC firmware and the vulnerability still shows on the new reports.
CEggen
3 Posts
0
June 26th, 2014 09:00
Any update on this today?
DELL-Chris H
Moderator
9.7K Posts
0
June 26th, 2014 12:00
I am awaiting a response now. Sorry again for the added delay. Thank you for being so patient while we research the issue.
Topcat71
3 Posts
0
June 26th, 2014 13:00
I ended up calling DELL and spoke to an engineer. They gave me the basic 'we're aware of the issue and working on a fix'.
t4r
1 Message
0
July 1st, 2014 09:00
Any updates on if this is a confirmed issue or when a patch will be released?
DELL-Chris H
Moderator
9.7K Posts
0
July 2nd, 2014 13:00
Sorry for the delay, and again thank you for being patient with me while researching the issue and putting together the information.
I have emailed each of you (Surfarn, Topcat71, CEggen, t4r, TBD676) individually with the results.
Let me know if this helps.
TBD676
2 Posts
0
July 3rd, 2014 05:00
Thanks Chris, the response is conflicting. iDRAC6 & earlier Affected = N, but a fix is on its way..?
DELL-Chris H
Moderator
9.7K Posts
0
July 3rd, 2014 06:00
Sorry, it is kind of confusing. We're not currently using the affected modules in OpenSSL, however, we are going to go ahead and update OpenSSL so it won't register that there is an issue. So we aren't being affected by the particular vulnerability, but we're going to use a newer version of the code anyway.
Topcat71
3 Posts
0
July 3rd, 2014 09:00
Thank you Chris. I appreciate the follow-up.
PeteSav
2 Posts
0
July 9th, 2014 05:00
Yeah, same issue for us.
Our Nexpose scans are picking up "OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224)" vulnerabilities on our iDRAC7s.
Has the new fix been released yet?
Thanks
Pete.
samuel.a.rosari
1 Message
0
July 9th, 2014 06:00
Bob1902
1 Message
0
July 9th, 2014 19:00
Hi. Can you also email the information to me? Thanks.