Security Bulletin – OpenSSL Heartbleed vulnerability
Security Bulletins ID:
SB10071
Last Modified: 5/4/2022
Last Modified: 5/4/2022
Summary
| Who Should Read This Document: | Technical and Security Personnel |
| Impact of Vulnerability: | Information Leak / Disclosure (CWE-717, OWASP 2004:A6) Cryptographic Issues - (CWE-310) |
| CVE Numbers: | CVE-2014-0160 |
| CERT/CC and Other Number: | US CERT VU#720951 |
| Severity Rating: | Medium |
| Base / Overall CVSS Score: | 5.0 / 3.9 |
| Recommendations: | Install the hotfixes listed below. Install the patches once they are released. Regenerate your private keys. Deploy new SSL certificates. Revoke old SSL certificates. |
| Security Bulletin Replacement: | None |
| Caveats: | None |
| Affected Software: |
See specific versions affected in the patch table below.
|
| Location of Updated Software: | Product Downloads site |
Description
Several products are vulnerable to OpenSSL Heartbleed. See the Product Vulnerability Status lists below for the status of each product.
The Heartbleed Bug
See the Heartbleed Bug site.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness can allow an attacker to steal information that is normally protected by the SSL/TLS encryption used to secure communications on the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read up to 64K of memory on systems using the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Only products that use the following versions of OpenSSL are vulnerable:
The Heartbleed Bug
See the Heartbleed Bug site.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness can allow an attacker to steal information that is normally protected by the SSL/TLS encryption used to secure communications on the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read up to 64K of memory on systems using the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Only products that use the following versions of OpenSSL are vulnerable:
- 1.0.1 beta 1 – beta 3
- 1.0.1
- 1.0.1.a – 1.0.1f
- 1.0.2 beta 1
This bug was introduced to OpenSSL in December 2011 and has been in production since OpenSSL release 1.0.1 on 14 March 2012. OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug.
In addition to affecting servers, it has been reported that some clients are vulnerable as well. See What clients are proven to be vulnerable to Heartbleed.
Free Heartbleed Detection Tools:
Clients
A client test server to determine if a client (endpoint) is vulnerable is available GitHub.
A python script to check for vulnerable clients is available at GitHub.
CVE-2014-0160
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
CERT/CC Vulnerability Note VU#720951
OpenSSL heartbeat extension read overflow discloses sensitive information
http://www.kb.cert.org/vuls/id/720951
CWE-119
Weakness Class Improper Restriction of Operations within the Bounds of a Memory Buffer - (119)
http://cwe.mitre.org/data/definitions/119.html
Product Vulnerability Status
Not every version of the “vulnerable and updated” products are vulnerable.
Vulnerable and Updated
- Endpoint Intelligence Agent (EIA)
- ePolicy Orchestrator (ePO)
- ePO Deep Command (eDC)
- McAfee Email Gateway (MEG)
- McAfee Real Time for ePO (RTE)
- McAfee SECURE (MS) / Trustmark
- McAfee Security for Email Servers (MSES) / GroupShield
- McAfee Security for Lotus Domino (MSLD)
- McAfee Security for Microsoft Exchange (MSME)
- McAfee Security for Microsoft SharePoint (MSMS)
- McAfee Security Information and Event Management (SIEM) / Nitro
- McAfee Web Gateway (MWG)
- SaaS Email Protection and Continuity
- SaaS Web Protection
- VirusScan Enterprise for Linux (VSEL)
Not Vulnerable
- Advanced Threat Defense (ATD) / Network Threat Response (NTR)
- All 3rd Party Consumer Modules (Mozy, LastPass/SafeKey, Daon/Personal Locker)
- All Partner Custom products
