SSL/TLS Authentication Gap – Status of Patches
Because this vulnerability is present in the SSL/TLS protocol itself, all SSL implementations will need to be patched. Software vendors will have to update their software to use the revised libraries, and users should apply any software updates as they become available.
This page has been created as a convenience for IT professionals to track availability of these patches. It is not intended to replace or supersede any direct communications from vendors, and you are encouraged to check vendor websites for the latest information regarding the availability of specific patches.
Vendor Patches:
| Vendor | Affected Products | Status of Patch(es) | ||||||||
| IETF | TLS Protocol | |||||||||
|
The fix for the TLS protocol is now an official Internet Standard (RFC 5746). |
||||||||||
| OpenSSL |
Workaround – Removes Renegotiation (OpenSSL 0.9.8l) Fix (OpenSSL 0.9.8m) |
|
||||||||
|
A new version of OpenSSL (OpenSSL 0.9.8l) has been released, which removes SSL/TLS renegotiation. While this is not a fix for the for the SSL/TLS protocol vulnerability, it does mitigate against the resulting authentication gap. The new version of OpenSSL is available at http://www.openssl.org/source/. The TLS protocol fix has been released in OpenSSL 0.9.8m.The new version of OpenSSL is available at http://www.openssl.org/source/. An OpenSSL Security Advisory has been posted at http://www.openssl.org/news/secadv_20091111.txt |
||||||||||
| Microsoft | IIS, SChannel, Internet Explorer |
|
||||||||
| Cisco | See Advisory |
|
||||||||
| A security advisory has been published by Cisco (Advisory ID: cisco-sa-20091109-tls) at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml. A list of vulnerable products has been identified. | ||||||||||
| F5 |
Workaround – Disables Renegotiation Fix |
|
||||||||
| A security advisory has been published by F5 (Advisory ID: SOL10737) at https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html (registration required). | ||||||||||
| Mozilla/Firefox/NSS |
Workaround – Disables Renegotiation Fix |
|
||||||||
| A patch, which disables renegotiation, is now available (https://bugzilla.mozilla.org/show_bug.cgi?id=526689).The TLS protocol fix has been implemented in NSS. Interoperability testing is in progress. More information on the fix is available at https://bugzilla.mozilla.org/show_bug.cgi?id=537356. | ||||||||||
| GNU TLS | Most Applications Are Not Affected |
|
||||||||
| A proposed fix has been provided by PhoneFactor and is available at http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00014.html. A final version of the patch is being tested now. | ||||||||||
| RSA |
RSA BSAFE(R) SSL-J, RSA BSAFE(R) Share for JavaTM Platform, RSA BSAFE(R) MES, RSA BSAFE(R) Share for C/C++ RSA BSAFE(R) SSL-C and RSA BSAFE(R) SSL-C ME |
|
||||||||
| Citrix | An article has been published to the Citrix Knowledge Center at http://support.citrix.com/article/CTX123359. | |||||||||
| Opera |
|
|||||||||
|
The TLS protocol fix has been implemented in 10.50, which is undergoing public testing. The final release should be available shortly. For more details, please see: |
||||||||||
| Zeus Technology |
Zeus Traffic Manager 6.0r2 |
|
||||||||
| More information is available at http://knowledgehub.zeus.com/news/2009/12/02/zeus_traffic_manager_6_0r2_released and http://support.zeus.com/zws/news/2010/01/13/zws_4_3r5_released. | ||||||||||
Progress Indicators:
|
Code Undergoing Initial Testing | ||||
|
Interoperability Testing in Progress | ||||
|
Limited Public Availability | ||||
|
Full Public Availability |
Have an Update? Let us know at communication@phonefactor.com.
