Barracuda Link Balancer uses the popular OpenSSL cryptographic software library for the management UI (only when using HTTPS). The versions of OpenSSL shipped with Barracuda Link Balancer in the 2.5.x release may be vulnerable to the issue described in the above-mentioned security advisory (see below).
The certificate information for the management UI may have leaked due to this vulnerability. The VPN functionality of the product is not affected by this vulnerability.
- Ensure that all your Barracuda Link Balancer units that use HTTPS for the management UI are updated with the secdef. This happens automatically unless you have changed the default settings.
- The secdef will not apply automatically if Automatic Updates under Security Definition Updates is set to Off. In this case you can choose to apply the secdef manually.
- After applying the secdef, on the ADVANCED::Secure Administration page, in the SSL Certificate Configuration section, stop using the “Default (Barracuda Networks)” SSL certificate if you were using it. Instead, create a new certificate for Secure Administration; refer to the online help for details.
- If you created a Private (Self-Signed) or Trusted (Signed by a Trusted CA) certificate for the management UI, make sure to also replace these on the ADVANCED::Secure Administration page after the upgrade.
- Ensure that all admin password(s) are renewed.
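
To confirm the certificate replacement steps above actually took effect on every unit, the following added example (not Barracuda code) compares the management UI certificate recorded before and after remediation. It assumes the replacement should use a fresh key pair, so it hashes the certificate's public key and flags certificates that were reissued over the old key; the unit names and the `fake_cert` sample data are constructed.

```python
import hashlib

def _read_tlv(buf, pos):
    """Return (tag, content_start, end) of the DER element starting at pos."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, start, start + length

def spki_sha256(cert_der):
    """SHA-256 over the subjectPublicKeyInfo element of an X.509 certificate."""
    _, pos, _ = _read_tlv(cert_der, 0)         # enter Certificate
    _, pos, _ = _read_tlv(cert_der, pos)       # enter tbsCertificate
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                            # skip optional [0] version
        pos = end
    for _field in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    _, _, end = _read_tlv(cert_der, pos)       # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def audit_rotation(before, after):
    """Map each unit to 'rotated', 'same key', 'unchanged' or 'no data'."""
    status = {}
    for unit, old in before.items():
        new = after.get(unit)
        if new is None:
            status[unit] = "no data"           # unit not re-checked yet
        elif new == old:
            status[unit] = "unchanged"         # old certificate still served
        elif spki_sha256(new) == spki_sha256(old):
            status[unit] = "same key"          # new certificate, old key pair
        else:
            status[unit] = "rotated"
    return status

def _tlv(tag, content):
    return bytes([tag, len(content)]) + content  # short-form only (demo data)

def fake_cert(serial, key):
    """Constructed cert-shaped DER for the demo; not a valid certificate."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
           + _tlv(0x30, b"") * 4 + _tlv(0x30, key))
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))

# Constructed inventory: hypothetical unit names, synthetic DER blobs.
BEFORE = {"lb-1": fake_cert(1, b"key-A"), "lb-2": fake_cert(2, b"key-B"), "lb-3": fake_cert(3, b"key-C")}
AFTER = {"lb-1": fake_cert(9, b"key-A2"), "lb-2": fake_cert(8, b"key-B"), "lb-3": BEFORE["lb-3"]}

if __name__ == "__main__":
    for unit, state in audit_rotation(BEFORE, AFTER).items():
        print(unit, state)
```

For live units, each DER blob can be obtained with `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))` from the Python standard library, once before and once after the steps above.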