If it's an OpenSSL vulnerability that puts anything at risk on the CSA, then we will usually patch it - absolutely. Most OpenSSL vulnerabilities are a "simple" case of patching files & won't require you to do anything beyond patching the box with the relevant CSA patch.
Note that not all OpenSSL vulnerabilities necessarily affect the CSA. "Yes" the OpenSSL defect itself may, but based on how we communicate with / through the CSA, it may actually be a non-factor.
I'll poke the CSA guy for some input here, as he'll have a better picture on what's what in regards to this one.
I've been working with engineering and they confirmed the newer version of OpenSSL in the CSA patch 177 should correct this.
However, we do see some of the updated CSAs we scan with Qualys still show the devices are vulnerable to this CVE. Other company tests show the appliance is no longer vulnerable.
So our engineering has reached out to Qualys to report this as a possible false positive.
CSA patch 177 release note:
RedHat site showing details of the OpenSSL fix: https://www.rpmfind.net/linux/RPM/centos/updates/6.8/x86_64/Packages/openssl-1.0.1e-48.el6_8.1.x86_64.html
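The mismatch described in this post is a classic backport pattern: the RHEL/CentOS package keeps the upstream version string (1.0.1e) and carries the fix in the package release (48.el6_8.1), so a scanner that judges only the banner keeps flagging the box. The check below is an added example, not code from this thread or from the CSA vendor; it takes the fixed NVR from the RPM linked above, treats the upstream fixed version "1.0.1t" as a constructed placeholder (the thread names no CVE), and compares the installed package by release rather than by banner.

```python
import re

# Assumption: the fixed package is the one linked in the post above.
# Any upstream "fixed in" version used below is a constructed placeholder.
FIXED_NVR = "openssl-1.0.1e-48.el6_8.1"

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise comparison in the style of rpm's rpmvercmp().
    Returns -1 if a < b, 0 if equal, 1 if a > b. Separators are ignored,
    numeric segments compare as integers and rank above alphabetic ones.
    Tilde/caret pre-release markers are not handled (el6 openssl has none)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1

def parse_nvr(nvr: str):
    """Split 'name-version-release' (no epoch, as for el6 openssl)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def backport_fixed(installed_nvr: str, fixed_nvr: str = FIXED_NVR) -> bool:
    """True when the installed package is at or beyond the release that carries the fix."""
    n1, v1, r1 = parse_nvr(installed_nvr)
    n2, v2, r2 = parse_nvr(fixed_nvr)
    if n1 != n2:
        raise ValueError(f"package mismatch: {n1} vs {n2}")
    # Compare version first; only when equal does the release decide.
    c = rpmvercmp(v1, v2) or rpmvercmp(r1, r2)
    return c >= 0

def banner_looks_vulnerable(banner_version: str, upstream_fixed: str) -> bool:
    """What a banner-only scanner concludes: the advertised version is below the upstream fix."""
    return rpmvercmp(banner_version, upstream_fixed) < 0

if __name__ == "__main__":
    # Constructed sample: after the backport the banner still reads 1.0.1e.
    installed = "openssl-1.0.1e-48.el6_8.1"
    print("banner-only verdict vulnerable:", banner_looks_vulnerable("1.0.1e", "1.0.1t"))
    print("package-release verdict fixed:", backport_fixed(installed))
```

On the appliance itself, `rpm -q openssl` gives the installed NVR to feed into `backport_fixed`, and `rpm -q --changelog openssl` lists the CVE identifiers the backport actually carries, which is the evidence to hand to the scanner vendor when disputing a finding.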
Can you post some examples of the "other company tests"?
I also tested with this site (SSL/TLS Server Security | Email TLS/STARTTLS Encryption | PCI DSS & NIST | High-Tech Bridge | SSL Test) and got the same result.
Hello, what is the status of this? I have yet to see an update for the CSA and all of my SSL scans are still showing vulnerable. Thanks!
Engineering implemented a few tweaks to some responses to correct the false negative that occurred on some CSAs. These will release in version 178 of the CSA. Currently this is in test/validation and should be coming out fairly soon.