Top 30 Targeted High Risk Vulnerabilities

Number: TR15-004
Date: 30 April 2015

Purpose

The purpose of this technical report is to provide an overview of the highest risk software vulnerabilities that are being exploited to target critical infrastructure organizations, along with prevention and mitigation recommendations. This assessment was developed in collaboration with our partners in the United States, United Kingdom, the Australian Cyber Security Centre (ACSC), and New Zealand.

Assessment

Advanced persistent threats (APT) and cyber criminals continue to exploit unpatched software to conduct attacks against critical infrastructure organizations. Unpatched software vulnerabilities provide cyber threat actors entry points into a network. CCIRC recommends organizations ensure their networks are protected against the vulnerabilities outlined in this report.

What is a Vulnerability?

Cyber security vulnerabilities are defined as flaws or weaknesses in computer software that could allow a malicious actor to compromise the integrity, availability, or confidentiality of a system or network.

Publicly known vulnerabilities are tracked with the Common Vulnerabilities and Exposures (CVE) system. This system creates a unique identifier for all new vulnerabilities, establishing a standard reference for information security professionals.

A vulnerability is only part of what is required to compromise a system. Three basic requirements must be met in order for malicious actors to successfully conduct an attack:

Being aware of the most frequently exploited vulnerabilities and ensuring they are patched hardens your organization's defences.

Maintaining Up-To-Date Software

At times, the number of patches required can seem overwhelming. This is why it is necessary for all organizations to establish a strong ongoing patch management process to ensure the proper preventive measures are taken against potential threats. The longer a system remains unpatched, the longer it is vulnerable to being compromised. Once a patch has been publicly released, the underlying vulnerability can be reverse engineered by malicious actors in order to create an exploit. This process has been documented to take anywhere from 24 hours to four days. Timely patching is one of the lowest-cost yet effective steps an organization can take to minimize its exposure to the threats facing its network.

Impacts of Network Compromise

Unpatched vulnerabilities allow malicious actors an entry point into your network. Once inside, attackers can conduct a number of damaging activities including:

The impact of the resulting infection can be severe, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

Most Commonly Exploited Vulnerabilities

Executives should ensure the following software vulnerabilities have been patched by their organization's information security professionals.

Microsoft Products

| CVE | Affected Products / Versions | Patching Information |
|---|---|---|
| CVE-2006-3227 | Internet Explorer 6 | Mitigation Information |
| CVE-2008-2244 | Office Word 2002 SP3 | Mitigation Information |
| CVE-2009-3129 | Office Excel 2002 SP3; Office Excel 2003 SP3; Office Excel 2007 SP1 and SP2; Office 2004 for Mac; Office 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 | Mitigation Information |
| CVE-2009-3674 | Internet Explorer 8 | Mitigation Information |
| CVE-2010-0806 | Internet Explorer 6, 6 SP1, and 7 | Mitigation Information |
| CVE-2010-3333 | Office XP SP3; Office 2003 SP3; Office 2007 SP2; Office 2010; Office 2004 for Mac; Office 2008 for Mac; Office for Mac 2011; Open XML File Format Converter for Mac | Mitigation Information |
| CVE-2011-0101 | Microsoft Excel 2002 SP3 | Mitigation Information |
| CVE-2012-0158 | Office 2003 SP3; Office 2007 SP2 and SP3; Office 2010 Gold and SP1; Office 2003 Web Components SP3; SQL Server 2000 SP4; SQL Server 2005 SP4; SQL Server 2008 SP2, SP3, and R2; BizTalk Server 2002 SP1; Commerce Server 2002 SP4; Commerce Server 2007 SP2; Commerce Server 2009 Gold and R2; Visual FoxPro 8.0 SP1; Visual FoxPro 9.0 SP2; Visual Basic 6.0 Runtime | Mitigation Information |
| CVE-2012-1856 | Office 2003 SP3; Office 2003 Web Components SP3; Office 2007 SP2 and SP3; Office 2010 SP1; SQL Server 2000 SP4; SQL Server 2005 SP4; SQL Server 2008 SP2, SP3, R2, R2/SP1, and R2/SP2; Commerce Server 2002 SP4; Commerce Server 2007 SP2; Commerce Server 2009 Gold and R2; Host Integration Server 2004 SP1; Visual FoxPro 8.0 SP1; Visual FoxPro 9.0 SP2; Visual Basic 6.0 Runtime | Mitigation Information |
| CVE-2012-4792 | Internet Explorer 6 through 8 | Mitigation Information |
| CVE-2013-0074 | Microsoft Silverlight 5, and 5 Developer Runtime, before 5.1.20125.0 | Mitigation Information |
| CVE-2013-1347 | Internet Explorer 8 | Mitigation Information |
| CVE-2014-0322 | Internet Explorer 9; Internet Explorer 10 | Mitigation Information |
| CVE-2014-1761 | Microsoft Word 2003 SP3; Microsoft Word 2007 SP3; Microsoft Word 2010 SP1 and SP2; Microsoft Word 2013; Microsoft Word 2013 RT; Office Word Viewer; Office Compatibility Pack SP3; Office for Mac 2011; Word Automation Services on SharePoint Server 2010 SP1 and SP2 and Word Automation Services on SharePoint Server 2013; Office Web Apps 2010 SP1 and SP2; Office Web Apps Server 2013 | Mitigation Information |
| CVE-2014-1776 | Internet Explorer 6 through 11 | Mitigation Information |
| CVE-2014-4114 | Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT Gold and 8.1 | Mitigation Information |

Oracle Java

| CVE | Affected Products / Versions | Patching Information |
|---|---|---|
| CVE-2012-1723 | JDK and JRE 7 Update 4 and earlier; JDK and JRE 6 Update 32 and earlier; JDK and JRE 5.0 Update 35 and earlier; SDK and JRE 1.4.2_37 and earlier | Mitigation Information |
| CVE-2013-2465 | JDK and JRE 7 Update 21 and earlier; JDK and JRE 6 Update 45 and earlier; JDK and JRE 5.0 Update 45 and earlier | Mitigation Information |

Adobe Products

Adobe ColdFusion

| CVE | Affected Products / Versions | Patching Information |
|---|---|---|
| CVE-2013-0625 | Adobe ColdFusion 9.0, 9.0.1, and 9.0.2 | Mitigation Information |
| CVE-2013-0632 | Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 | Mitigation Information |
| CVE-2013-3336 | Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 | Mitigation Information |
| CVE-2013-5326 | Adobe ColdFusion 9.0 before Update 12, 9.0.1 before Update 11, 9.0.2 before Update 6, and 10 before Update 12 | Mitigation Information |

Adobe Reader

| CVE | Affected Products / Versions | Patching Information |
|---|---|---|
| CVE-2010-2883 | Adobe Reader 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X | Mitigation Information |
| CVE-2011-2462 | Adobe Reader 10.1.1 and earlier on Windows and Mac OS X; Adobe Reader 9.x through 9.4.6 on UNIX | Mitigation Information |
| CVE-2013-2729 | Adobe Reader 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 | Mitigation Information |
| CVE-2009-3953 | Adobe Reader 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 | Mitigation Information |
| CVE-2010-0188 | Adobe Reader 8.x before 8.2.1 and 9.x before 9.3.1 | Mitigation Information |
| CVE-2011-0611 | Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows and 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X | Mitigation Information |

Adobe Acrobat

| CVE | Affected Products / Versions | Patching Information |
|---|---|---|
| CVE-2009-3953 | Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 | Mitigation Information |
| CVE-2010-0188 | Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 | Mitigation Information |
| CVE-2010-2883 | Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X | Mitigation Information |
| CVE-2011-0611 | Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X | Mitigation Information |
| CVE-2011-2462 | Acrobat 10.1.1 and earlier on Windows and Mac OS X | Mitigation Information |
| CVE-2013-2729 | Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 | Mitigation Information |

Adobe Flash Player

| CVE | Affected Products / Versions | Patching Information |
|---|---|---|
| CVE-2011-0611 | Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux and Solaris; Adobe Flash Player 10.2.156.12 and earlier on Android | Mitigation Information |
| CVE-2014-0564 | Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and OS X and before 11.2.202.411 on Linux | Mitigation Information |

Adobe AIR

| CVE | Affected Products / Versions | Patching Information |
|---|---|---|
| CVE-2011-0611 | Adobe AIR before 2.6.19140 | Mitigation Information |
| CVE-2014-0564 | Adobe AIR before 15.0.0.293; Adobe AIR SDK before 15.0.0.302; Adobe AIR SDK & Compiler before 15.0.0.302 | Mitigation Information |

OpenSSL

| CVE | Affected Products / Versions | Patching Information |
|---|---|---|
| CVE-2014-0160 | OpenSSL v 1.0.1 - 1.0.1f | Mitigation Information |

Comprehensive Mitigation Strategies

As part of a comprehensive security strategy, CCIRC recommends that network administrators implement the following four mitigation strategies, which can help prevent as much as 85% of targeted cyber attacks:

| Ranking | Mitigation Strategy | Rationale |
|---|---|---|
| 1 | Use application whitelisting to help prevent malicious software and unapproved programs from running. | Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software. |
| 2 | Patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office. | Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker. |
| 3 | Patch operating system vulnerabilities. | |
| 4 | Restrict administrative privileges to operating systems and applications based on user duties. | Restricting these privileges may prevent malware from running or limit its capability to spread through the network. |

CCIRC also recommends that partners review CCIRC's Mitigation Guidelines for Advanced Persistent Threats and US-CERT's Security Tip (ST13-003) for additional background information and to assist in the detection of, response to, and recovery from malicious activity linked to advanced persistent threats.

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca



Appendix: Commonly Exploited Vulnerabilities Patching Information

Microsoft Multiple Products

CVE-2006-3227

This vulnerability affects Internet Explorer 6, which might allow remote attackers to modify the visual presentation of web pages and possibly bypass protection mechanisms such as content filters via ASCII characters with the 8th bit set, which could be stripped by Internet Explorer to render legible text, but not when using other browsers.

Microsoft's reference to this vulnerability can be found on their Malware Protection Centre. No known security bulletin.

CVE-2008-2244

This vulnerability affects Word 2002 SP3 and Word 2003 SP2/SP3. Microsoft recommends that customers apply update MS08-042 at the earliest opportunity.

Note: Mainstream Support ended on July 11, 2006 for Word 2002 and on April 14, 2009 for Word 2003. This change has affected your software updates and security options.

CVE-2009-3674

This vulnerability affects Internet Explorer 8 only.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

CVE-2009-3129

This vulnerability affects numerous Microsoft products: Office 2004 and 2008 for Mac, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Office Excel 2002 SP3, Office Excel 2003 SP3, Office Excel 2007 SP1 and SP2, Office Excel Viewer 2003 SP3, Office Excel Viewer SP1 and SP2, Open XML File Format Converter for Mac.

Microsoft recommends that customers apply update MS09-067 at the earliest opportunity.

Note: Mainstream Support ended on July 11, 2006 for Excel 2002, on April 14, 2009 for Excel 2003, and on October 9, 2012 for Excel 2007. This change has affected your software updates and security options.

CVE-2010-0806

This vulnerability affects Internet Explorer 6, 6 SP1 and 7.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Note: Previous workarounds will have to be reversed prior to installation of this update.

CVE-2010-3333

This vulnerability affects numerous Microsoft products: Office 2003 SP3, Office 2004 for Mac, Office 2007 SP2, Office 2008 for Mac, Office 2010, Office for Mac 2011, Office XP SP3, Open XML File Format Converter for Mac. Microsoft recommends that customers apply update MS10-087 at the earliest opportunity.

Note: Mainstream Support ended on April 14, 2009 for Office 2003, on January 10, 2012 for Office 2004 for Mac, on October 9, 2012 for Office 2007, on April 9, 2013 for Office 2008 for Mac, and on July 11, 2006 for Office XP. This change has affected your software updates and security options.

CVE-2011-0101

This vulnerability only affects Excel 2002 SP3.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Note: Mainstream Support ended for Excel 2002 on July 11, 2006. This change has affected your software updates and security options.

CVE-2012-0158

This vulnerability affects numerous Microsoft products: BizTalk Server 2002 SP1, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 Gold and SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2/SP3/R2, Visual Basic 6.0 Runtime, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Note: Mainstream Support has ended for affected products except Office 2010. This change has affected your software updates and security options.

CVE-2012-1856

This vulnerability affects numerous Microsoft products: Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2/SP3/R2/R2 SP1/R2 SP2, Visual Basic 6.0 Runtime, Visual FoxPro 8.0 SP1 and Visual FoxPro 9.0 SP2.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Note: Mainstream Support has ended for affected products except Office 2010. This change has affected your software updates and security options.

CVE-2012-4792

This vulnerability affects Internet Explorer versions 6, 7 and 8.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

CVE-2013-1347

This vulnerability only affects Internet Explorer 8.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

CVE-2013-0074

This vulnerability only affects Silverlight 5 and 5 Developer Runtime before 5.1.20125.0.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

CVE-2014-1761

This vulnerability affects numerous Microsoft products: Office Compatibility Pack SP3, Office for Mac 2011, Office Web Apps 2010 SP1 and SP2, Office Web Apps Server 2013, Office Word 2003 SP3, Office Word 2007 SP3, Office Word 2010 SP1/SP2, Office Word 2013/2013 RT, Office Word Viewer, Word Automation Services on SharePoint Server 2010 SP1/SP2 and Word Automation Services on SharePoint Server 2013.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Note: Mainstream Support ended on April 14, 2009 for Word 2003 and on October 9, 2012 for Word 2007. This change has affected your software updates and security options.

CVE-2014-4114

This vulnerability affects numerous versions of Windows operating systems: Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2008 SP2/R2 SP1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows Vista SP2.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Note: Mainstream Support ended on January 13, 2015 for Windows 7 and Windows Server 2008, and on April 10, 2012 for Windows Vista. This change has affected your software updates and security options.

CVE-2014-0322

This vulnerability only affects Internet Explorer 9 and 10.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

CVE-2014-1776

This vulnerability affects versions of Internet Explorer 6, 7, 8, 9, 10 and 11.

Microsoft advised that customers who have automatic updating enabled will not need to take any action. Customers who have not enabled automatic updating need to check for updates and install this update manually. Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

Oracle Java

Versions of JDK & JRE 7 Update 4 and earlier are affected by CVE-2012-1723 while Update 21 and earlier are affected by CVE-2013-2465. These versions should be updated by following the below links.

Versions of JDK and JRE 6 Update 32 and before are affected by CVE-2012-1723 while Update 45 and earlier are affected by CVE-2013-2465. These versions should be updated by following the below links. Note: Oracle no longer posts updates of Java SE 6 to its public download sites as of February 2013.

Versions of JDK and JRE 5 Update 35 and before are affected by CVE-2012-1723 while Update 45 and earlier are affected by CVE-2013-2465. These versions should be updated by following the below links. Note: Oracle no longer posts updates of Java SE 5 to its public download sites as of October 2009.

Versions of SDK and JRE 1.4.2_37 and earlier are affected by CVE-2012-1723 and should be updated by following the below links.

Patching Resources


Adobe

Adobe ColdFusion

Versions 9.0 to 9.02 and 10 are affected by CVE-2013-0625, CVE-2013-0632, CVE-2013-3336, and CVE-2013-5326 and hot fixes should be applied following the below links.

Note: Support has ended for ColdFusion 9.x – End of Core Support date Dec 31, 2014.


Adobe Acrobat

Versions 7.1.4 and earlier are affected by CVE-2009-3953 and should be updated by following the below links. Note: Acrobat 7.x on Windows, Macintosh and UNIX platforms – End of Core Support date Dec 28, 2004.

Versions 8.2 and earlier are affected by CVE-2009-3953, CVE-2010-0188 and CVE-2010-2883 and should be updated by following the below links. Note: Acrobat 8.x on Windows, Macintosh and UNIX platforms – End of Core Support date Nov 3, 2011.

Versions 9.5.5 and earlier are affected by CVE-2009-3953, CVE-2010-0188, CVE-2010-2883, CVE-2011-0611 and CVE-2013-2729 and should be updated by following the below links. Note: Support has ended for Acrobat 9.x on Windows, Macintosh and UNIX platforms – End of Core Support date Jun 6, 2013.

Versions 10.0.3 and earlier are affected by CVE-2011-0611, CVE-2011-2462 and CVE-2013-2729 and should be updated by following the below links.

Versions 11.0.03 and earlier are affected by CVE-2013-2729 and should be updated by following the below links.


Adobe Flash Player

Versions 10.2.154.27 and earlier, 11.2.202.411 and earlier on Linux, 13.0.0.250 and 14.x and 15.x before 15.0.0.189 are affected by CVE-2011-0611 and CVE-2014-0564 and should be updated following the below links.

Versions 10.2.146.12 and earlier for Android are affected by CVE-2011-0611 and should be updated by browsing the Android Marketplace on an Android device.


Adobe Reader

Versions 7.1.4 and earlier are affected by CVE-2009-3953 and should be updated by following the below links. Note: Support has ended for Reader 7.x on Windows, Macintosh and UNIX platforms – End of Core Support date Dec 28, 2004.

Versions 8.x and earlier are affected by CVE-2009-3953, CVE-2010-0188 and CVE-2010-2883 and should be updated by following the below links. Note: Support has ended for Reader 8.x on Windows, Macintosh and UNIX platforms – End of Core Support date Nov 3, 2011.

Versions 9.5.5 and earlier are affected by CVE-2009-3953, CVE-2010-0188, CVE-2010-2883, CVE-2011-0611, CVE-2011-2462 and CVE-2013-2729 and should be updated by following the below links. Note: Support has ended for Reader 9.x on Windows, Macintosh and UNIX platforms – End of Core Support date Jun 26, 2013.

Versions 10.1.1 and earlier are affected by CVE-2011-0611, CVE-2011-2462 and CVE-2013-2729 and should be updated by following the below links.

Versions 11.x before 11.0.03 are affected by CVE-2013-2729 and should be updated by following the below links.

Adobe AIR

Versions 2.6.19140 and earlier are affected by CVE-2011-0611 and versions 15.0.0.0293 and earlier are affected by CVE-2014-0564 and should be updated to the latest version of Adobe AIR.

Versions of Air SDK prior to 15.0.0.302 and Air SDK Compiler before 15.0.0.302 are affected by CVE-2014-0564 and should be updated to the latest version of Adobe AIR SDK & Compiler.


OpenSSL

CVE-2014-0160

This vulnerability affects OpenSSL versions 1.0.1 through 1.0.1f and could expose private data to a remote, unauthenticated attacker through incorrect memory handling in the TLS heartbeat extension. This could allow a remote attacker to decrypt secure traffic and expose credentials and secret keys. OpenSSL is a popular application commonly used in web browsing, email and instant messaging to provide security and privacy. It is recommended that system administrators test and deploy the vendor-released updates to affected platforms accordingly. For clients unable to upgrade immediately, consider disabling OpenSSL Heartbeat support.
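The affected-version ranges listed in this report can be checked mechanically against a software inventory. The following is an added example, not part of the CCIRC report: the rules transcribe a subset of the report's thresholds, while the inventory, host names and function names are constructed for illustration.

```python
import re

def dotted(v):
    """Parse a dotted numeric version: '15.0.0.189' -> (15, 0, 0, 189)."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in v.split("."))

def openssl(v):
    """Parse the pre-3.0 OpenSSL scheme: '1.0.1f' -> (1, 0, 1, 'f').

    A release with no letter sorts before 'a', so '1.0.1' < '1.0.1a'.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"not an upstream OpenSSL version: {v!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

# (product, platforms or None for any, CVE, parser, [(low, high, high_inclusive)])
# Thresholds are copied from the report's tables; "0" means "no lower bound".
# Only one CVE per product is transcribed here, so a clean result from this
# subset does not clear a host of the report's other entries.
RULES = [
    ("flash player", {"windows", "os x"}, "CVE-2014-0564", dotted,
     [("0", "13.0.0.250", False), ("14", "15.0.0.189", False)]),
    ("flash player", {"linux"}, "CVE-2014-0564", dotted,
     [("0", "11.2.202.411", False)]),
    ("adobe reader", None, "CVE-2013-2729", dotted,
     [("9", "9.5.5", False), ("10", "10.1.7", False), ("11", "11.0.03", False)]),
    ("silverlight", None, "CVE-2013-0074", dotted,
     [("5", "5.1.20125.0", False)]),
    ("adobe air", None, "CVE-2014-0564", dotted,
     [("0", "15.0.0.293", False)]),
    ("openssl", None, "CVE-2014-0160", openssl,
     [("1.0.1", "1.0.1f", True)]),
]

def in_range(ver, low, high, high_inclusive):
    return low <= ver and (ver <= high if high_inclusive else ver < high)

def audit(inventory):
    """Return (host, product, version, cve, status) for every hit.

    status is 'affected' when the version falls inside a listed range and
    'review' when the version string cannot be parsed. Distribution packages
    often backport fixes without changing the upstream version, so such
    strings are surfaced for manual checking instead of being treated as clean.
    """
    findings = []
    for host, product, platform, version in inventory:
        for name, platforms, cve, parse, ranges in RULES:
            if name != product.lower():
                continue
            if platforms and platform.lower() not in platforms:
                continue
            try:
                ver = parse(version)
            except ValueError:
                findings.append((host, product, version, cve, "review"))
                continue
            if any(in_range(ver, parse(lo), parse(hi), inc) for lo, hi, inc in ranges):
                findings.append((host, product, version, cve, "affected"))
    return findings

# Constructed sample inventory: (host, product, platform, installed version).
SAMPLE_INVENTORY = [
    ("ws-014", "Flash Player", "Windows", "14.0.0.179"),
    ("ws-015", "Flash Player", "Windows", "13.0.0.262"),
    ("ws-020", "Flash Player", "Linux", "11.2.202.406"),
    ("ws-031", "Adobe Reader", "Windows", "11.0.02"),
    ("ws-040", "Silverlight", "Windows", "5.1.20125.0"),
    ("web-01", "OpenSSL", "Linux", "1.0.1f"),
    ("web-02", "OpenSSL", "Linux", "1.0.1g"),
    ("web-03", "OpenSSL", "Linux", "1.0.1e-30.example1"),  # constructed package string
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding, sep="\t")
```
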
