SSL issue with Hivemanager NG On-Premise (CVE-2016-2107)

  • Question
  • Updated 7 months ago
We have been using multiple Hivemanager NG On-Premise VM's for the past 9+ months.

We also use Qualys SSL Labs Testing to ensure our web facing machines are secure.

My problem is that even with the latest v11.26.0.29 Hivemanager NG version, the Qualys test still states that the Hivemanager is vulnerable to CVE-2016-2107.

Is this a 'real issue' and, regardless, why has this not been addressed in any of the 2017 updates?

Tony de Raat


Posted 7 months ago

Nick Lowe, Official Rep

Hi Tony,

I would suggest emailing security@aerohive.com for clarification.

Thanks,

Nick
Tony de Raat

Thanks Nick

Unfortunately this e-mail address appears to be a >> /dev/null, as I have not received any responses to any of my e-mails, which is why I posted on HiveNation.

And before anyone suggests it, when I try to make a support ticket about this issue, it gets closed with the response 'contact security@aerohive.com'.

I am certain that this OpenSSL vulnerability may not actually be a 'real world' issue, but I would (as would our customers) like to have something 'official' from Aerohive.

Me
Nick Lowe, Official Rep

Hi Tony,

Sorry about this. That is the expected process. Could you resend your email, please?

Regards,

Nick
Mike Kouri, Official Rep

Tony (and any lurkers reading this thread),
Please forgive us. As a partial explanation, but not excusing our delay in responding, we were a little distracted with KRACK last week.

I just found your original email to us from last week and replied, and for the other folks here, I am pasting much of that response here:

"Thank you for contacting the Aerohive security incident response team. Please forgive us, we misplaced your email and have now failed our target service level agreement of acknowledging all incoming requests within 1 working day of receipt. In general we request 5 working days to review the report and formulate our response. In this case I will make sure that we get this reviewed and a final response is on its way back to you before the end of this week.

My very preliminary review of this CVE and my knowledge of HiveManager NG make me feel that your actual risk of exploit is very small. The NIST CVSS score for this was only 2.6 or LOW. Performing a padding-oracle attack is very difficult to do outside of labs or strictly controlled environments, large amounts of data need to be exchanged between the victim client and server before the attacker can start recovering cleartext data, and the attacker will also have to be in the data path between your client browser and the HiveManager NG server. If your Hivemanager NG is only accessed locally or from within the same datacenter where it resides, then attacks are very unlikely.

Nevertheless, we will address this in a future version of HiveManager NG to close off any remaining vulnerability."

And finally, for any cloud-based HiveManager NG users wondering about their own exposure to this, please rest assured that cloud-va.aerohive.com gets an A+ from the Qualys scanner.
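A defender-side exposure check that follows from Mike's explanation, added here as an example and not code from the thread, from Aerohive or from Qualys: the CVE-2016-2107 padding oracle only matters on connections that negotiate an AES-CBC suite, so the script flags CBC suites in a cipher list and can offer a server nothing but CBC suites to see whether it still accepts them. The sample cipher list, the host you pass in and the helper names are assumptions.

```python
import socket
import ssl

# AES-CBC suites (OpenSSL names) of the family the CVE-2016-2107 padding oracle lives in.
# AEAD suites (GCM, CCM, CHACHA20-POLY1305) have no MAC-then-encrypt padding to attack.
CBC_ONLY_CIPHER_STRING = ":".join([
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA",
    "AES128-SHA", "AES256-SHA", "AES128-SHA256", "AES256-SHA256",
])

def is_cbc_suite(name: str) -> bool:
    """True for an AES suite in CBC mode, given an OpenSSL name ("ECDHE-RSA-AES128-SHA")
    or an IANA name ("TLS_RSA_WITH_AES_128_CBC_SHA")."""
    n = name.upper()
    if "CBC" in n:
        return True
    if "AES" not in n:
        return False
    return not any(aead in n for aead in ("GCM", "CCM", "CHACHA20"))

def cbc_suites(names):
    """The AES-CBC subset of an offered or negotiated suite list."""
    return [n for n in names if is_cbc_suite(n)]

# Constructed sample shaped like the first column of `openssl ciphers -v`
# (hypothetical; not from the thread or from any HiveManager scan).
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-SHA256", "AES256-SHA",
]

def server_negotiates_cbc(host: str, port: int = 443, timeout: float = 5.0):
    """Offer only AES-CBC suites over TLS <= 1.2 and return the suite the server picks,
    or None if it refuses them all. A successful handshake shows the server still
    enables the suite family CVE-2016-2107 affects; it does not prove the OpenSSL
    build is unpatched (fixed in 1.0.1t / 1.0.2h), so read it as exposure, not exploitability."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 ignores set_ciphers()
    ctx.check_hostname = False                    # probing cipher choice, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(CBC_ONLY_CIPHER_STRING)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]            # e.g. "ECDHE-RSA-AES256-SHA"
    except ssl.SSLError:                          # handshake failed: no shared CBC suite
        return None
```

Run `server_negotiates_cbc("your-hivemanager-host")` against an on-premise instance you administer; a `None` result means the CBC family is already off, and otherwise the lasting fix is the vendor's OpenSSL update rather than a scanner exception.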