Follow

Frequently Asked Questions and Responses to ESA-2014-056

Frequently Asked Questions and Responses related to ESA-2014-056: EMC Syncplicity Security Update for Multiple Vulnerabilities in OpenSSL Security Advisory [05 Jun 2014]

What is the issue?
The OpenSSL project released a security advisory on June 5, 2014 disclosing multiple security vulnerabilities in OpenSSL which may potentially impact Syncplicity customers. For more details refer to

What components of Syncplicity are affected? 
The issue impacts the following Syncplicity components:

  • EMC Syncplicity Orchestration layer load-balancers
  • EMC Syncplicity Storage layer load-balancers
  • EMC Syncplicity Enterprise Edition On-Premise compute nodes

Was Syncplicity compromised due to this vulnerability?
At this time we have no evidence or reason to believe any Syncplicity customers’ data were compromised in relation to this vulnerability. 

When is this issue going to be fixed?
EMC has applied remedies to eliminate the reported applicable vulnerabilities from EMC Syncplicity servers.  

What steps were taken to remediate the vulnerability?
EMC Syncplicity has patched all of the impacted components by updating the OpenSSL version in our cloud Orchestration and cloud Storage.   

What steps do customers need to take to remediate the vulnerability? 
There is no action needed by EMC Syncplicity Personal Edition, Business Edition, and Enterprise Edition cloud storage customers to remediate this vulnerability.  Enterprise Edition on-premise storage account administrators are advised to patch their on-premise compute servers. EMC recommends the following steps:

  1. If you leverage SSL-offloading load balancers (a recommended Syncplicity Best Practice) should contact their load balancer vendor for guidance on applying necessary patches if they have not notified you already  
  1. If you expose your compute servers directly to the Internet or leverage non-SSL offloading load balancers you are advised to SSH into each node and issue the "sudo yum update" command to install the patched version of OpenSSL. Please reboot the compute servers after installing the patch. 

What additional measures is Syncplicity recommending to reduce the risk associated with this vulnerability?
While Syncplicity does not have additional recommendations at this time, customers are advised to conduct their own risk assessment based on their specific on-premise configuration and take necessary precautions.

 

Powered by Zendesk