
OpenSSL Heartbleed Vulnerability

IDs: CVE-2014-0160, CVE-2014-0346
Keywords: OpenSSL, Heartbleed
Description:

A critical OpenSSL vulnerability called the 'Heartbleed Bug' has been discovered [1]. Affected OpenSSL versions are 1.0.1 through 1.0.1f. Therefore, Airlock versions 4.2.5 up to 4.2.6.2 and 5.0 are affected. Airlock versions 4.2.4 and older are not affected.

The vulnerability affects the implementation of the TLS heartbeat extension (RFC 6520) in OpenSSL. It allows a remote attacker to read the memory of the system running the vulnerable version of OpenSSL, potentially exposing secret key material and other data.

Resolution:

The vulnerability is fixed in the newest version 1.0.1g of OpenSSL, which is included in the following Airlock hotfixes:

Airlock Version              Hotfix
4.2.6, 4.2.6.1, 4.2.6.2      HF4220
5.0                          HF5001

Due to the exceptional severity of the Heartbleed vulnerability, we decided to provide a hotfix for the older and unsupported 4.2.5 releases as well. Note that this is an exception and solely based on goodwill. Customers are not entitled to hotfixes and updates for releases outside the supported release window. It is strongly recommended to keep installations updated with current releases and hotfixes available on the download page!

Airlock Version              Hotfix
4.2.5, 4.2.5.1               HF4221

What to do

The Heartbleed vulnerability potentially exposed internal Apache weblistener memory, including the server private keys held there. Therefore, we recommend renewing the server private keys and certificates after installing the Airlock hotfix.
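To triage installations against the affected range stated above (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g) and to map an Airlock release to the hotfix from the tables, the following Python helper is an added example written for this page, not Airlock's own tooling. It assumes the version text is the output of `openssl version` and that OpenSSL's letter-suffixed patch releases sort after the bare version in alphabetical order.

```python
import re

# Affected OpenSSL range from the advisory: 1.0.1 through 1.0.1f; 1.0.1g is fixed.
AFFECTED_FIRST = "1.0.1"
AFFECTED_LAST = "1.0.1f"

# Airlock release -> hotfix mapping taken from the advisory's two tables.
AIRLOCK_HOTFIXES = {
    "4.2.5": "HF4221", "4.2.5.1": "HF4221",
    "4.2.6": "HF4220", "4.2.6.1": "HF4220", "4.2.6.2": "HF4220",
    "5.0": "HF5001",
}

# Matches '1.0.1f', '1.0.1' or '1.0.1e' inside e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013'.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")


def parse_openssl_version(text):
    """Extract the version from 'openssl version' output (or a bare version string)
    as a sortable tuple. OpenSSL 1.0.x patch releases append a letter, so
    1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g; an empty suffix sorts first."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def is_heartbleed_affected(version_text):
    """True if the reported OpenSSL version falls inside the advisory's affected range."""
    v = parse_openssl_version(version_text)
    return parse_openssl_version(AFFECTED_FIRST) <= v <= parse_openssl_version(AFFECTED_LAST)


def airlock_hotfix(airlock_version):
    """Hotfix to install for an Airlock release, or None if the advisory lists none
    (4.2.4 and older are not affected)."""
    return AIRLOCK_HOTFIXES.get(airlock_version)


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real host.
    for sample in ("OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0l 6 Jan 2014"):
        print(sample, "->", "AFFECTED" if is_heartbleed_affected(sample) else "not affected")
    print("Airlock 4.2.6.1 ->", airlock_hotfix("4.2.6.1"))
```

A version-string match is only first-pass triage: some distributions backport the fix without changing the version letter, so confirm against the installed hotfix or the package changelog before deciding a host is clean.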

Component: Airlock
Airlock Vulnerability Status: Airlock vulnerable, see resolution
Back-end Vulnerability Status: Does not affect back-end behind Airlock