Entrust Certificate Services SSL Certificate Support

OpenSSL Security Vulnerability CVE-2014-0224

June 5, 2014

On June 5, 2014, the OpenSSL team released a security advisory (https://www.openssl.org/news/secadv_20140605.txt) that includes an SSL/TLS man-in-the-middle vulnerability (CVE-2014-0224). This vulnerability allows an attacker who is able to modify traffic between a vulnerable SSL client and a vulnerable SSL server to cause the two endpoints to agree on weak SSL keys. The attacker can then read and manipulate the SSL traffic between them.

Entrust is currently investigating the impact of this vulnerability on its products. The following products are known to contain OpenSSL:

  • IdentityGuard ISAPI Filter
  • GetAccess Runtimes
  • Discovery Agent
  • Entelligence Messaging Server
  • TransactionGuard

The following products do not contain OpenSSL, but may make use of platform-supplied libraries that contain OpenSSL:

  • IdentityGuard Mobile for Android
  • IdentityGuard Mobile SDK for Android
  • IdentityGuard Mobile Smart Credential for Android
  • IdentityGuard Mobile Smart Credential SDK for Android

Entrust products may be deployed in conjunction with third-party software such as web servers that may contain OpenSSL. Customers should check with vendors of such third-party software to determine whether they are impacted and whether security updates are available.

Please note that the presence of OpenSSL in a particular product does not necessarily indicate that the product is vulnerable to attack. Additional information on the status of each product listed above will be provided as Entrust’s investigation proceeds.
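A practical first step in the investigation described above is to inventory the OpenSSL release bundled with each product or platform and compare it against the first fixed release of its branch. The script below is an added example, not code from Entrust or from the OpenSSL project: it parses OpenSSL's letter-suffixed version strings (for example "1.0.1g" or "0.9.8za", where the suffix runs a..z and then za, zb, ...) and reports, per product, whether the installed release is at or beyond the fixed one. The `fixed_releases` table, the product version strings in `EXAMPLE_INVENTORY`, and the `is_fixed` / `scan_inventory` helper names are all constructed for illustration; the real fixed releases for CVE-2014-0224 must be taken from the OpenSSL advisory linked above.

```python
"""Compare OpenSSL version strings against a per-branch fixed-release table.

Added example for the Entrust CVE-2014-0224 bulletin; not vendor code.
All fixed-release values and inventory entries below are constructed
placeholders and must be replaced with the values in the OpenSSL advisory.
"""
import re
import ssl
from typing import Dict, List, Optional, Tuple

# Matches "1.0.1g", "0.9.8za", "1.0.1h-fips" or "OpenSSL 1.0.1g 7 Apr 2014".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Return ((major, minor, fix), letter_suffix) from any OpenSSL version text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    return nums, m.group(4)


def version_key(text: str) -> Tuple[int, int, int, int, str]:
    """Sortable key for OpenSSL releases.

    Patch letters are ordered a < b < ... < z < za < zb, so a longer suffix is
    always newer; the (len, letters) pair encodes that ordering.
    """
    nums, letters = parse_openssl_version(text)
    return nums + (len(letters), letters)


def branch_of(text: str) -> str:
    """Branch string such as '1.0.1' used to look up the fixed release."""
    nums, _ = parse_openssl_version(text)
    return ".".join(str(n) for n in nums)


def is_fixed(version_text: str, fixed_releases: Dict[str, str]) -> Optional[bool]:
    """True if at/after the branch's fixed release, False if before it,
    None if the branch is not in the table (status must be checked manually)."""
    fixed = fixed_releases.get(branch_of(version_text))
    if fixed is None:
        return None
    return version_key(version_text) >= version_key(fixed)


def scan_inventory(inventory: List[Tuple[str, str]],
                   fixed_releases: Dict[str, str]) -> Dict[str, str]:
    """Map each product to a human-readable patch status."""
    labels = {True: "patched", False: "NEEDS UPDATE", None: "unknown branch"}
    return {product: labels[is_fixed(ver, fixed_releases)]
            for product, ver in inventory}


def local_openssl_version() -> str:
    """Version string of the OpenSSL linked into this Python interpreter."""
    return ssl.OPENSSL_VERSION


# Constructed example values only; NOT the real CVE-2014-0224 fixed releases.
EXAMPLE_FIXED: Dict[str, str] = {
    "0.9.8": "0.9.8zb",   # placeholder
    "1.0.0": "1.0.0p",    # placeholder
    "1.0.1": "1.0.1k",    # placeholder
}

# Constructed inventory using product names from the bulletin with made-up versions.
EXAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("IdentityGuard ISAPI Filter", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("GetAccess Runtimes", "1.0.1k-fips"),
    ("Discovery Agent", "0.9.8y"),
    ("TransactionGuard", "1.0.2a"),
]

if __name__ == "__main__":
    for product, status in scan_inventory(EXAMPLE_INVENTORY, EXAMPLE_FIXED).items():
        print(f"{product:30s} {status}")
    print("local interpreter:", local_openssl_version())
```

Because the advisory linked above lists a separate fixed release per branch, the table is keyed by branch; a product on a branch that is not in the table is reported as "unknown branch" rather than silently treated as patched.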

Entrust customers are urged to implement the changes described in the Corrective Action section below.

Impact of Vulnerability:
The impact of the OpenSSL vulnerability on Entrust’s products is currently being investigated. This bulletin will be updated as this investigation proceeds.

Mitigating Factors:
There are no known cases involving the exploitation of this vulnerability among Entrust’s customers.

Corrective Action:
Corrective action for affected products will be provided as the investigation proceeds.

Entrust products may be deployed in conjunction with third-party software such as web servers that may contain OpenSSL. Customers should check with vendors of such third-party software to determine whether they are impacted and whether security updates are available.

Support:
Entrust customer support is available by phone at our regular support numbers.