LegalSEC® - Cybersecurity

OpenSSL Heartbleed: Vendor Updates

By Peggy Wechsler posted 04-12-2014 16:56

Heartbleed is a security vulnerability in OpenSSL, which is software used to protect and encrypt sensitive information. The vulnerability lets a hacker access the memory of servers where sensitive information can reside. According to Netcraft, 500,000 Web sites could be affected, which puts users' sensitive personal data -- including usernames, passwords, and credit card information -- at risk of being intercepted. The OpenSSL vulnerability also extends to the potential theft of a server's digital keys that are normally used to encrypt communications, and thus an attacker could get access to a company's secret internal documents.

ILTA is asking our vendor community to post comments below stating if their systems are affected and if so, what actions are being taken to protect against this breach.

NOTE:  Please put the name of your company in UPPER CASE at the beginning of your comment.

Comments

04-21-2014 17:55

CDW
The recently publicized “Heartbleed” SSL/TLS bug has received a tremendous amount of media coverage and, deservedly, a significant amount of concern amongst the IT security community. Rather than rehash the same information that has been shared repeatedly, I would like to offer some philosophical commentary, concise guidance, and additional resources to the IT community as a whole.
Read the rest and learn what you can do in the aftermath of this virus from CDW expert Sadik Al-Abdulla: http://cdw.io/KTm26d

04-21-2014 16:37

ESQUIRE INNOVATIONS, INC., a BigHand company
Esquire Innovations is aware of the vulnerability in OpenSSL (Heartbleed Bug). We can confirm that we do not utilize OpenSSL, therefore are not affected by the potential vulnerability.

04-18-2014 13:30

THOMSON REUTERS
Thomson Reuters is aware of the widely reported ‘Heartbleed’ vulnerability impacting certain versions of the OpenSSL web encryption program. The vast majority of our business applications do not rely on OpenSSL for web encryption and do not have exposure to this vulnerability.
Thomson Reuters takes the privacy and security of our customers’ information very seriously, and we are working to identify and remediate any servers which may be impacted by an unsecured version of OpenSSL.
At this time, customers do not need to take any action unless otherwise notified.
As part of our assessment and remediation efforts we will continue our vigilant monitoring programs to protect our customers’ information, and continue to provide updates as appropriate.

04-18-2014 12:25

WORLDOX
Worldox is not affected by the Heartbleed security vulnerability in OpenSSL.

04-17-2014 18:15

BIGHAND
At BigHand we are aware of the vulnerability in OpenSSL that is being widely described in news reports as the “Heartbleed Bug”. We can confirm that we do not use OpenSSL, and at no stage were our applications vulnerable to this issue. This applies to our Professional, Enterprise and mobile applications.

04-17-2014 15:14

CONTACTEASE www.contactease.com
ContactEase is not impacted by the Heartbleed security vulnerability. Our web add-on components (such as Mobile Solutions, Mailing List Manager, Change Tracker, Online Update and RSVP Forms) are required to be installed on IIS web servers, which do not by default rely on OpenSSL.
We still recommend that you check with your hosting provider or IT professionals to ensure your servers are not using OpenSSL. For more information about Heartbleed and what you should do, read our Heartbleed blog post http://ow.ly/vTMhK

04-16-2014 16:08

HOTDOCS
HotDocs is not affected directly, since
1) No HotDocs Software relies directly on OpenSSL libraries or code.
2) HotDocs Server is always deployed on Windows-based servers, where OpenSSL is not present by default.
3) HotDocs Server is typically deployed in combination with the IIS web server, which does not (by default) rely on OpenSSL.
4) HotDocs Server is often deployed behind firewalls, where HeartBleed attacks are not likely to be as prevalent anyway.
5) HotDocs Cloud Services is public-facing, but again has no reliance on OpenSSL and is therefore not vulnerable to the HeartBleed bug.
The only potential vulnerability we’re aware of would be IF someone deployed HotDocs Server on a public-facing Windows server (i.e. a server not otherwise protected from public attack behind a firewall) that was running a web server besides IIS (such as Apache), configured to use HTTPS via Windows-based OpenSSL. In this case, it is the web server software on that machine that (so long as it remains unpatched) may be vulnerable to the HeartBleed bug; in this case, it would be possible for HotDocs-related data (answer collections, etc.) to be among the data that is exposed to a potential attacker.
In summary, we do not believe that the HeartBleed vulnerability affects HotDocs directly, and it is unlikely to impact our customers’ use of HotDocs except as in the relatively uncommon situation outlined above.
For more information, visit the HotDocs blog:
http://www.hotdocs.com/blog/hotdocs-not-directly-affected-heartbleed

04-15-2014 21:57

INTEGREON
If you’ve been reading or watching the news in the last week, you have likely heard about the Heartbleed bug. This bug exposes usernames, passwords and other similarly sensitive information on the network – allowing unauthorized users to potentially access online identities and exacerbating the risk of faux websites posing as real ones (i.e. phishing) or “Man in the Middle” attacks (often leading to data theft). The vulnerability in question has been present in OpenSSL code for almost two years. Although it was only identified last week, companies are now obligated to review their own infrastructure and identify potential areas of weakness or concern for their customers.

