Cisco, Juniper products affected by Heartbleed


Summary: [UPDATE] Many networking products, including hardware, also run OpenSSL, the critical software component with a severe information disclosure vulnerability.


Both Cisco and Juniper have disclosed that some of their products are affected by the Heartbleed bug.

Cisco issued an advisory on Wednesday stating that a long list of products was either confirmed vulnerable or under investigation for the vulnerability. Among the 16 products confirmed vulnerable (as of version 1.2 of the advisory) are the Cisco Unified Communication Manager (UCM) 10.0, the Cisco MS200X Ethernet Access Switch and several Cisco Unified IP Phones. The 1.2 advisory lists 65 products as under investigation.

Two products, the Cisco Registered Envelope Service (CRES) and Cisco Webex Messenger Service, had been vulnerable and have been remediated. The advisory says that no Cisco hosted services are currently known to be affected. Another 62 products are confirmed not vulnerable, including many routers and Cisco IOS itself.

Although the lists of products either known to be vulnerable or under investigation include hardware, no routers are on those lists. The advisory also indicates that for some products (Cisco Meraki) the manner in which OpenSSL is called prevents any meaningful exploitation.
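As an added illustration, and not code from Cisco, Juniper, OpenSSL or this article, the C sketch below shows the missing bounds check at the heart of Heartbleed (CVE-2014-0160): a TLS heartbeat request handler that trusts the peer-supplied payload_length, beside one carrying the length check that the OpenSSL fix introduced. The record layout follows RFC 6520 (type, two-byte payload_length, payload, at least 16 bytes of padding); the record buffer, the "ping" payload and the secret placed in the bytes after the record are all constructed for the demo. In a real process the bytes that follow the record are whatever the heap happens to hold, which is why what leaks, and whether exploitation is meaningful, depends on how a given product uses OpenSSL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16     /* RFC 6520: padding is at least 16 bytes */
#define ARENA_SIZE   128

typedef int (*hb_handler_fn)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Vulnerable shape: copies payload_length bytes out of the record without
 * ever comparing that length to rec_len, the number of bytes actually
 * received. Returns bytes of response written, or -1 if it is not a
 * heartbeat request or the response would not fit in out. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    (void)rec_len;                          /* the bug: rec_len is never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if ((size_t)3 + payload > out_cap) return -1;   /* demo-only guard on the write side */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);      /* over-read: echoes whatever follows the record */
    return 3 + (int)payload;
}

/* Fixed shape: the claimed payload plus mandatory padding must fit inside
 * the record that was actually received; a malformed heartbeat is dropped
 * silently (return 0), as RFC 6520 requires. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap)
{
    if (rec_len < 3) return 0;              /* too short to carry a length at all */
    if (rec[0] != HB_REQUEST) return -1;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;   /* the added check */
    if ((size_t)3 + payload > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    return 3 + (int)payload;
}

/* Constructed scenario: a 4-byte "ping" request that claims 64 bytes of
 * payload, followed in memory by a stand-in for key material. Returns 1 if
 * the handler leaks the secret into its response, 0 otherwise. */
static const char SECRET[] = "private-key-material";

static int leaks_secret(hb_handler_fn handler)
{
    unsigned char arena[ARENA_SIZE];
    unsigned char out[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x40;       /* payload_length = 64 */
    memcpy(arena + 3, "ping", 4);           /* the 4 bytes actually sent */
    size_t rec_len = 3 + 4;                 /* what the record layer delivered */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);   /* "adjacent heap memory" */

    int n = handler(arena, rec_len, out, sizeof out);
    if (n <= 0) return 0;
    size_t slen = strlen(SECRET);
    for (size_t i = 3; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* A well-formed request (4-byte payload, 16 bytes padding) must still be
 * answered by both handlers; returns the response length (expected 7). */
static int well_formed_len(hb_handler_fn handler)
{
    unsigned char rec[3 + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    unsigned char out[64];
    return handler(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("well-formed request, vulnerable: %d bytes\n", well_formed_len(heartbeat_vulnerable));
    printf("well-formed request, fixed:      %d bytes\n", well_formed_len(heartbeat_fixed));
    return 0;
}
```

The over-read here stays inside a single stack buffer so the demo is memory-safe; in the real bug the same memcpy walked up to 64 KB past the end of a heap record, and each request could be repeated to sample different adjacent memory.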

Juniper has published a "High Alert" notice on its security home page. The High Alert merely gives a brief description of Heartbleed without any mention of which products may be affected.

Access to the actual advisory is restricted to registered customers. 

[UPDATE: A Juniper spokesperson provided this statement:

A subset of Juniper’s products were affected by the Heartbleed vulnerability including certain versions of our SSL VPN software, which presents the most critical concern for customers. We issued a patch for our SSL VPN product on Tuesday and are working around the clock to provide patched versions of code for our other affected products.   

We encourage our customers to contact Juniper’s Customer Support Center for detailed advisories and product updates. We work with customers running vulnerable products very closely to ensure they take the appropriate steps we have identified and deploy any necessary updates or mitigations in a timely manner.]

Updating of networking products can be trickier than of conventional computer systems. As security expert Bruce Schneier puts it, "[H]as anyone looked at all the low-margin non-upgradable embedded systems that use OpenSSL? An upgrade path that involves the trash, a visit to Best Buy, and a credit card isn't going to be fun for anyone."

Hat tip to the Wall Street Journal. Earlier reporting by The Register.

Topics: Security, Cisco, Networking



  • Juniper Security Advisories (JSA) are public

    The Juniper SIRT's public advisory can be found here:
  • Maybe Larry's PC is vulnerable...

    So I can say your Windows user is "larry" and you use SkyDrive to host ZDnet things.

    (joking, just fix link and delete this, thanks)