Email and Web Security/Email Gateway response to multiple OpenSSL vulnerabilities (Vulnerable)
Technical Articles ID:   KB82121
Last Modified:  3/1/2017
Environment

McAfee Email and Web Security (EWS) 5.6
McAfee Email Gateway (MEG) 7.6

Problem

The following vulnerabilities have been reported as present in the version of OpenSSL used by EWS 5.6 and MEG 7.6:
  • SSL/TLS MITM vulnerability (CVE-2014-0224)
  • DTLS recursion flaw (CVE-2014-0221)
  • DTLS invalid fragment vulnerability (CVE-2014-0195)
  • SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
  • SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
  • Anonymous ECDH denial of service (CVE-2014-3470)
  • ECDSA nonce recovery through the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" (CVE-2014-0076)
NOTE: For information on the scope of these vulnerabilities, see SB10075.

Solution

Email Gateway 7.6
This issue was resolved in MEG 7.6.2 and is fixed in all later versions. This version reached End of Life on October 30, 2016. For best results, upgrade to a supported version. See KB85857.


Email and Web Security 5.6
This issue was resolved in Hotfix EWS-5.6h973308, which is available from the Product Downloads site.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.