At Integreon, we performed this internal audit last week and have verified that our systems do not utilize the technologies or configurations which would make them susceptible to the Heartbleed security flaw. More specifically, since we do not use Apache on our servers (i.e. Apache web servers use OpenSSL, the vulnerable component), we were not affected, but as a precaution scans were run on all our external facing servers. No evidence was found that any of our client systems have been impacted as a result of the Heartbleed vulnerability.

In general, as part of our ISO certification, we have external penetration testing performed at least once a year by a third party vendor. To further ensure the compliance of external facing sites, we utilize various industry standard security applications – SSLdigger, Digicert and nMap are the ones we employed to scan for the Heartbleed issue.

SSLDigger helps Integreon to comply with regulatory and industry encryption standards, including for example HIPAA and VISA’s Cardholder Information Security Program (CISP). It also provides limited support for Server Gated Cryptography (SGC), which is particularly helpful for financial services institutions with customers across the globe. This tool provides additional information to us as well while interpreting the results and letter grade.

We also use Digicert, the provider of our SSL certificates, to check for issues. Digicert not only checks for the Heartbleed vulnerability, but it checks for other weaknesses too.

Finally, our web servers are scanned utilizing nMap which probes computer networks in a number of ways, including for host discovery and service and operating system detection.

All of our servers scored Grade “A” with the Digicert and SSLdigger utilities and passed the varied scans of nMap too. In addition to the aforementioned scans, we ran Cisco phone scans as well and verified that any company issued Android phones are not using the impacted OS version (4.1.1). Our company issued iPhones and Windows Phones have not been impacted.

As the news regarding Heartbleed is still developing, we will continue to stay informed, investigate and remain proactive in our response and preparedness. Securing our clients’ data has always been a top priority for us and we will continue to look for areas of concern and update our clients as and if more information becomes available.

04-15-2014 15:26

OPENTEXT
OpenText is aware of and has been carefully monitoring the recent news surrounding the Heartbleed bug. This bug exploits a vulnerability in OpenSSL software, and is an Internet-wide issue that impacts hundreds of thousands of systems.
To help reduce the risk to our customers, OpenText has proactively reviewed all of our services to assess the potential impact of the issue described in CVE-2014-0160 (the Heartbleed bug). We have completed a technical risk assessment and any vulnerable systems have been remediated, with hotfixes applied.
At OpenText, we are committed to ensuring the security and privacy of our customers’ information. As such, we will safeguard our customers' information by continuing to evaluate our software products and taking immediate action to reduce any potential risks associated with the Heartbleed bug.

04-15-2014 11:31

LEVIT & JAMES, INC.
We would like to assure all of our customers that none of our applications are web-based, and therefore do not employ OpenSSL. Additionally, neither the Levit & James website nor our firewall employs OpenSSL. As a result, all indications are that our site has not been affected by the Heartbleed vulnerability.

04-15-2014 11:14

PROSPEROWARE
A serious vulnerability in the OpenSSL software library used to secure network communications for many websites was recently discovered by security researchers, who have named the bug Heartbleed.
• All of Prosperoware’s products run on Microsoft’s Internet Information Services (IIS) platform, which does not use OpenSSL. As a result, NO PROSPEROWARE product is affected by the Heartbleed bug.
• If you are using any third-party tools such as a reverse proxy in conjunction with Milan or Zone, please contact the appropriate vendors to confirm whether their software is affected by Heartbleed.
• Zendesk, the company that hosts our support site, has issued a statement outlining the company’s response to the vulnerability. While we have no reason to believe that any user data has been compromised, we would strongly suggest changing your password the next time you log in to the website.

