OpenSSL Heartbleed vulnerability with CVE id CVE-2014-0160

Dear CafeX Customers and partners:

CafeX software does not incorporate a version of the OpenSSL package affected by the Heartbleed vulnerability.  

Issue Description: 
The OpenSSL Heartbleed vulnerability is tracked as CVE ID CVE-2014-0160 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160). The vulnerability lies in the implementation of the TLS heartbeat extension (RFC6520). It can allow secret keys or other private information to leak from TLS-encrypted communications. For more detailed information, see the CERT vulnerability note (http://www.kb.cert.org/vuls/id/720951) or http://heartbleed.com.

OpenSSL versions 1.0.1 through 1.0.1f contain the issue. OpenSSL has confirmed the vulnerability and released a fix, which now has to be deployed (https://www.openssl.org/news/secadv_20140407.txt). Functional code that exploits this vulnerability is available as part of the Metasploit framework.
 
"The vulnerability is due to a missing bounds check in the handling of the TLS heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or DTLS client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. The attacker could then send a specially-crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords."

CafeX Software, Server and Solution components:
CafeX software (Mobile Advisor) includes a version of OpenSSL. This version of OpenSSL does not contain the Heartbleed vulnerability. As such, Fusion Application Server (FAS) and the applications residing upon it (Web Gateway, Palettes, Live Assist) are not subject to the issue. Media Broker does not use OpenSSL to encrypt server control communications to and from the Web Gateway.
 
The JBoss repository containing the OpenSSL library that CafeX ships as part of Fusion Application Server was updated in Feb 2012. The declared included version predates the introduction of the vulnerability. For more specific detail, you may refer to the RedHat advisory (https://access.redhat.com/site/announcements/781953).

Fusion Client SDK for iOS & Android
The CafeX client libraries ship with a version of OpenSSL that is affected by the Heartbleed bug. However, our use of the OpenSSL library on these platforms is limited to internal use; it is not used to make or receive SSL connections. For those, the underlying native encryption libraries are used.

iOS does not use OpenSSL and therefore iOS clients are not subject to the Heartbleed vulnerability.
 
Android 4.1 onwards includes OpenSSL. All versions except 4.1.1 have SSL heartbeats disabled. As such, Android 4.1.1 is affected by the Heartbleed bug (about 10% of Android devices) while other versions are not. (See the Google blog post: http://googleonlinesecurity.blogspot.co.uk/2014/04/google-services-updated-to-address.html)

Browser WebRTC clients
Neither Google Chrome nor Mozilla Firefox is affected by the Heartbleed bug, per their advisories at http://googleonlinesecurity.blogspot.co.uk/2014/04/google-services-updated-to-address.html and http://blog.mozilla.org/security/2014/04/08/heartbleed-security-advisory/.

Reverse Proxies used in CafeX architectures:
Because a reverse proxy is required alongside CafeX's Web Gateway or Palettes Server, it may also contribute to risk. F5 BIG-IP does not use OpenSSL and is therefore not affected by the Heartbleed bug. Open source reverse proxy implementations such as Apache HTTPD or Nginx depend on OpenSSL, and OpenSSL versions 1.0.1 through 1.0.1f are affected. Installs built in the last two years are likely to include an affected version of OpenSSL and should be patched. Nginx provides a useful guide on verification: http://nginx.com/blog/nginx-and-the-heartbleed-vulnerability/.
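To help with the verification step above on Apache or Nginx hosts, the following added example (not CafeX's or Nginx's code) classifies the output of `openssl version` and `openssl version -b` against the affected range named in this advisory (1.0.1 through 1.0.1f). It assumes the standard version-line format shown in the constructed samples, and treats a build date on or after the 7 Apr 2014 fix release as inconclusive, since vendors such as Red Hat backport the fix without changing the version string.

```python
import re
from datetime import date, datetime

# Affected range stated in the advisory: 1.0.1 (no letter) through 1.0.1f.
AFFECTED_BASE = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"
# Date of the upstream fix release (secadv_20140407). A binary built before
# this date cannot contain the upstream fix, backported or otherwise.
FIX_RELEASE = date(2014, 4, 7)

VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-[\w.]+)?(?:\s+(.*))?")
BUILT_RE = re.compile(
    r"built on:\s*\w+\s+(\w+)\s+(\d+)\s+[\d:]+\s+(?:[A-Za-z]+\s+)?(\d{4})")

def parse_version(line):
    """Parse an `openssl version` line, e.g. 'OpenSSL 1.0.1e 11 Feb 2013'.
    Returns (major, minor, fix, letter, suffix)."""
    m = VERSION_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL version line: %r" % line)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, fix, m.group(4), m.group(5) or ""

def version_in_affected_range(line):
    """True when the version string falls in 1.0.1 .. 1.0.1f.
    A suffix such as '-fips' does not change the base version."""
    major, minor, fix, letter, _suffix = parse_version(line)
    return (major, minor, fix) == AFFECTED_BASE and letter <= LAST_AFFECTED_LETTER

def assess(version_line, built_on_line=None):
    """Combine the version string with the `openssl version -b` output.
    Returns 'affected', 'not_affected' or 'check_vendor_advisory'."""
    if not version_in_affected_range(version_line):
        return "not_affected"
    if built_on_line:
        m = BUILT_RE.search(built_on_line)
        if m:
            built = datetime.strptime(
                "%s %s %s" % (m.group(2), m.group(1), m.group(3)), "%d %b %Y").date()
            # Built on/after the fix date: may carry a backported fix, so the
            # distribution's advisory (e.g. Red Hat's) decides, not the string.
            return "affected" if built < FIX_RELEASE else "check_vendor_advisory"
    return "affected"

if __name__ == "__main__":
    # Constructed sample lines, in the shape `openssl version` / `-b` print them.
    print(assess("OpenSSL 1.0.1e 11 Feb 2013", "built on: Wed Feb 12 10:00:00 UTC 2014"))
    print(assess("OpenSSL 1.0.1g 7 Apr 2014"))
```

Run `openssl version` and `openssl version -b` on the proxy host and feed both lines to `assess`; a `check_vendor_advisory` result means the package changelog or vendor advisory is the authoritative answer.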

Cisco Systems response:
Cisco maintains a Cisco Event Response page with details of the vulnerability and network mitigations (http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=33695). Cisco has released a security advisory at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed. Cisco has also released a blog post addressing the vulnerability as it relates to Cisco products: http://blogs.cisco.com/security/openssl-heartbleed-vulnerability-cve-2014-0160-cisco-products-and-mitigations/

If you require further information please contact support@cafex.com.
