A security scan gives the following Failure Report. When I try to install the update I get a message that the update is not compatible with the Operating System. Does anyone have experience installing an update or is it possible to disable OpenSSL provided the WebApp does not require it to run?
THREAT:
OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library. For more details about the detection please refer to the Qualys community article
heartbleed-detection-update (https://community.qualys.com/blogs/qualys-tech/2014/04/09/heartbleed-detection-update).
OpenSSL is exposed to a security vulnerability due to a missing bounds check in the handling of the TLS heartbeat extension.
Affected Versions:
OpenSSL 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1
PLEASE NOTE:
This QID will be reported as possible vulnerability (YELLOW) if it was triggered because the target host has a vulnerable OpenSSL banner.
This QID will be reported as confirmed vulnerability (RED) if the target responds to the SSL heartbeat request in a vulnerable fashion (irrespective of
the OpenSSL banner).
IMPACT:
The vulnerabilities can be exploited by malicious users to reveal up to 64kB of memory to a connected client or server that may aid in launching
further attacks.
SOLUTION:
Update to Version 1.0.1g to resolve this issue. The latest version is available for download from OpenSSL Web site (http://www.openssl.org/source/).