04-15-2014 10:16

LEXISNEXIS
Important Information for LexisNexis Legal & Professional Customers regarding a vulnerability in OpenSSL cryptographic software.
On Tuesday, April 8, 2014, a vulnerability was publicly disclosed by the OpenSSL Project (please see the references below for additional information) and was also publicized by the media. This vulnerability affects specific versions of OpenSSL, a cryptographic library that is used to secure confidential data in transit over the Internet. This vulnerability has been referred to as "Heartbleed".
LexisNexis Legal & Professional has conducted a vulnerability assessment and has confirmed that the following products that you may use are not affected by the vulnerability:
lexis.com®
nexis.com®
Lexis Advance®
Risk Management Page
LexisNexis® Publisher
LexisNexis® Courtlink
LexisNexis® atVantage
All products that use www.lexisnexis.com as a signin page

04-15-2014 08:57

HELIENT SYSTEMS LLC
In terms of key infrastructure, here are some statements regarding the Heartbleed vulnerability:
Citrix Products - http://bit.ly/1g8OQlv
**Vulnerable - XenMobile (in certain situations)
VMware Products - http://bit.ly/1no9Ea8
**27 patches, by 4/19 - including vCenter Server 5.5 and ESXi 5.5
Kemp & F5 Load Balancers - http://bit.ly/1ktlLmk

04-15-2014 05:24

WORKSHARE
Workshare is pleased to confirm that customers are not affected and no breaches resulting from HeartBleed have been identified.
For customers of our desktop products, Workshare Professional, Compare and Protect: none of these applications are affected whatsoever.
For customers using Workshare's online file sharing and collaboration services: the Workshare team became aware of this risk on Wednesday 9th April and took urgent precautionary measures to ensure the security of all our customers' data is maintained. No breaches were identified, and security patches to all servers were applied immediately. All server SSL keys were renewed and, as a further precautionary measure, all open sessions with Workshare were expired, meaning everyone was required to log back in.
Matthew Brown - VP Product Management

04-15-2014 03:35

VUTURE
‘The Vuture platform and client data not affected by the recent Heartbleed security bug’ says Vuture CTO, Tufan Unal.
In response to the HEARTBLEED situation, Chief Technology Officer, Tufan Unal, recently confirmed:
‘The Vuture platform and client data held in our cloud hosting infrastructure is unaffected by the recent Heartbleed software bug. Our systems do not use the affected OpenSSL software.’
Vuture are advising clients that if they require any further information regarding this issue to contact their account manager.
For Vuture's full press release and contact information to discuss further see:
http://vutu.re/news/heartbleedbugrelease.aspx

04-14-2014 19:30

DAEGIS
Daegis Edge hosted eDiscovery and Daegis AXS-One Archive are unaffected by the Heartbleed security bug. We do not use OpenSSL, or any other open source components, to secure our software. We take our clients’ security seriously and that is why Daegis is ISO 27001:2005 Certified for Information Security Management. ISO/IEC 27001:2005 certification is an internationally recognized best practice for information security. We have controls in place that exceed industry standards and are audited annually by independent auditors to ensure we are in compliance.
We have thoroughly assessed our hosting infrastructure to make sure none of its components are affected by Heartbleed. No vulnerabilities have been found—we are Heartbleed free, software and hardware.
We contacted all of our clients last week, within days of the Heartbleed announcement, to assure them their data continues to remain private and secure when hosted in Daegis Edge and stored in the Daegis AXS-One Archive.

04-14-2014 17:38

DIGITAL DEFENSE
Mike Cotton, Chief Security Architect at Digital Defense, Inc., a security risk assessment provider, offers insight on the Heartbleed Bug:
Q: Why is the Heartbleed bug considered to be such a serious threat?
A: The technology affected by the Heartbleed flaw, OpenSSL, is a cornerstone technology of secure communications on the internet. It is embedded into thousands of software packages and network devices, all of which will need to be either updated or taken offline.
While early media reports of the flaw tended to focus on OpenSSL usage in the Linux operating system, the truth is that the embedding of OpenSSL into both network devices and Windows software packages may present a more immediate threat for a typical business user. Companies such as Cisco / F5 / McAfee / Juniper / SonicWall and countless others are now coming forward and listing affected products.

The nature of the SSL Heartbleed flaw is that it allows retrieval of sensitive information and credentials that have been used in the past on any affected system. These could be VPN credentials allowing access from the internet into your internal network, or credentials customers use to log in to a home-banking site. Any credentials that have been used in the past on an affected system must now be considered suspect. The same goes for private emails sent to an affected mail relay or any other sensitive information.
Learn more: http://www.ddifrontline.com/company/news/2014/04/u7620/Test-Your-Risk-for-the-Heartbleed-Bug

04-14-2014 16:26

KIERSTED SYSTEMS
We are very pleased to report that none of the web sites or portals that Kiersted operates use the OpenSSL software library, nor do they use the operating systems for which OpenSSL is designed; as a result none of our services are vulnerable to this threat. Kiersted prides itself on its high level of commitment to stringent standards of security. We continue to actively monitor this situation. If you have any additional questions for Kiersted regarding this issue, please address them to: Heartbleed@kiersted.com

04-14-2014 15:44

PAYNEGROUP is happy to share that our products are not affected by Heartbleed.

