Two vulnerabilities in ePolicy Orchestrator (ePO) have been discovered and resolved.
Intel Security recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see Knowledge Base article SB10188, Intel Security – Security Bulletin: McAfee products with multiple OpenSSL vulnerabilities
(https://kc.mcafee.com/corporate/index?page=content&id=SB10188)
AFFECTED SOFTWARE
- ePO 5.1.3 and earlier
- ePO 5.3.2 and earlier
The vulnerabilities are remediated in these versions:
- ePO 5.1.3, 5.3.1 or 5.3.2 with EPO5xHF1179774
- CVE-2017-3732 (CVSS: 5.3; Severity: Medium)
There is a carry-propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. It allows attackers to obtain sensitive private-key information via an attack against a Diffie-Hellman (DH/DHE) ciphersuite.
- CVE-2016-7055 (CVSS: 3.1; Severity: Low)
There is a carry-propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than, 256 bits. It allows attackers to cause transient authentication and key negotiation failures or reproducible erroneous outcomes of public-key operations with specially crafted input.