By now you should be well aware of the vulnerability CVE-2014-0160, nicknamed HeartBleed, that exists in a number of versions of OpenSSL - an extremely popular open source cryptographic library.
Yesterday, we provided some guidance on steps businesses and consumers should take in light of this vulnerability.
We have also made it very simple to inspect and verify many aspects of SSL certificate security, including whether a server is still vulnerable to the HeartBleed attack.
We are extremely sensitive to the anxiety felt by customers who rely on our software and services as a core part of their work and personal lives. So today, I want to give you an update on how this affects our Email and Web security products.
The following cloud services are NOT affected by the HeartBleed vulnerability in any way and customers do not need to take any action related to these services:
Symantec Email Security.cloud
Symantec Email Security.cloud - Policy Based Encryption
Symantec Instant Messaging Security.cloud
Symantec Enterprise Instant Messenger.cloud
Symantec Email & Web Security.cloud management portal (AKA ClientNet)
One feature within the Symantec Web Security.cloud service WAS affected by the HeartBleed vulnerability but customers do NOT need to take any action related to this service:
On March 3rd 2014, we introduced a new HTTPS scanning feature to the Symantec Web Security.cloud service.
As of April 9th 2014, Symantec temporarily disabled this HTTPS scanning feature as it was running a version of OpenSSL susceptible to the HeartBleed vulnerability.
Our Operations and Engineering teams are working to patch the HTTPS infrastructure associated with this feature and to minimize disruption it will remain disabled until this work is complete.
No other features of the Web Security.cloud service are affected by this functionality and no other features of the service are disrupted.
The following on-premises Email and Web Security products are NOT affected by the HeartBleed vulnerability in any way and customers do not need to take any action:
Symantec Messaging Gateway
Symantec Web Gateway
If you have any questions at all related to this issue that are not addressed in this post, please contact our Technical Support team.
-- ian