Various products: Please see the list in the problem section
The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information (such as private keys, username and passwords, or contents of encrypted traffic) from process memory via crafted packets that trigger a buffer over-read. This issue is also known as The Heartbleed Bug.
Status of different OpenSSL versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Junos OS 13.3R1
Odyssey client 5.6r5 and later
SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later (Fixed code is listed in the "Solution" section)
UAC 4.4r1 and later, and UAC 5.0r1 and later (Fixed code is listed in the "Solution" section)
Junos Pulse (Desktop) 5.0r1 and later, and Junos Pulse (Desktop) 4.0r5 and later
Network Connect (windows only) version 7.4R5 to 7.4R9.1 & 8.0R1 to 8.0R3.1. (This client is only impacted when used in FIPS mode.)
Junos Pulse (Mobile) on Android version 4.2R1 and higher.
Junos Pulse (Mobile) on iOS version 4.2R1 and higher. (This client is only impacted when used in FIPS mode.)
Products Not Vulnerable
Junos OS 13.2 and earlier is not vulnerable
Non-FIPS version of Network Connect clients are not vulnerable
SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable
SRX Series is not vulnerable
Junos Space is not vulnerable
NSM is not vulnerable
Pulse 4.0r4 and earlier is not vulnerable
QFabric Director is not vulnerable
CTPView is not vulnerable
vGW/FireFly Host is not vulnerable
Firefly Perimeter is not vulnerable
ScreenOS is not vulnerable
UAC 4.3, 4.2, and 4.1 are not vulnerable
JUNOSe is not vulnerable
Odyssey client 5.6r4 and earlier are not vulnerable
Junos Pulse (Mobile) on iOS (Non-FIPS Mode)
WX-Series is not vulnerable
Junos DDoS Secure is not vulnerable
STRM/JSA is not vulnerable
WebApp Secure is not vulnerable
Media Flow Controller is not vulnerable
SBR Carrier is not vulnerable
SBR Enterprise is not vulnerable
Junos Pulse Mobile Security Suite is not vulnerable
SRC Series is not vulnerable
Junos Pulse Endpoint Profiler is not vulnerable
Smart Pass is not vulnerable
Ring Master is not vulnerable
ADC is not vulnerable
Products currently under investigation
Stand Alone IDP
Juniper continues to investigate this issue and as new information becomes available this document will be updated.
This issue has been assigned CVE-2014-0160.
We are working around the clock to provide fixed versions of code for our affected products.
For more information regarding specific products please find productcodes and links below:
SSL VPN (IVEOS):
Juniper Networks has released IVEOS 8.0R3.2 and 7.4R9.2. For more information surrounding this issue for this platform please see KB: http://kb.juniper.net/kb29004
Juniper Networks will release (ETA April 10th, 2014) UAC 5.0r3.2. For more information surrounding this issue for this platform please see KB: http://kb.juniper.net/kb29007
Junos OS 13.3R1.6, 13.3R1.7, and 13.3R1-S1 have been recalled and will be re-released with fixes to resolve this issue.
Juniper has released signatures to detect this issue:
Sigpack 2362 released:
SSL: OpenSSL TLS DTLS Heartbeat Information Disclosure:
Note: This advisory will be updated with fixed software versions as they are made available to our customers.
KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.
Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
Disable SSL service for JUNOScript and only use Netconf, which makes use of SSH, to make configuration changes
Limit access to J-Web and XNM-SSL from only trusted networks
Other than downgrading to an unaffected release, there are no workarounds for this issue.
OpenSSL Security Advisory
We consider this to be a critical issue. The sensitive information potentially exposed by this issue can be leveraged to further compromise the system. Exploits are known to exist in the wild. Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."