- All Platform / Web products
- Anti-Malware Core (AMC)
- Anti-Malware Engine (AME)
- Anti-Spam Engine (ASE)
- AntiVirus Engine
- Artemis / GTI Cloud Server (CS) / GTI Private Cloud (File Reputation)
- CleanBoot
- Content Security Interlock (CSI)
- Content Security Reporter (CSR)
- Data Loss Prevention Endpoint (DLPe)
- Database Activity Monitoring (DAM)
- Database Vulnerability Manager (DVM)
- Deep Defender (DD)
- DeepSAFE
- Email and Web Security (EWS) / IronMail
- Endpoint Encryption for Files and Folders (EEFF)
- Endpoint Encryption for PCs (EEPC) / McAfee Drive Encryption (MDE)
- Endpoint Encryption for Removable Media – USB (EERM)
- Endpoint Encryption Manager (EEM)
- Enterprise Mobility Manager (EMM)
- Gateway Anti-Malware Engine (GAM)
- Global Threat Intelligence (GTI)
- Host Data Loss Prevention (HDLP)
- Host Intrusion Prevention Services (HIPS)
- Management for Optimized Virtual Environments (MOVE) AntiVirus
- McAfee Agent (MA) / Common Management Agent (CMA)
- McAfee Antivirus Plus (Consumer)
- McAfee Application Control (MAC)
- McAfee Asset Manager (MAM)
- McAfee Change Control (MCC)
- McAfee Cloud Single Sign On (MCSSO) / McAfee Cloud Identity Manager (MCIM)
- McAfee Embedded Control (MEC)
- McAfee Foundation Services (MFS)
- McAfee Home Network (MHN)
- McAfee Integrity Control (MIC)
- McAfee Mobile Security (MMS)
- McAfee Policy Auditor (MPA)
- McAfee Quarantine Manager (MQM)
- McAfee Risk Manager (MRM)
- McAfee Security for App Store- Cloud (MSAS)
- McAfee Security for Mac (MSM)
- McAfee Vulnerability Manager (MVM)
- McAfee Web Reporter (MWR)
- Mobile Cloud
- Network Access Control (NAC)
- Network Data Loss Prevention (NDLP)
- Network Security Platform (NSP) / Network Security Management (NSM)
- Network Threat Behavior Analysis (NTBA)
- Network User Behavior Analysis (NUBA)
- One Time Password (OTP) / Nordic Edge / Pledge
- Pre-Install Scanner
- SaaS Account Management (SAM)
- SaaS Email Archiving
- SaaS Endpoint Protection (SEP)
- Secure Container (Android and iOS)
- Site Advisor Enterprise (SAE)
- McAfee Web Protection (MWP) / SmartFilter
- Virus Scan Enterprise (VSE)
- VirusScan for Mac (VSMac)
- Whole Disk Encryption (WDE)
- Windows Systems Security (WSS)
Remediation
Go to the Product Downloads site and download the hotfix file:
|
Product
|
Type
|
Patch Version
|
File Name
|
Release Date
|
|
EDC
|
Hotfix
|
2.1 Hotfix 962199
|
imrsdk_HF962199.zip
|
April 22, 2014**
|
|
EIA
|
Patch
|
EIA 2.2.1
|
eia_epo_deploy_221.zip
|
April 16, 2014
|
|
ePO
|
Hotfix
|
4.6.x Hotfix 960279-2
|
EPOHF960279-2.zip
|
April 11, 2014 (* reposted April 15, 2014)
|
|
ePO
|
Hotfix
|
5.0.x Hotfix 960279-2
|
EPOHF960279-2.zip
|
April 11, 2014 (* reposted April 15, 2014)
|
|
ePO
|
Hotfix
|
5.1.0 Hotfix 960279-2
|
EPOHF960279-2.zip
|
April 11, 2014 (* reposted April 15, 2014)
|
|
MEG
|
Hotfix
|
MEG 7.5h960401 OpenSSL hotfix 2846.114
|
MEG-7.5h960401-2846.114.zip
|
April 11, 2014
|
|
MEG
|
Hotfix
|
MEG 7.6h960405 OpenSSL hotfix 2810.114
|
MEG-7.6h960405-2810.114.zip
|
April 11, 2014
|
| MS | Patch | N/A | This service was patched by our partner PathDefender. | April 22, 2014 |
|
MSLD / MSDW
|
Patch
|
MSDW 7.5 Patch 2
|
HF961473
|
April 30, 2014
|
|
MSME
|
Hotfix
|
7.6 Rollup 2 (Hotfix 961473) |
HF961473
|
April 28, 2014
|
|
MSME
|
Patch
|
8.0 Patch 1 |
HF961473
|
April 25, 2014
|
|
MSMS
|
Hotfix
|
3.0 Hotfix HF961473
|
HF961473
|
April 30, 2014
|
|
MWG
|
Patch
|
7.3.2.8
|
mwgappl-7.3.2.8.0-17286.x86_64.* (use Yum)
|
April 10, 2014
|
|
MWG
|
Patch
|
7.4.1.3
|
mwgappl-7.4.1.3.0-17293.x86_64.* (use Yum)
|
April 10, 2014
|
|
OTP
|
Config
|
See recommendations below
|
N/A
|
N/A
|
|
Real Time for ePO
|
Hotfix
|
1.0.3 Hotfix (Build 104)
|
MRTBase.zip
MRTServer 1.0.3 HF.zip |
April 14, 2014
|
|
Saas Email
|
Hotfix
|
SaaS Email was dependent upon MWG.
