CVE-2014-0160 (The Heartbleed Bug)

April 9, 2014

A critical security issue with OpenSSL was recently discovered which could allow hackers to gain access to confidential data over an encrypted connection. CVE-2014-0160 (aka "The Heartbleed Bug") affects all servers using OpenSSL 1.0.1-1.0.1f and is addressed in 1.0.1g. More information on this problem can be found here: http://heartbleed.com/.

This is a very serious vulnerability and affected systems should be patched immediately.

Affected systems

If you are providing access to Cascade Server over HTTPS, please review the following to see if your environment may be vulnerable:

  • You are running Cascade Server behind Apache HTTP with SSL where OpenSSL is providing SSL support. If you are using Apache HTTP in a Linux environment, you are very likely using OpenSSL and you should check the version to see if you’re vulnerable.
  • You are running Cascade Server over Tomcat’s SSL and are using the native APR libraries (not common) in a Linux environment with OpenSSL installed. In this case, OpenSSL is providing the SSL support and you should check the version to see if you’re vulnerable.

Tomcat over SSL (running without the native APR libraries) is not vulnerable to this threat. We do not ship our installer packages with native APR flags set, so installation and use of this library would have been performed independently of Cascade Server. To confirm that you are not using the native APR libraries, check your most recent catalina.log file (in tomcat/logs) and look for the following message on start-up:

INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path:{path}

If you are running Tomcat over SSL and that message appears, you are not vulnerable.

The following link provides a web based test to see if your site is vulnerable: http://filippo.io/Heartbleed/

Data that could be compromised

This issue does not affect Cascade Server itself, but the environment in which you are hosting the application may be affected.

That said, sensitive Cascade Server data like user passwords could have been compromised.

It is also possible that an attacker could have gained access to the private keys of your SSL certificate which would allow them to spoof your certificate and create their own SSL-encrypted website using your certificate. We are reissuing our SSL certificates as a precautionary step and your organization may want to consider doing the same.

Determining your OpenSSL version

To check the version of OpenSSL you are running, run the following from the command line: openssl version

If you are running OpenSSL 1.0.1-1.0.1f you are vulnerable.

For more information about which specific versions are and are not vulnerable, refer to the “What versions of the OpenSSL are affected?” section of the Heartbleed site.
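Added example, not from the original post: a read-only shell check that applies the two tests described above (the OpenSSL version range and the catalina.log APR message) to produce the same verdict the post walks through. Function names are hypothetical and the sample version strings and log lines are constructed; on a real host you would feed it the output of openssl version and your own catalina.log.

```shell
#!/bin/sh
# Added example (not part of the original post). Helper names are
# hypothetical; sample inputs at the bottom are constructed.

# True (exit 0) when "openssl version" output names an affected release:
# 1.0.1 through 1.0.1f, including vendor suffixes such as "1.0.1e-fips".
# 1.0.1g and later, and the 0.9.8 / 1.0.0 series, are not affected.
# Caveat: some Linux vendors backported the fix without changing the
# version string, so a fully updated distribution package may still report
# 1.0.1e; confirm against your vendor's advisory and the Heartbleed site.
openssl_version_affected() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the catalina.log text in $1 carries the start-up line the post
# quotes, i.e. the native APR library was NOT found and Tomcat is using its
# Java SSL implementation, which this bug does not affect.
tomcat_apr_not_loaded() {
    printf '%s\n' "$1" | grep -q 'APR based Apache Tomcat Native library.*was not found'
}

# Verdict for one host. $1: "openssl version" output; $2: catalina.log text;
# $3: "yes" if Apache HTTP (mod_ssl) terminates SSL in front of Cascade.
heartbleed_verdict() {
    if ! openssl_version_affected "$1"; then
        echo "NOT VULNERABLE: OpenSSL version outside 1.0.1-1.0.1f"
    elif [ "$3" = "yes" ]; then
        echo "VULNERABLE: Apache HTTP (mod_ssl) on affected OpenSSL"
    elif tomcat_apr_not_loaded "$2"; then
        echo "NOT VULNERABLE: Tomcat Java SSL in use, native APR not loaded"
    else
        echo "VULNERABLE: Tomcat loading native APR on affected OpenSSL"
    fi
}

# Constructed sample inputs (not taken from a real system).
SAMPLE_VERSION_OLD='OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_VERSION_FIXED='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_LOG_NO_APR='INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib64'
SAMPLE_LOG_APR='INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.'

# Real use: heartbleed_verdict "$(openssl version)" "$(cat tomcat/logs/catalina.log)" no
heartbleed_verdict "$SAMPLE_VERSION_OLD" "$SAMPLE_LOG_NO_APR" no
heartbleed_verdict "$SAMPLE_VERSION_OLD" "$SAMPLE_LOG_APR" no
heartbleed_verdict "$SAMPLE_VERSION_FIXED" "$SAMPLE_LOG_APR" yes
```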

Patching OpenSSL

Clients running affected OpenSSL versions should immediately update to 1.0.1g or later on the server that is providing SSL support, and then restart Apache HTTP and Tomcat.

On many systems this is as simple as running: yum upgrade openssl (or the equivalent command for whichever package manager your version of Linux uses).

Scope of the problem

This is a widespread problem not limited to Cascade Server. If you are running other applications over SSL in Linux environments using OpenSSL, we highly recommend you check the version of OpenSSL and patch your systems accordingly or let your systems administrators do so.

Please post on these forums if you have any further questions.

Thanks