These vulnerabilities have been reported to the Symantec Development team.
A fixed version of the gateway that includes the latest OpenSSL version, 1.0.1u, has been created and added to later releases.
These include post 7.6 HF7: see the attached "Gateway_POST_7.6_HF7_v1.zip" file for the actual pointfix.
The latest 8.0 versions of the gateway include the following OpenSSL versions: post 8.0 HF1 (1.0.1t), 8.0 HF4 (1.0.1u).
For the changes made to the ULM agent version in SMP 7.5 SP1 HF5 regarding OpenSSL 1.0.1t, please refer to the attached "Pointfix_eTrack3947448_7.5_SP1_HF5_ULM.zip". A ReadMe document is included in the zip file.
Note: So far, no requests have been made to add version 1.0.1u to 7.5 SP1 HF5, so only the latest 7.6 and 8.0 versions were upgraded.
SMP 7.6 or higher
HOW TO INSTALL THIS POINTFIX
1. Extract the files from the archive to the NS hard drive.
2. Run PFinstaller.EXE as administrator and click the ‘Install’ button.
3. Deploy the new MSI from \\localhost\NSCap\bin\Win64\X64\SMP Internet Gateway\ to the actual gateway machine.
4. Double-click SMP_Internet_Gateway.msi and proceed through the installation steps.
OpenSSL component was upgraded
Tested the pointfix on CEM Gateway 7.6 in the following scenarios:
Verified vulnerable OpenSSL version
Verified point fix installation on NS
Verified that upgraded MSI is installable over running CEM Gateway
Verified that OpenSSL component version changed to 1.0.1t
Verified that CEM SMAs' connectivity to NS was not affected
Verified that CEM SMAs are able to send basic inventory and receive tasks
Verified that CEM SMAs are able to get package delivery via the new Gateway
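The OpenSSL version check from the list above can be scripted. The following PowerShell is an added example, not part of the Symantec pointfix: it compares the banner printed by `openssl version` against a minimum release, handling the patch-letter suffix (1.0.1t, 1.0.1u) that a plain numeric comparison ignores. The `-OpenSslExe` parameter is hypothetical, since this article does not state where the gateway installs its OpenSSL binary, and the sample banners are constructed for illustration.

```powershell
# Added example: check an OpenSSL banner against a minimum 1.0.1-series release.
param(
    [string]$OpenSslExe,          # hypothetical: path to the gateway's openssl.exe, supplied by the operator
    [string]$Minimum = '1.0.1t'   # fixed version named in this article (use 1.0.1u for the later builds)
)

function ConvertTo-OpenSslVersion {
    param([string]$Text)
    # Pre-3.0 OpenSSL releases look like "1.0.1t": three numbers plus an optional lowercase patch letter.
    if ($Text -cmatch '(\d+)\.(\d+)\.(\d+)([a-z]*)') {
        return [pscustomobject]@{
            Numeric = [version]"$($Matches[1]).$($Matches[2]).$($Matches[3])"
            Letter  = $Matches[4]
        }
    }
    throw "No OpenSSL version found in '$Text'"
}

function Test-OpenSslAtLeast {
    param([string]$Found, [string]$Required)
    $f = ConvertTo-OpenSslVersion $Found
    $r = ConvertTo-OpenSslVersion $Required
    if ($f.Numeric -ne $r.Numeric) { return $f.Numeric -gt $r.Numeric }
    # Same numeric release: the patch letter decides. A longer suffix (such as 0.9.8za) is newer than any single letter.
    if ($f.Letter.Length -ne $r.Letter.Length) { return $f.Letter.Length -gt $r.Letter.Length }
    return [string]::CompareOrdinal($f.Letter, $r.Letter) -ge 0
}

# Constructed sample banners in the format printed by "openssl version".
$samples = @(
    'OpenSSL 1.0.1s  1 Mar 2016',
    'OpenSSL 1.0.1t  3 May 2016',
    'OpenSSL 1.0.1u  22 Sep 2016'
)

# Use the real binary when a path is given, otherwise walk the constructed samples.
$banners = if ($OpenSslExe) { @(& $OpenSslExe version) } else { $samples }

foreach ($banner in $banners) {
    $status = if (Test-OpenSslAtLeast $banner $Minimum) { 'OK' } else { 'BELOW MINIMUM' }
    '{0,-30} {1}' -f $banner, $status
}
```

Run without arguments, it reports the 1.0.1s sample as BELOW MINIMUM and the 1.0.1t and 1.0.1u samples as OK.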