|
Used the MWG patch
|
April 12, 2014
|
|
Saas Web
|
Hotfix
|
SaaS Email was dependent upon MWG.
|
Used the MWG patch
|
April 12, 2014
|
| SIEM |
Hotfix
|
9.1.4 20140408 (HF2)
|
Use the standard upgrade files for each SIEM device you own.
|
April 8, 2014
|
| SIEM |
Hotfix
|
9.1.4 20140408 (HF2)
|
Use the standard upgrade files for each SIEM device you own.
|
April 8, 2014
|
| SIEM |
Hotfix
|
9.1.4 20140408 (HF2)
|
Use the standard upgrade files for each SIEM device you own.
|
April 8, 2014
|
| SIEM |
Hotfix
|
9.4.0 beta1 HF1
|
Use the standard upgrade files for each SIEM device you own.
|
April 8, 2014
|
| VSEL | Hotfix | 1.7.1 Hotfix 961964 | McAfeeVSEForLinux-1.7.1.28698-HF961964.tar.gz | April 22, 2014 |
| VSEL | Hotfix | 1.9 Hotfix 960962 | McAfeeVSEForLinux-1.9.0.28822-HF960962-release.tar.gz | April 22, 2014 |
| VSEL | Hotfix | 2.0 Hotfix 960961 | McAfeeVSEForLinux-2.0.0.28948-HF960961-release.tar.gz | April 22, 2014 |
**eDC Hotfix 962199 was posted to ePO Software Manager.
In addition to installing the updates, the following actions are highly recommended:
Regenerate private keys and upgrading SSL certificates
In addition to installing the updates, the following actions are highly recommended:
Regenerate private keys and upgrading SSL certificates
This OpenSSL vulnerability creates the possibility that malicious attackers could extract private keys from an SSL server.
Customers who are using our appliances or products with the SSL feature should re-generate the private keys and SSL certificates and revoke the old certificates ASAP.
You will need to follow the process outlined by your certificate provider to re-issue your certificate using a new private key. After you have re-generated your key and certificate, you must update the certificate on our products.
Appliances, especially those that have hardcoded service accounts or special user accounts for updates, should ensure that users cannot login remotely or change the credentials.
Product Specific Notes:
ePO:
See the ReadMe file associated with the hotfix.
The hotfix should be installed to the ePO server and any remote Agent Handlers where the ssleay32.dll file version is earlier than 1.0.1.7.
If you install the hotfix then upgrade to another affected version of ePO, you must apply the hotfix again.
FIPS 140-2 installs of ePO are not vulnerable. These updates will not install in FIPS mode.
Customers who have already installed the original Hotfix 960279 and have verified their install per instructions in the release notes do not need to install the new re-posted hotfix. The only difference is that the 32-bit and 64-bit versions have been separated.
NOTE: Remote Agent Handlers are not affected by this install path issue.
The hotfix should be installed to the ePO server and any remote Agent Handlers where the ssleay32.dll file version is earlier than 1.0.1.7.
If you install the hotfix then upgrade to another affected version of ePO, you must apply the hotfix again.
FIPS 140-2 installs of ePO are not vulnerable. These updates will not install in FIPS mode.
Customers who have already installed the original Hotfix 960279 and have verified their install per instructions in the release notes do not need to install the new re-posted hotfix. The only difference is that the 32-bit and 64-bit versions have been separated.
NOTE: Remote Agent Handlers are not affected by this install path issue.
MSME, MSMS, MSDW, MSES:
McAfee Security for Microsoft Exchange (MSME), McAfee Security for Microsoft SharePoint (MSMS), McAfee Security for Lotus Domino (MSLD), and McAfee Security for Email Servers (MSES) / GroupShield can be vulnerable. They include Postgres 8.4.13, which includes OpenSSL 1.0.1f.
By default, the Postgres installation has SSL disabled. There is not an easy way for an admin enable SSL, but if it is enabled, then Postgres is vulnerable.
HotFix HF961473 updates all of these products to patch the vulnerability.
By default, the Postgres installation has SSL disabled. There is not an easy way for an admin enable SSL, but if it is enabled, then Postgres is vulnerable.
HotFix HF961473 updates all of these products to patch the vulnerability.
OpenSSL library update (#106380)
The OpenSSL library has been updated to version 1.0.1g to address the issue listed in CVE-2014-0160. The engine uses vulnerable OpenSSL routines only for its TLS management communications and cluster communications between the cluster nodes. Workaround: If you use the default template from dynamic update package 575 or newer, engine exposure is limited, as connections to vulnerable TLS endpoints are allowed only from the Management Server IP address.
