Release Notes

Hotfix 973112

McAfee ePolicy Orchestrator

Contents

About this release

Resolved issues

Installation instructions

Additional information

Find product documentation

About this release

This document contains important information about the McAfee ePolicy Orchestrator (McAfee ePOTM)
release. We strongly recommend that you read the entire document.
Release date June 10, 2014
Release build HF973112
This release was developed for use with:
o

McAfee ePO 4.6 (build 1029)

McAfee ePO 4.6 Patch 1 (build 1192)

McAfee ePO 4.6 Patch 2 (build 234)

McAfee ePO 4.6 Patch 3 (build 197)

McAfee ePO 4.6 Patch 4 (build 202)

McAfee ePO 4.6 Patch 5 (build 168)

McAfee ePO 4.6 Patch 6 (build 176)

McAfee ePO 4.6 Patch 7 (build 278)

McAfee ePO 4.6 Patch 8 (build 112)

McAfee ePO 5.0.0 (build 1160)

McAfee ePO 5.0.1 (build 228)

McAfee ePO 5.1.0 (build 509)

All remote Agent Handlers for these builds

Rating
Mandatory McAfee requires this release for all environments. This update must be applied
immediately to avoid a potential security breach, and to maintain a viable and supported product.
For more information about patch ratings, see McAfee KnowledgeBase article KB51560.

Resolved issues
This hotfix resolves the following issues. For a list of issues fixed in earlier releases, see the Release
Notes for the specific release.

Issue
An attacker using a carefully crafted handshake can force the use of weak keying material in
OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack
where the attacker can decrypt and modify traffic from the attacked client and server.
o

CVE-2014-0224

CERT/CC Vulnerability Note VU#978508

McAfee Security Bulletin SB10075

Versions of OpenSSL affected:

o

OpenSSL 0.9.8a-y

OpenSSL 1.0.0a-l

OpenSSL 1.0.1a-g

Versions of OpenSSL that are not affected:

o

OpenSSL 0.9.8za

OpenSSL 1.0.0m

1.0.1e-13 (MLOS2)

OpenSSL 1.0.1h

Resolution
This hotfix replaces all OpenSSL and Apache files used by McAfee ePO that are affected by this
vulnerability.

Installation instructions
For information about installing or upgrading ePolicy Orchestrator, see the McAfee ePolicy Orchestrator
Installation Guide.
Before proceeding with the upgrade process, see McAfee KnowledgeBase article KB71825 for important
steps to take before upgrading (KB76739 for McAfee ePO 5.0.0 and later).

NOTE:
There are now separate installers for McAfee ePO 4.6.x (ePOHF973112_4x.exe) and McAfee ePO 5.x
(ePOHF973112_5x.exe). Use the appropriate installer for your McAfee ePO server and remote Agent
Handlers, if any.
If you install the hotfix, then upgrade to another affected version of McAfee ePO, you must reapply
the hotfix.

Requirements
Make sure that your system meets these requirements before installing the software.

You must have McAfee ePO 4.6 or later installed.

NOTE:
This hotfix updates all McAfee ePO versions previously listed.

This hotfix must be installed on the McAfee ePO server, and any remote Agent Handlers where
the ssleay32.dll file version is not 1.0.1.8 or later. See below for more information.

FIPS 140-2 installations of McAfee ePO are NOT vulnerable. These updates will not install in FIPS
mode.

Install the software on McAfee ePO and remote Agent Handlers

Follow these steps to install this hotfix.
Task
1
Extract the contents of ePOHF973112.zip.
2

Run the appropriate (4.x or 5.x) ePOHF973112_*x.exe and follow the on-screen instructions.

Install the software on McAfee ePO server clusters

Follow these steps to install this hotfix in your cluster environment.
Task
1
Before beginning the installation process:
a.

Close all connections (open consoles, either remote or local) to the McAfee ePO server.

b.

The hotfix must be installed on the node where the first installation of McAfee ePO was
performed, and that node must be the Active node.
i. Shut down all passive nodes. Although this is optional, we highly recommend this
step to ensure that the installation is isolated to the active node.
ii. Use the Failover Cluster Manager to take the following McAfee ePO services offline:
1. Apache
2. Event Parser
3. Tomcat

Copy the ePOHF973112.zip file to a temporary folder on the node where the first installation of
McAfee ePO was performed.

Extract the contents of ePOHF973112.zip.

Locate the appropriate ePOHF973112_*x.exe file for your version of McAfee ePO.

Run the appropriate ePOHF973112_*x.exe and follow the instructions in the InstallShield
wizard.
i. When the installation is finished, use the Failover Cluster Manager to bring these
McAfee ePO services online:
1. Apache
2. Event Parser
3. Tomcat

Verify hotfix installation

Follow these steps to ensure that the hotfix was installed correctly.
Task
1
Go to the McAfee ePO or Agent Handler installation folder:
a.

McAfee ePO installation directory: <ePO Install folder>\Apache2\bin

b.

Remote Agent Handler installation directory: <AH Install folder>\apache\bin

Right-click ssleay32.dll, then select Properties.

Select the Details tab, and make sure the file version is 1.0.1.8 and the product version is
1.0.1h.

Additional information
Important
The attached files are provided as is, and with no warranty either expressed or implied as to their
suitability for any particular use or purpose. McAfee, Inc. assumes no liability for damages incurred
either directly or indirectly as a result of the use of these files, including but not limited to the loss
or damage of data or systems, loss of business or revenue, or incidental damages arising from
their use. Hotfix files should be applied only on the advice of McAfee Technical Support, and only
when you are actually experiencing the issue being addressed by the hotfix. Hotfix files should not
be proactively applied in order to prevent potential product issues. You are responsible for reading
and following all instructions for preparation, configuration, and installation of hotfix files. Hotfix
files are not a substitute or replacement for product Service Packs which may be released by
McAfee, Inc. It is a violation of your software license agreement to distribute or share these files
with any other person or entity without written permission from McAfee, Inc. Further, posting of
McAfee hotfix files to publicly available Internet sites is prohibited. McAfee, Inc. reserves the right
to refuse distribution of hotfix files to any company or person guilty of unlawful distribution of
McAfee software products. Questions or issues with McAfee hotfix files should be directed to McAfee
Technical Support.

Find product documentation

After a product is released, information about the product is entered into the McAfee online Knowledge
Center.
Task
1
Go to the McAfee ServicePortal at http://mysupport.mcafee.com and click Knowledge Center.
2

Enter a product name, select a version, then click Search to display a list of documents.

Copyright 2014 McAfee, Inc. Do not copy without permission.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United
States and other countries. Other names and brands may be claimed as the property of others.
00-A