Is the Symantec Protection Engine (SPE) affected by the Heartbleed OpenSSL vulnerability (CVE-2014-0160)?
Last Updated June 12, 2014
You wish to know if the Symantec Protection Engine (SPE) is affected by the "Heartbleed" OpenSSL bug (CVE-2014-0160), which allows highly sensitive material such as primary key information to be accessed illicitly via a defect in the implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520).
The Symantec Protection Engine (SPE) is NOT AFFECTED by this vulnerability, as it does not use the TLS / DTLS functionality from OpenSSL; however, an optional patch is offered in this document, simply to exclude the specific OpenSSL version (1.0.1e) from the build. This patch is built with OpenSSL 1.0.1g, and after its application the product build number is SPE 18.104.22.168 (HF03).
IMPORTANT NOTE: This proactive patch is purely OPTIONAL. SPE 22.214.171.124 is NOT AFFECTED by the Heartbleed vulnerability without this patch.
IMPORTANT NOTE 2: The previous hotfix (HF02) was withdrawn so that the OpenSSL components could also be updated for SPE's other auxiliary components, such as Titanium, Lux, and Defutils (described in the ReadMe). If you have already applied HF02 (SPE 126.96.36.199), it can be safely overwritten by this HF03, or you can update directly from SPE 188.8.131.52 (no patch). Note that both HF02 and HF03 are OPTIONAL and SPE IS NOT AFFECTED by the CVE-2014-0160 vulnerability without HF02/HF03.
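To confirm which OpenSSL build an installation actually carries before and after the optional patch (1.0.1e versus 1.0.1g), the following added example, which is not Symantec's code, scans a directory tree for the version banner OpenSSL embeds in its libraries and marks versions in the CVE-2014-0160 range (1.0.1 through 1.0.1f). The file names and sample bytes are constructed for illustration; point `scan_tree` at the real install directory.

```python
import re
import tempfile
from pathlib import Path

# OpenSSL libraries embed a banner such as b"OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-fips)? \d")

# CVE-2014-0160 is present in 1.0.1 through 1.0.1f and fixed in 1.0.1g.
AFFECTED_LETTERS = {"", "a", "b", "c", "d", "e", "f"}


def in_heartbleed_range(base: str, letter: str) -> bool:
    return base == "1.0.1" and letter in AFFECTED_LETTERS


def scan_file(path: Path) -> dict:
    """Map each embedded OpenSSL version in one file to True if in range."""
    found = {}
    for m in BANNER.finditer(path.read_bytes()):
        base, letter = m.group(1).decode(), m.group(2).decode()
        found[base + letter] = in_heartbleed_range(base, letter)
    return found


def scan_tree(root: Path) -> dict:
    """Scan every regular file under root; keep only files with a banner."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        try:
            versions = scan_file(path)
        except OSError:  # unreadable file: skip rather than abort the audit
            continue
        if versions:
            report[path.relative_to(root).as_posix()] = versions
    return report


if __name__ == "__main__":
    # Constructed sample tree standing in for an install directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "old_lib.bin").write_bytes(b"\x00\x7fOpenSSL 1.0.1e 11 Feb 2013\x00")
        (root / "new_lib.bin").write_bytes(b"\x00OpenSSL 1.0.1g 7 Apr 2014\x00")
        (root / "readme.txt").write_bytes(b"no crypto library here")
        for name, versions in scan_tree(root).items():
            for version, affected in versions.items():
                print(name, version, "IN RANGE" if affected else "ok")
```

A banner in the affected range identifies the bundled library only; whether the heartbeat code is reachable depends on whether the product uses OpenSSL's TLS/DTLS functionality, which this document states SPE does not.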
Does the OpenSSL CVE-2014-0160 ("Heartbleed") vulnerability impact SPE 7.5.x?