One Time Password (OTP) / Nordic Edge / Pledge
None of the OTP or NordicEdge product servers are vulnerable; however some customer installations (not OTP server) include an Apache web server. The version installed by us would not be vulnerable, but if you have upgraded them yourselves, then they might have become vulnerable.
If new certificates and key pairs have been created as a precaution, then given the high level of assurance OTP’s provide, it would be prudent to re-enroll users. Do this by having all users regenerate their Pledge profiles – so if you have Pledge on your PC and mobile device, then you would need to do both. It’s only the enrollment process and the initial download by the client that is affected, but this issue has been in the wild for a long time.
Additionally the administrator can get in over HTTPS to the service to administer it.
For admins: Change your password
For users: Re-enroll on PCs and mobile devices
SaaS Email and SaaS Web:
SaaS Email Protection and Continuity and SaaS Web Protection both sit on top of MWG. MWG was the vulnerable product. The MWG patch was deployed, which fixed the SaaS Email and SaaS Web products.
VSEL
The VirusScan Enterprise Linux hotfixes update the OpenSSL package to address the below vulnerabilities:
- CVE-2010-5298 OpenSSL SSL_MODE_RELEASE_BUFFERS vulnerability
- CVE-2014-0160 - Heartbleed leaking private keys
IMPORTANT: We strongly recommend that you reset the VirusScan Enterprise for Linux administrator password after applying this Hotfix.
Intel® Products
“Multiple Intel Software Products and API Services impacted by CVE-2014-0160”
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00037&languageid=en-fr
Product download instructions:
- Launch Internet Explorer.
- Go to Product Downloads site.
- Provide your valid grant number.
- Click your product suite.
- Click the applicable product (see table above) and click I Agree.
- Click the Patches tab and click the link to download the product .ZIP file under the Product column.
For instructions to download product updates and hotfixes, see KB56057 - How to download Enterprise product updates and documentation. Review the Release Notes and Installation Guide for instructions on how to install these updates. All documentation is available at our Product Documentation site.
Workaround
There is no workaround. Only a recompile of the affected products with the non-vulnerable version of OpenSSL (1.0.1g (or later) or 1.0.2 beta 2 (or later)) or with the -DOPENSSL_NO_HEARTBEATS compiler flag set can fix this vulnerability.
Some customers are turning off outbound TLS. This keeps information from leaking; however encrypted SSL traffic is disabled.
Mitigations:
Several products have signatures to help mitigate this vulnerability. These include:
Some customers are turning off outbound TLS. This keeps information from leaking; however encrypted SSL traffic is disabled.
Mitigations:
Several products have signatures to help mitigate this vulnerability. These include:
- SIEM
- Heartbleed mitigation rules for the NitroSecurity IPS / McAfee NTP available for download via the SIEM rule server. They stop heartbleed requests from entering your network.
- Setup the ACL feature restricting web acces
- NSP – Network Security Platform
- Network detection signature – a UDS
Download the latest content for each and enable the checks if they are not enabled by default.
Acknowledgements
No acknowledgement due.
We were given no prior knowledge of this vulnerability (zero-day). It was announced late Monday, April 7, 2014. See the Heartbleed Bug site.
We were given no prior knowledge of this vulnerability (zero-day). It was announced late Monday, April 7, 2014. See the Heartbleed Bug site.
Frequently Asked Questions (FAQs)
What is affected by this security vulnerability?
eDC – ePO Deep Command:
Affected Versions:
eDC – ePO Deep Command:
Affected Versions:
- 1.5
- 2.0
- 2.1
Protected Versions:
- Update the Imrsdk.dll on ePO 4.6.x, 4.7.x, and 5.x.x servers.
NOTE: Imrsdk.dll is Intel® Active Management Technology Redirection SDK Library; ePO Deep Command uses this library.
EIA – Endpoint Intelligence Agent:
Affected Versions:
Affected Versions:
- NIA 1.0
- NIA 1.0.1
- EIA 2.0.0
- EIA 2.1.0
- EIA 2.2.0
Protected Versions:
- EIA 2.2.1 or later
NOTE: Network Integrity Agent (NIA) later changed its name to Endpoint Intelligence Agent (EIA).
ePO - ePolicy Orchestrator
Affected Versions:
ePO - ePolicy Orchestrator
Affected Versions:
- 4.5.7
- 4.6.5 - 4.6.7
- 5.0.0 - 5.0.1
- 5.1.0
Protected Versions:
- 4.5.6 and earlier
- 4.6.0 – 4.6.4*
- 4.6.x universal hotfix
- 5.0.x universal hotfix
- 5.1.x universal hotfix
NOTES:
- ePO 4.5 ended support on December 31st 2013. The recommended path to protect your systems from this vulnerability is to upgrade to one of the protected, supported versions.
