Top ten biz software vendors reveal Heartbleed exposure

The advent of the Heartbleed Open SSL vulnerability has enterprise software development teams scrambling to figure out if they have a problem, and the news is not always good. Vulture South has ploughed through the recently updated list of the world's top 10 software vendors. Here's how each fares. Microsoft is chilling out …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Just think of all those landfill firewall routers and modems out there...

    My WRT54G just ran into the lead pipe in the Library.

    1. Trevor_Pott Gold badge

      Re: Just think of all those landfill firewall routers and modems out there...

      Shame, there are plenty of good open source OSes you could run on a 54G that would be just fine.

      Also: why would you care if your router has an SSL vulnerability? Are you insane enough to leave its management port open to the WAN? Why the fnord would you do that? Get a real OS on the damned thing, then you can VPN in to your home network for administrative tasks instead of leaving the henhouse tied up with a piece of string and a blinking neon sign visible from space advertising said fact to the local wolves.

      1. dan1980

        Re: Just think of all those landfill firewall routers and modems out there...

        I'm with Trevor - the WRT54G is pretty much the poster child of alternative firmware!

        Hell - the two most popular lines of alternate firmware - DD-WRT and OpenWRT were originally developed for that device, hence the names!

        Well, unless of course you have that one bastard model where Linksys skimped on flash memory.

        While Trevor proposes a valid solution for managing your router remotely without leaving it open on the WAN, I have to wonder why anyone really needs to manage a home router remotely anyway. I mean, there's not much you can usefully accomplish by being able to remotely administer your home router by itself.

        If you're already remote controlling your PC then you've also already got access to your router. If you don't have remote access to your PC, what's so important on the router that you need to control remotely?

        A corporate router is a different matter but a home one?

        Sorry - just thinking out loud . . .

      2. JCitizen

        Re: Just think of all those landfill firewall routers and modems out there...

        @Trevor_Pott - you said, "Are you insane enough to leave its management port open to the WAN?"

        What about when you access your router on the LAN side? I use SSL to do that too - there could be MITM malware on one of the computers in the LAN. I always assume compromise everywhere.

        1. Trevor_Pott Gold badge

          Re: Just think of all those landfill firewall routers and modems out there...

          Welp, then you've got bigger problems than someone changing your bittorrent ports.

  2. bigphil9009

    Strange Article

    Perhaps issued in a rush (and understandably so!), this article is not of the usual quality found here - full of typos, and Citrix is mentioned twice as being in trouble when the linked article says only one of the nine products is affected. The affected product needs sorting, sure, but it's not as bad as the article makes out...

    1. Anonymous Coward

      Re: Strange Article

      The point it makes is that you have to test ALL your products for Heartbleed. Whilst the media and IT focus has been primarily on the Internet-facing applications, there are far more than this. Most vendors use encryption to transfer data - anti-virus, monitoring agents, backup products - you name it, it's probably got OpenSSL in it.

      You need to get hold of publicly available scripts - prove to yourselves that they are giving good results (no false positives/negatives) and then scan the products in your estate, not just those web servers listening on 443.

      This problem is much bigger than you think it is.

  3. Steve K

    Update

    Oracle published OpenSSL Security Bug-Heartbleed (Doc ID 1645479.1) yesterday

    Steve

  4. Fortycoats

    EMC link works

    I tried the EMC link, and after logging in with my EMC Support account I can read the KB article.

    Basically, only a few products are affected. Mainly Syncplicity and Powerpath (??), as well as some beta versions of Avamar ADS and DD Boost. I was worried about ESRS Remote Support Gateway, but that doesn't use a vulnerable version of OpenSSL, so I can relax a bit, and enjoy a pint this evening.

  5. NogginTheNog

    Other devices

    I was wondering yesterday about such things as server remote management boards like the HP ILOs and Dell DRACs. I'm guessing they use some form of embedded Linux, so I wonder if a) they're vulnerable, and b) we'll ever get told?!

  6. Anonymous Coward

    HP SIM is affected

    HP Systems Insight Manager product and HP SIM agents deployed on end-point servers are vulnerable - and there is no fix from HP.

    Testing, using proven, publicly available scripts to test for Heartbleed, has shown this product and the agents to be vulnerable. There are no HP SIM products currently available from HP that don't have this bug.

    Regressing to a previous down-level version of SIM does not help, as this would re-introduce other known vulnerabilities (unrelated to OpenSSL).

    It may be possible on Linux to re-direct the binaries that HP ship with SIM to a non-vulnerable version of OpenSSL. HP SIM on Windows is proving to be more of a challenge....

    The response from HP on this has been extremely poor - no acknowledgement of the issue, and no available fix.

  7. Squander Two

    Midnight oil?

    Thank fuck none of these firms are based in France.

  8. Truth4u

    So what's going to happen

    In a month's time will we all start seeing money disappearing from accounts and stuff? What if it happens to millions of people? Is it time to start cracking heads?

  9. Anonymous Coward

    They Couldn't Be Bothered

    I've notified 3 well-known British companies so far that their websites were vulnerable.

    AND THEY DON'T CARE. THEY HAVEN'T PATCHED. THEY WILL PROBABLY NEVER PATCH.

    1. Martin-73 Silver badge

      Re: They Couldn't Be Bothered

      If they still haven't patched, name and shame?

  10. JCitizen

    Cisco and Juniper as well!

    Can we expect the "Top 10 hardware vendors" next?

  11. Anonymous Coward

    Something old, something not compiled

    The websites that I worry about are safe: they either use a pre-heartbleed version of OpenSSL or built it from source without the heartbeat option. (Whew!)
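Two comments above make a practical point: check every product in the estate that embeds OpenSSL, not only web servers on 443, and remember that a build from source without the heartbeat option is not exposed. The following added example (not from the article or any commenter) triages captured `openssl version -a` output from an inventory; the hosts, service names and version strings are constructed samples, and distro-backported fixes that keep the upstream letter still need a changelog check.

```python
import re

# Upstream OpenSSL releases that shipped Heartbleed (CVE-2014-0160):
# 1.0.1 through 1.0.1f and the 1.0.2-beta1 pre-release. 1.0.1g and
# 1.0.2-beta2 carry the fix; 1.0.0 and 0.9.8 never had the TLS heartbeat code.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def classify(version_output: str) -> str:
    """Classify `openssl version -a` output (version line plus 'compiler:' flags).

    Returns 'vulnerable', 'fixed', 'not-affected', 'heartbeat-disabled' or
    'unknown'. 'vulnerable' means "upstream version in the affected range";
    a distribution may have backported the fix without bumping the letter,
    so confirm against the package changelog before raising an incident.
    """
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return "heartbeat-disabled"  # built from source with no-heartbeats
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    major, minor, patch, letter, beta = m.groups()
    if (major, minor) != ("1", "0"):
        return "not-affected"  # 0.9.8, 1.1.x and later never had the bug
    if patch == "1":
        return "vulnerable" if letter <= "f" else "fixed"  # 1.0.1 .. 1.0.1f
    if patch == "2":
        if beta is None:
            return "fixed"  # every final 1.0.2 release post-dates the fix
        return "vulnerable" if int(beta) < 2 else "fixed"
    return "not-affected"  # 1.0.0 branch


# Constructed sample inventory: (host, service, captured version output).
SAMPLE_INVENTORY = [
    ("web01", "https/443", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("bkp02", "backup-agent/10000", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("mon03", "monitoring-agent/5666",
     "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O2"),
    ("lab04", "test-tls/8443", "OpenSSL 1.0.2-beta1 24 Feb 2014"),
    ("old05", "legacy-appliance/443", "OpenSSL 0.9.8y 5 Feb 2013"),
]


def triage(inventory):
    """Return [(host, service, status)] for entries that need follow-up."""
    return [(host, svc, classify(out)) for host, svc, out in inventory
            if classify(out) in ("vulnerable", "unknown")]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-6s %-22s %s" % row)
```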

  12. Anonymous Coward

    HP Server division finally posted an update

    http://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04239413

    Still no fixes, but at least there's a list of apps that are affected.

    Something I have been reminding my customers is that most of the Management software should be internal only anyway, and if their network is compromised to the point of letting someone attack their blade chassis or SMH, Heartbleed is not their top priority.
