OpenSSL "Heartbleed" Vulnerability


On April 8, 2014, HP was notified of the CVE-2014-0160 vulnerability (now known as "Heartbleed") in the open-source OpenSSL toolkit. This vulnerability has garnered a substantial amount of media attention. See the References section for a link to the National Vulnerability Database entry, which describes the vulnerability in detail.


OpenSSL is used in some HP products to provide encryption and SSL services. HP is committed to delivering secure systems that effectively manage our invaluable customer and employee data. Upon knowledge of the "Heartbleed" vulnerability, HP teams began an aggressive and comprehensive review of all actively supported products.


HP takes Internet vulnerabilities seriously and works collaboratively through organizations like the Information Technology Information Sharing & Analysis Center (IT-ISAC), government agencies and industry partners to share information about the vulnerabilities and how to effectively address them. With regard to addressing the potential impact of the recently identified "Heartbleed" OpenSSL vulnerability, HP is closely examining our systems and sites for the vulnerability and performing remediation as needed to ensure this vulnerability is not exploited. HP also consistently employs security controls and procedures to protect against attacks that target our systems and networks.


What can you do?


While we complete our investigation, this is a good opportunity to ensure the following security best practices are being followed:


Subscribe to HP real-time security information: All HP products use a common centralized Security Bulletin process managed by HP's Software Security Response Team (SSRT). Subscribe to HP Security Bulletins by following these steps:


  1. Go to hp.com.
  2. Click "Support."
  3. Click "Support and Troubleshooting."
  4. Click "Sign up: driver, support and security alerts" (near the bottom of the page).


For additional information on specific enterprise hardware products, you can contact the HP Support center here; for consumer hardware products, click here; or for updates on HP's software products, click here.

References


National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 (non-HP site)