Heartbleed Bug affecting WebLogic, WebSphere, Apache & other middleware application / web servers?
We are all hearing various news about the Heartbleed Bug, so let's see which of our middleware application servers are affected by it:
Here is a brief review of the bug, CVE-2014-0160:
“OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to expose 64k of private memory and retrieve secret keys. An attacker can repeatedly expose additional 64k chunks of memory. This vulnerability can be remotely exploited, authentication is not required and the exploit is not complex. An exploit can only partially affect the confidentiality, but not integrity or availability.”
OpenSSL versions affected:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable to CVE-2014-0160
- OpenSSL 1.0.1g is NOT vulnerable to CVE-2014-0160
- OpenSSL 1.0.0 branch is NOT vulnerable to CVE-2014-0160
- OpenSSL 0.9.8 branch is NOT vulnerable to CVE-2014-0160
- OpenSSL 0.9.7 branch is NOT vulnerable to CVE-2014-0160
Source: http://heartbleed.com/ (refer to this link for more info)
Here is what I gathered from various resources:
- IBM WebSphere & IHS servers: IBM WebSphere Application Server and IBM HTTP Server are not vulnerable to the CVE-2014-0160 Heartbleed vulnerability: http://www-01.ibm.com/support/docview.wss?&uid=swg21669774
- OpenSSL Security Bug - Heartbleed (Doc ID 1645479.1): https://support.oracle.com/epmos/faces/DocumentDisplay?id=1645479.1 lists the Oracle products affected by the bug; WebLogic/OHS/iPlanet are not affected.
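As an added example (not from the original post or from any vendor it cites), a small Python triage script that classifies `openssl version` output against the version ranges listed above; the host names and inventory lines are constructed, and the caveat in `triage_inventory` about distro-patched builds is the one check a practitioner must not skip.

```python
import re

# Affected ranges exactly as listed on this page for CVE-2014-0160:
# 1.0.1 through 1.0.1f vulnerable; 1.0.1g fixed; 1.0.0, 0.9.8, 0.9.7 not affected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def heartbleed_status(version_output):
    """Classify one `openssl version` output line as
    'vulnerable', 'not vulnerable' or 'unknown'."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)  # '' for plain 1.0.1, otherwise 'a', 'b', ... 'g', ...
    if branch == (1, 0, 1):
        # '' and 'a'..'f' sort before 'g'; 'g' and later carry the fix
        return "vulnerable" if letter < "g" else "not vulnerable"
    if branch in ((1, 0, 0), (0, 9, 8), (0, 9, 7)):
        return "not vulnerable"
    # Anything the page does not list (e.g. 1.0.2 betas) is reported, not guessed
    return "unknown"

def triage_inventory(inventory_text):
    """Map 'host<TAB>openssl version output' lines to a verdict per host.

    Caveat: Linux distributions shipped the fix as a distro patch level without
    changing the upstream letter (a patched build still reports 1.0.1e), so a
    'vulnerable' verdict here means 'confirm against the vendor advisory and the
    package changelog', not a proven finding.
    """
    verdicts = {}
    for line in inventory_text.strip().splitlines():
        host, _, version = line.partition("\t")
        verdicts[host] = heartbleed_status(version)
    return verdicts

# Constructed sample inventory (hypothetical hosts), one `openssl version`
# output line per host.
SAMPLE_INVENTORY = """\
web01\tOpenSSL 1.0.1e 11 Feb 2013
web02\tOpenSSL 1.0.1g 7 Apr 2014
ihs01\tOpenSSL 0.9.8y 5 Feb 2013
lb01\tOpenSSL 1.0.1 14 Mar 2012
dev01\tOpenSSL 1.0.2-beta1 24 Feb 2014
"""

if __name__ == "__main__":
    for host, verdict in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(host, verdict)
```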
Affected:
- The most affected products are the Apache and nginx web servers, which rely on OpenSSL (Apache through the mod_ssl module). Other web servers such as IHS/OHS/iPlanet do not use Apache's mod_ssl and have their own SSL modules, which are not affected by Heartbleed.
- Also, if your application uses the server's OpenSSL and that OpenSSL is an affected version, it needs remediation.
Remediation:
If any instance with this bug is found, the following remediation needs to be taken:
- Upgrade to OpenSSL 1.0.1g: update your web server (Apache, nginx) to use OpenSSL 1.0.1g.
- If this is not possible, customers can recompile OpenSSL with the heartbeat extension removed from the code via the compile-time option -DOPENSSL_NO_HEARTBEATS.
- Please consult your server administrators with regards to updating or recompiling OpenSSL.
- OpenSSL 1.0.1g is now available, including bug and security fixes.
- As a safety measure it is highly advisable to replace the web server certificate after the OpenSSL upgrade.
  NOTE: Do not revoke your current certificate until the new replacement certificate is installed.
- Create a new private key & Certificate Signing Request (CSR).
  NOTE: Do not reuse the existing private key & Certificate Signing Request (CSR).
Source: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD831
The illustration below is from http://xkcd.com/1354/ and gives a better understanding of the bug: