A critical OpenSSL vulnerability called the 'Heartbleed Bug' has been discovered [1]. Affected OpenSSL versions are 1.0.1 through 1.0.1f. Therefore, Airlock versions 4.2.5 up to 4.2.6.2 and 5.0 are affected. Airlock versions 4.2.4 and older are not affected.
The vulnerability affects the implementation of the heartbeat extension (RFC6520) in OpenSSL. It allows a remote attacker to read the memory of the system running the vulnerable version of OpenSSL, potentially exposing secret key material and other data.
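The receiver-side check at issue, as an added example (not code from OpenSSL or Airlock; the function name, constant names and sample messages are made up for illustration): RFC 6520 requires a receiver to silently discard a heartbeat message whose payload_length is too large for the record that carried it, because that field is set by the sender.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2, big-endian) |
 * payload | padding (at least 16 bytes). */
#define HB_REQUEST     1
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Constructed sample messages (not captured traffic); unlisted bytes are 0. */
static const uint8_t HB_OK[3 + 4 + 16]        = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t HB_OVERCLAIM[3 + 1 + 16] = { 1, 0x40, 0x00, 'x' }; /* claims 16384 */

/* Hypothetical helper: copies the payload to echo back into out.
 * rec/rec_len is the record body actually received. Returns the number of
 * payload bytes copied, or -1 if the message must be silently discarded. */
long hb_echo_payload(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL)
        return -1;
    /* Too short to hold the header plus the minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The length field must fit inside the bytes really received. Without
     * this test the copy below would read past the record into whatever
     * process memory follows it. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;
    if (claimed > out_cap)
        return -1;

    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (long)claimed;
}

int main(void)
{
    uint8_t out[64];
    printf("well-formed:  %ld\n", hb_echo_payload(HB_OK, sizeof HB_OK, out, sizeof out));
    printf("over-claimed: %ld\n", hb_echo_payload(HB_OVERCLAIM, sizeof HB_OVERCLAIM, out, sizeof out));
    return 0;
}
```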
The vulnerability is fixed in the newest version 1.0.1g of OpenSSL, which is included in the following Airlock hotfixes:
Airlock Version | Hotfix HF4220 HF5001 |
Due to the exceptional severity of the Heartbleed vulnerability, we decided to provide a hotfix for the older and unsupported 4.2.5 releases as well. Note that this is an exception and solely based on goodwill. Customers are not entitled to hotfixes and updates for releases outside the supported release window. It is strongly recommended to keep installations updated with current releases and hotfixes available on the download page!
| Airlock Version | Hotfix |
|---|---|
| 4.2.5, 4.2.5.1 | HF4221 |
The Heartbleed vulnerability potentially exposed internal Apache weblistener memory. Therefore, we recommend renewing the server private keys and certificates after installing the Airlock hotfix.