04-14-2014 14:23

WINSCRIBE is happy to report that none of our applications are affected by the "Heartbleed" vulnerability. Winscribe software does not use OpenSSL.

04-14-2014 14:19

DOCAUTO
After thorough testing, DocAuto is happy to announce our applications, internal administration systems, and hosted systems provided by third parties were unaffected by Heartbleed. Customers can continue to safely use DocAuto applications and be assured that information stored by DocAuto is secure.

04-14-2014 13:53

DTI dtiglobal.com
DTI actively monitors its systems for security threats and after a careful assessment the company confirmed that it is not vulnerable to the Heartbleed OpenSSL security threat. DTI management considers the security and privacy of client information to be of the highest priority. DTI goes to great lengths in order to protect the confidentiality, integrity and availability of these assets. Its data security and privacy standards are among the industry’s best.
DTI wants to create awareness about the vulnerability and encourage people to review their individual sites and systems for exposure. For more information, please visit the following website: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160.

04-14-2014 12:49

iTimeKeep not affected by HeartBleed vulnerability
As reported in the news this week, a major bug nicknamed HeartBleed was reported in OpenSSL, the open source cryptographic library used by many websites around the world to protect your information as it is transmitted over the internet. The HeartBleed bug impacted an estimated two-thirds of all websites, so Bellefield reacted quickly to ensure your data stayed safe. For a good technical explanation of the HeartBleed bug we recommend reading this article: http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html

After learning about this vulnerability we quickly performed an assessment of our infrastructure and determined that none of it was affected by HeartBleed.

It is good news that iTimeKeep customers are safe, and rest assured, it is even better news to know that you have the expertise of the whole Bellefield team behind you to make sure your attorneys continue to enjoy secure and uninterrupted mobile time entry even during these challenging times.

We treat security with the highest priority and remain committed to ensuring the ongoing safety of your data meets our high expectations. If you have any questions, don't hesitate to email us at support@bellefield.com with your questions.
Thank you,
The Bellefield Team

04-14-2014 12:32

NETDOCUMENTS
NetDocuments wishes to inform our users that the NetDocuments US Service does not currently have such exposure, because the particular OpenSSL library is not deployed in our production datacenter.
The NetDocuments UK Service, however, did deploy the OpenSSL libraries. We have already patched this library and have replaced our SSL certificates world-wide.
NetDocuments Service will continue to monitor and manage our security infrastructure to ensure that all hosted documents and communications are safe.

04-14-2014 12:02

HANDSHAKE SOFTWARE:
Handshake Software products are not subject to the Heartbleed exploit in any configuration of which we are aware. By default IIS and therefore Handshake Software products do not use OpenSSL which was the attack surface that Heartbleed exploited. Please read this link for part of Microsoft’s official response:
http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
You can read more about Handshake Software and the Heartbleed vulnerability here: http://bit.ly/1qWP8xr

04-14-2014 11:36

COREBTS - SEE RELATED LINK ABOVE FOR HEARTBLEED WEBINAR
Many of you may have already heard of “Heartbleed” – in the past 24 hours, the issue has gone mainstream, with every major news outlet reporting on this vulnerability. CoreBTS understands the potential impact to our clients. Please keep in mind this is a very dynamic situation, with new information being reported nearly every hour. Our goal is to arm you with information to help combat this situation. INFORMATION WILL BE PROVIDED VIA EMAIL TO ALL MEMBER LAW FIRMS:
FOR LOCAL PRESENCE - NEW YORK CITY/FIVE BOROUGH/LONG ISLAND MEMBER LAW FIRMS:
If you'd like to receive information via email, please feel free to contact Sherri Blum @ Sherri.Blum@corebts.com or call (631) 982-4786
http://www.corebts.com/heartbleed/

