ASA 9.2(1) OpenSSL 1.0.1e, Heartbleed vulnerable?

lanbrown
Level 1

I have a TAC case opened because according to the release notes for 9.2(1) it states that OpenSSL has been upgraded to 1.0.1e. The release notes for ASDM 7.2(1) state the same. So far the TAC engineer could not rule out that 9.2(1) indeed does have a vulnerable release of OpenSSL in it. I will update this thread when TAC has confirmed or denied that 9.2(1) is vulnerable to Heartbleed.
 

Accepted Solutions

joseoroz
Cisco Employee

Hello Ian Brown,

The ASA 9.2.1 is not vulnerable:

OpenSSL upgrade

The version of OpenSSL on the ASA will be updated to version 1.0.1e.

Note: We disabled the heartbeat option, so the ASA is not vulnerable to the Heartbleed Bug.

We did not introduce or modify any commands.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/release/notes/asarn92.html

I hope you find this information helpful.
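
The release note quoted above turns on whether the heartbeat extension is offered, not on the OpenSSL version string. As an added example (not part of the original posts and not Cisco code), this Python parser reads a ServerHello record and reports whether the RFC 6520 heartbeat extension (type 15) is advertised. The function names and sample bytes are constructed here, and it assumes the record comes from a handshake in which the client offered heartbeat.

```python
import struct

HEARTBEAT_EXT = 15  # RFC 6520 extension type
MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}

def server_hello_extensions(record: bytes) -> dict:
    """Return {ext_type: ext_data} from one TLS record holding a ServerHello."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 2:
        raise ValueError("first handshake message is not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 38:                     # minimum size with empty session_id
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                           # server_version + random
    pos += 1 + body[pos]                   # session_id length byte + session_id
    pos += 2 + 1                           # cipher_suite + compression_method
    exts = {}
    if pos >= len(body):                   # the extensions block is optional
        return exts
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end > len(body):
        raise ValueError("extensions length exceeds message")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        if pos + 4 + elen > end:
            raise ValueError("extension overruns extensions block")
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def heartbeat_status(record: bytes) -> str:
    """'not advertised' means the server did not negotiate heartbeat."""
    data = server_hello_extensions(record).get(HEARTBEAT_EXT)
    if data is None:
        return "not advertised"
    return MODES.get(data[0], "unknown mode") if data else "malformed"

def build_sample(extensions: bytes) -> bytes:
    """Constructed TLS 1.2 ServerHello (zero random, empty session_id)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

RENEG = b"\xff\x01\x00\x01\x00"            # constructed: renegotiation_info
HEARTBEAT = b"\x00\x0f\x00\x01\x01"        # constructed: heartbeat, mode 1
```
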

Earlier the Release Notes didn't have that note of:

Note: We disabled the heartbeat option, so the ASA is not vulnerable to the Heartbleed Bug.

I have the original PDF that was on Cisco.com earlier which lacked the note about heartbeat being disabled.

But now, thanks to Jose Orozco, you have the information :) so problem fixed.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I agree. A double VIP endorsement to Jose. :)
