Networking Vendors Issue Heartbleed Fixes

The Heartbleed bug that came to light last week affected a huge swath of networking products, prompting vendors to issue alerts and updates.

Cisco on April 9 released a security advisory with a list of products affected by the OpenSSL vulnerability that included Nexus switches, Cisco IPS, and TelePresence equipment.

A Cisco spokesperson said in an email to Network Computing Monday that the company is continuing to work on patches for some products, but that many more products are unaffected by Heartbleed or have already been remediated. He said customers should check back on the advisory for the latest updates.

Juniper also released a list of affected products, which included Junos OS 13.3R1 and certain versions of the company's SSL VPN. Nearly all of the products have been updated, a spokesperson said Monday.

"Every Juniper product affected by the Heartbleed vulnerability now has a fix available except for older versions of our Unified Access Control, which we expect to provide a patch for shortly. We continue to work closely with customers to help them update their systems," the spokesperson said in an email.

Other networking vendors that reported products affected by Heartbleed include F5, Fortinet and Aruba. Carnegie Mellon CERT published a list of vendor alerts and updates.

Networking expert Tom Hollingsworth of Gestalt IT said he knew vendors were trying to get patches out as quickly as possible, but wondered how many vendors didn't disclose they were using OpenSSL in their products.

Brian Monkman, perimeter security programs manager at ICSA Labs, wrote in a blog post Monday that while much of the focus in the wake of the Heartbleed bug has been on the hundreds of thousands of potentially vulnerable websites, less attention has been paid to potentially vulnerable network security products.

"To put this into perspective, ANY product that uses OpenSSL or one of its variants to create a secure connection is potentially at risk," he wrote. "This could mean, for example, a network firewall with an outward facing administrative interface that uses an HTTPS connection may be vulnerable, or a Web application firewall that has SSL termination functionality may also be vulnerable."

For an explanation of the overall impact of Heartbleed, check out this Dark Reading blog post by Tim Sapio, a security analyst at Bishop Fox, a security consulting firm.