Security Bulletin - OpenSSL update for vulnerability CVE-2018-0739
Last Modified: 2022-05-04 15:23:21 Etc/GMT
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Security Bulletin - OpenSSL update for vulnerability CVE-2018-0739
Security Bulletins ID:
SB10243
Last Modified: 2022-05-04 15:23:21 Etc/GMT Summary
First Published: July 10, 2018
要在更新本文时收到电子邮件通知,请单击 订阅 位于页面右侧。您必须登录后才能订购。
Article contents: Vulnerability Description This OpenSSL update resolves the following vulnerability. CVE-2018-0739 Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. https://nvd.nist.gov/vuln/detail/CVE-2018-0739 Remediation To remediate this issue, go to the Product Downloads site, and download the applicable product update or hotfix file:
Download and Installation Instructions For instructions to download product updates and hotfixes, see KB56057 - How to download Enterprise product updates and documentation. Review the Release Notes and the Installation Guide for instructions on how to install these updates. All documentation is available on the Product Documentation site. Frequently Asked Questions (FAQs) How do I know if my product is vulnerable? For Appliances: Use the following instructions for Appliance-based products:
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council's effort to standardize a system of assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, visit the CVSS website at: http://www.first.org/cvss/. When calculating CVSS scores, we've adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by the successful exploitation of the issue being scored. What are the CVSS scoring metrics? CVE-2018-0739:
NOTE: The below CVSS version 3.0 vector was used to generate this score. https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 在哪里可以找到所有安全/Security 公告的列表? 所有安全/Security 公告都发布在我们的 知识中心上。如果产品已停止销售和终止支持(停产),则会停用(删除)安全/Security 公告。 如何向您报告产品漏洞? 如果您有关于某个产品的安全问题或漏洞的信息,请按照 KB95563 中提供的说明进行操作 -报告漏洞。 您如何应对此问题以及报告的任何其他安全漏洞? 我们的主要优先级是我们客户的安全。如果在任何软件或服务中发现漏洞,我们会与相关的安全软件开发团队密切合作,以确保快速有效地开发修复和通信计划。 仅当公告中包含一些可操作的(例如解决方法、缓解、版本更新或修补程序)时,我们才会发布安全/Security 公告。否则,我们只是通知黑客社区我们的产品是一个目标,让客户面临更大的风险。对于自动更新的产品,可能会发布无法操作的安全/Security 公告,以确认 discoverer。 要查看我们的 PSIRT 策略,请参阅 KB95564-关于 PSIRT。 Resources 要联系技术支持, 请转至 "创建服务请求" 页面 ,然后登录到 ServicePortal。
Disclaimer 本安全/Security 公告中提供的信息按原样提供,不作任何形式的担保。我们不提供任何明示或暗示的保证,包括针对特定用途的适销性和适用性的担保。在任何情况下,我们或我们的供应商对任何损害(包括直接、间接、偶然、后果性、业务利润损失或特殊损害)都不承担任何责任,即使我们或我们的供应商已被告知有此类损害的可能性。某些省/市/自治区不允许排除或限制对后果性或偶然损害的责任,因此上述限制可能不适用。 本安全/Security 公告中提及的任何未来产品发布日期都旨在概述我们的一般产品方向,不应依赖于做出购买决定。产品发行日期仅供参考,不得纳入任何合同。产品的发行日期不是提供任何材料、代码或功能的承诺、承诺或法律义务。我们产品中所述的任何功能或功能的开发、发布和执行时间均由我们自行决定,并可随时更改或取消。 |
|