- Some hotfixes for ePO 4.6.0 – 4.6.4 included a vulnerable version of OpenSSL. If you applied an ePO hotfix that upgraded Apache, please use the instructions in Product specific notes above to verify whether your server is affected.
MEG – Email Gateway:
Affected Versions:
- 7.5
- 7.6
Protected Versions:
- EWS 5.6.x and earlier
- 6.7.2 (IronMail)
- 7.0.x and earlier
- 7.5 Hotfix 960401
- 7.6 Hotfix 060405
MWG – Web Gateway:
Affected Versions:
- MWG 7.3.x
- MWG 7.4.x
Protected Versions:
- 7.1.x
- 7.2.x
- 7.3.2.8 or later
- 7.4.1.3 or later
Security for Lotus Domino Windows:
- 7.5
- 7.5 Patch 2 (HF961473) or later
Security for Microsoft Exchange:
Affected Versions:
- 7.6
- 8.0
- 7.6 Rollup 2 (HF961473) or later
- 8.0 Patch 1 (HF961473) or later
Security for Microsoft SharePoint:
Affected Versions:
- 3.0
- 3.0 Hotfix HF961473 or later
SIEM:
Affected Versions:
- 9.1.x
- 9.2.x
- 9.3.x
- 9.4.0 beta
Protected Versions:
- 9.1.4 HF2 (20140408) or later
- 9.2.2 HF5 (20140408) or later
- 9.3.2 HF7 (20140408) or later
- 9.4.0 beta1 HF1
Affected Versions:
- 1.7.1
- 1.8
- 1.9
- 2.0
- 1.7.0
- 1.7.1 Hotfix 961964 or later
- 1.9 Hotfix 960962 or later
- 2.0 Hotfix 960961 or later
We recommend that all customers verify that they have applied the latest updates.
How do I know if my product is vulnerable?
Check your product version against those in the FAQ section above.
For Endpoint products:
Use the following instructions for endpoint or client based products:
- Right-click on the McAfee tray shield icon on the Windows task bar.
- Select Open Console.
- In the console, click Action Menu.
- In the Action Menu, click Product Details.
- The product version is displayed.
For ePO and Server products:
Use the following instructions for server based products:
Use the following instructions for server based products:
- Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
For ePO integrated products:
Use the following instructions for server based products:
Use the following instructions for server based products:
- Create a query in ePO for the product version of the product installed within your organization.
For Appliance based products:
Use the following instructions for Appliance based products:
Use the following instructions for Appliance based products:
- Open the Administrator's User Interface (UI).
- Click the About link.
- The product version is displayed.
What is CVSS?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website.
What are the CVSS scoring metrics that have been used?
CVE-2014-2587
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, please visit the CVSS website.
What are the CVSS scoring metrics that have been used?
CVE-2014-2587
| Base Score | 5.0 |
| Related exploit range (AccessVector) | Network |
| Attack complexity (AccessComplexity) | Low |
| Level of authentication needed (Authentication) | None |
| Confidentiality impact | Partial |
| Integrity impact | None |
| Availability impact | None |
| Temporal Score | 3.9 |
| Availability of exploit (Exploitability) | Proof of concept code |
| Type of fix available (RemediationLevel) | Official fix |
| Level of verification that vulnerability exists (ReportConfidence) | Confirmed |
NOTES:
- CERT/CC assigned a CVSS base score of 6.4 (http://www.kb.cert.org/vuls/id/720951).
- CVSS version 2.0 vector was used to generate this score: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:OF/RC:C)
What have you done to resolve the issue?
We've released several product updates to address this security flaw.
Where do I download the fix?
Download the fix from the Product Downloads site. You will need to provide a valid gran number to initiate the download.
Where can I find a list of all Security Bulletins?
All Security Bulletins are published on our Knowledge Center. Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life).
How do I report a product vulnerability to you?
If you have information about a security issue or vulnerability with a product, follow the instructions provided in KB95563 - Report a vulnerability.
How do you respond to this and any other reported security flaws?
Our key priority is the security of our customers. If a vulnerability is found within any of our software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.
We only publish Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.
To view our PSIRT policy, see KB95564 - About PSIRT.
Resources
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
Disclaimer
The information provided in this Security Bulletin is provided as is without warranty of any kind. We disclaim all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall we or our suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if we or our suppliers have been advised of the possibility of such damages. Some states don't allow the exclusion or limitation of liability for consequential or incidental damages, so the preceding limitation may not apply.
Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they shouldn't be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates aren't a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remain at our sole discretion and may be changed or canceled at any time.
