Cisco, Juniper products affected by Heartbleed

Summary: [UPDATE] Many networking products, including hardware appliances, also run OpenSSL, the widely used TLS library with a severe information disclosure vulnerability.

Both Cisco and Juniper have disclosed that some of their products are affected by the Heartbleed bug.

Cisco issued an advisory on Wednesday listing products that are either confirmed vulnerable or still under investigation. Among the 16 products confirmed vulnerable (as of version 1.2 of the advisory) are Cisco Unified Communications Manager (UCM) 10.0, the Cisco MS200X Ethernet Access Switch and several Cisco Unified IP Phones. The 1.2 advisory lists a further 65 products as under investigation.

Two hosted services, the Cisco Registered Envelope Service (CRES) and the Cisco Webex Messenger Service, had been vulnerable and have since been remediated; the advisory says that no Cisco hosted services are currently known to be affected. Another 62 products are confirmed not vulnerable, including many routers and Cisco IOS itself.

Although the lists of products either known to be vulnerable or under investigation include hardware, no routers are on those lists. The advisory also indicates that for some products (the Cisco Meraki line) the manner in which OpenSSL is called prevents any meaningful exploitation.

Juniper has published a "High Alert" notice on its security home page. The High Alert merely gives a brief description of Heartbleed, without any mention of which products may be affected.

Access to the actual advisory is restricted to registered customers. 

[UPDATE: A Juniper spokesperson provided this statement:

A subset of Juniper’s products were affected by the Heartbleed vulnerability including certain versions of our SSL VPN software, which presents the most critical concern for customers. We issued a patch for our SSL VPN product on Tuesday and are working around the clock to provide patched versions of code for our other affected products.

We encourage our customers to contact Juniper’s Customer Support Center for detailed advisories and product updates. We work with customers running vulnerable products very closely to ensure they take the appropriate steps we have identified and deploy any necessary updates or mitigations in a timely manner.]

Updating networking products can be trickier than updating conventional computer systems, since many of them ship OpenSSL inside firmware that the customer cannot patch independently of the vendor. As security expert Bruce Schneier puts it, "[H]as anyone looked at all the low-margin non-upgradable embedded systems that use OpenSSL? An upgrade path that involves the trash, a visit to Best Buy, and a credit card isn't going to be fun for anyone."

Hat tip to the Wall Street Journal. Earlier reporting by The Register.

Topics: Security, Cisco, Networking

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...

