It seems that Policy Manager contains vulnerable OpenSSL binaries in "C:\Program Files (x86)\F-Secure\Web User Interface\bin". Can you tell us the potential impact of this? Will F-Secure be issuing a patch?
Policy Manager does not use OpenSSL and based on the directory path you mentioned, it is likely the Web-based management UI for Email and Server Security. We will anyway check all products and communicate about affected ones and available patches as soon as possible.
And what about PSB Portal itself?
Is it vulnerable? Fixed?
Please let us know when possible.
Please check the advisory that we have published on our public web: http://www.f-secure.com/en/web/labs_global/fsc-2014-1. F-Secure products and services mentioned in this advisory are affected. Other F-Secure products and services are not affected.
I see in the Downloads area that the hotfix for ESS 11.x and 10.x is already available.
But some further clarifications are required.
1. What about SS installations? Can we apply the hotfix for ESS?
2. What about PSB? I guess that the hotfix will be automatically downloaded and be applied (SS and ESS)?
3. After-hotfix actions?
- Change pub/priv keys of web UI? How? (Any technote on how to create/apply a new keypair?)
- Change server administrator passwords?
OK, security advisory page updated: