The main Cisco products now clearly evaluated as "vulnerable" are the Cisco AnyConnect Secure Mobility Client for iOS, Cisco IOS XE, the Cisco UCS B-Series (Blade) Servers, Cisco UCS C-Series (Standalone Rack Servers), Cisco Unified Communication Manager 10.0, Cisco Desktop Collaboration Experience DX650, Cisco TelePresence Video Communication Server, and three versions of Cisco IP phones.
But some Cisco IP phones have already been determined to be not vulnerable. Many other Cisco products are also not vulnerable, including the Cisco Wireless LAN Controller, the Cisco Web Security Appliance, the Cisco Content Management Appliance and the Cisco e-mail security appliance.
Still under investigation are Cisco IOS, Cisco Identity Service Engine, Cisco Secure Access Control Server, Cisco Cloud Web Security, and the Cisco Catalyst 6500 Series and Cisco 7600 Series Firewall Services Module, plus dozens of others. Cisco will be continuously updating these lists based on known determinations of vulnerability, with any fixes needed for Heartbleed suggested in the future.
Juniper didn't provide a spokesperson to discuss Heartbleed, but issued a statement saying, "The Juniper Networks Security Incident Response Team (SIRT) is aware of the OpenSSL vulnerability impacting the industry and is working round the clock on fixes to address potential risks to some Juniper products."
Juniper notes it has published an advisory, which lists several vulnerable products, including those based on Junos OS 13.3R1, and Odyssey client 5.6r5 and later. Also vulnerable to Heartbleed Bug issues are the Juniper SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later. Some products are listed as "fixed."
Products listed as "not vulnerable" include Junos OS 13.2 and earlier, the non-FIPS version of Network Connect clients, and SSL VPN (IVEOS) 7.3, 7.2 and 7.1. Several other network and security products are also listed as "not vulnerable." Other Juniper products are listed as under investigation, including Stand Alone IDP, ADC and WL-Series (SmartPass).
In addition to this wide range of network gear impacted by the Heartbleed Bug, some versions of the Android operating system also appear to be subject to Heartbleed, according to mobile security vendor Lookout Security.
Marc Rogers, principal security researcher at Lookout, says so far the security firm has determined that the vulnerable versions of Google Android include only versions 4.1.1 and 4.2.2. The current version of Android 4.5 is not impacted, according to Lookout, likely because the feature causing all the Heartbleed commotion in OpenSSL was not enabled. Lookout has created a tool to let mobile-device users test for vulnerability to Heartbleed.
An Android fix for Heartbleed is something Lookout says it can't provide but should come from the Android open-source project, which manufacturers of Android-based phones would be expected to deliver. It's hard to come up with a definitive list of impacted Android mobile devices because Android itself has become so fragmented, Rogers concluded.