Cisco, Juniper products affected by Heartbleed

[UPDATE] Many networking products, including hardware, also run OpenSSL, the critical software component with a severe information disclosure vulnerability.
Written by Larry Seltzer, Contributor

Both Cisco and Juniper have disclosed that some of their products are affected by the Heartbleed bug.

Cisco issued an advisory on Wednesday stating that a long list of products were either confirmed vulnerable or under investigation for the vulnerability. Among the 16 products confirmed vulnerable (as of version 1.2 of the advisory) are the Cisco Unified Communication Manager (UCM) 10.0, Cisco MS200X Ethernet Access Switch and several Cisco Unified IP Phones. The 1.2 advisory lists 65 products as under investigation.

Two products, the Cisco Registered Envelope Service (CRES) and Cisco Webex Messenger Service, had been vulnerable and have been remediated. The advisory says that no Cisco hosted services are currently known to be affected. Another 62 products are confirmed not vulnerable, including many routers and Cisco IOS itself.

Although the lists of products either known to be vulnerable or under investigation includes hardware, no routers are on those lists. The advisory also indicates that for some products (Cisco Meraki) the manner in which OpenSSL is called prevents any meaningful exploitation.

Juniper has published a "High Alert" notice on their security home page. The High Alert merely gives a brief description of Heartbleed without any mention of which products may be affected.

Access to the actual advisory is restricted to registered customers. 

[UPDATE: A Juniper spokesperson provided this statement:

A subset of Juniper's products were affected by the Heartbleed vulnerability including certain versions of our SSL VPN software, which presents the most critical concern for customers. We issued a patch for our SSL VPN product on Tuesday and are working around the clock to provide patched versions of code for our other affected products.   

We encourage our customers to contact Juniper's Customer Support Center for detailed advisories and product updates. We work with customers running vulnerable products very closely to ensure they take the appropriate steps we have identified and deploy any necessary updates or mitigations in a timely manner.]

Updating of networking products can be trickier than of conventional computer systems. As security expert Bruce Schneier puts it, "[H]as anyone looked at all the low-margin non-upgradable embedded systems that use OpenSSL? An upgrade path that involves the trash, a visit to Best Buy, and a credit card isn't going to be fun for anyone."

Hat tip to the Wall Street Journal. Earlier reporting by The Register.

Editorial standards