04-14-2014 11:04

COREBTS RECOMMENDATIONS -
• If possible, patch your systems to remediate this issue. Check vendor mailing lists to see if and when vendors will be releasing specific updates. For large vendors, this will likely be addressed quickly; smaller vendors are likely to be slower to react.
• Where possible, systems/applications that can be segmented on an internal network should be (e.g. VMWare management consoles, "lights out" management).
• Perform checks on your systems using: https://www.ssllabs.com/ssltest/ or http://filippo.io/Heartbleed/
• If you have an IDS/IPS/SIEM, a properly positioned IDS/IPS/sensor configured with rule-sets can detect HeartBleed exploit attempts and will assist in detecting active attacks.
• For Cisco IPS - the Cisco IPS signatures written for the vulnerability are 4187/0 and 4187/1, which are included as part of Cisco IPS Signature Update Package S785.
• For SourceFire/Snort - the Sourcefire Snort SIDs for this vulnerability are 30510 through 30517.
• If impacted, replace your certificates.
• Consider changing passwords, and/or forcing a password change for your users.
INFORMATION IS AVAILABLE TO ALL MEMBER LAW FIRMS.
FOR A LOCAL PRESENCE: N.Y.C./FIVE BOROUGH/LONG ISLAND MEMBER LAW FIRMS:
For a Vulnerability Assessment, please contact Sherri Blum @ sherri.blum@corebts.com or phone (631) 982-4786
http://www.corebts.com/heartbleed/

04-14-2014 10:44

PHOENIX BUSINESS SOLUTIONS
There is a potential vulnerability to users of the Phoenix Worksite to SitePoint Publishing tool, release 1.1.3 or below, for which revised SSL certificates will be issued by HighQ today. We are pleased to confirm that all other Phoenix developed products remain unaffected.
For users of HP WorkSite, the Heartbleed vulnerability in OpenSSL can only affect WorkSite Server 9.0 Update 4 and 9.0 SP1 if you are using WorkSite Anywhere. If you are running WorkSite Server 9.0 Update 4 and 9.0 SP1 and NOT using WorkSite Anywhere there is no impact from this vulnerability. HP Autonomy have released a quick update to address this vulnerability. The update, named CSAR-1692, contains a new build of imDmsSvr.exe and imDmssvc.pdb. Due to the seriousness of this vulnerability, Phoenix recommend an emergency deployment of this update if using the affected versions. The patch can be downloaded by following this link:
https://cms.hpflowcm.com/public.html#public/doc/77AxXbmY9-0JK541jmmVmjGc01H85KNoc4ZWg1E_mAk
Please note that WorkSite Web is not affected because IIS does not utilise OpenSSL.
For more information on The Heartbleed Bug – http://heartbleed.com/
To test a URL or Hostname for Vulnerability – http://filippo.io/Heartbleed/
If you would like to discuss this in more detail, then please contact Support@phoenixbs.com.

04-14-2014 10:31

SECURELINK
www.securelink.com
SecureLink servers and Gatekeepers are not affected by this vulnerability.
SecureLink servers use OpenSSL library version 0.9.8e, which is not on the list of affected OpenSSL versions.

04-14-2014 09:52

CHROME RIVER TECHNOLOGIES
www.chromeriver.com
------------------------------------
As previously posted to our customers directly through the online Chrome River Help Desk notifications:
With the news and attention growing related to the Heartbleed Bug which is a vulnerability in the popular OpenSSL cryptographic software, we wanted to communicate to our customers that this appears to have no effect on Chrome River servers. The architecture of the Chrome River system has the majority of servers terminating internally at the load balancer which are not using OpenSSL and therefore were not affected at all by this security issue. We have also fully analyzed all of our externally accessible servers and determined that all of these were using unaffected versions of OpenSSL. Regardless, we have updated these servers with the fix already as well anyway. Further, all of our internally accessible servers have received the same update as well.
We fully recognize that data security is of utmost importance and wanted to share our findings with you so that you may reassure others if there are any concerns.
-Chrome River

04-14-2014 09:42

BILLBLAST
www.bill-blast.com
BillBLAST is pleased to announce that our customers are not affected by the Heartbleed vulnerability. This vulnerability is specific to OpenSSL and compromises the security mechanisms used to safely encrypt and transmit data across the internet. Fortunately, Heartbleed does not affect BillBLAST because BillBLAST Architecture does not depend on OpenSSL. BillBLAST is a Microsoft Partner utilizing the Windows Azure Technology Platforms. The Windows Azure components used by BillBLAST also do not use OpenSSL. "Microsoft Account and Microsoft Azure, along with most Microsoft Services, were not impacted by the OpenSSL vulnerability", says the software giant. "Windows' implementation of SSL/TLS was also not impacted. Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections", adds the company. "Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability". For any further questions related to BillBLAST, please contact support@bill-blast.com.

04-14-2014 09:17

RANDY STEERE LLC
rsteere.com
We are happy to report that none of our products are affected by the "heartbleed" vulnerability.
Randy Steere

04-14-2014 09:05

HIGHQ
highq.com
HighQ was partially affected by the "Heartbleed" vulnerability. All affected services were fully patched last week. We will be changing affected certificates today. For information, please see this update:
http://highq.com/handled-heartbleed-openssl-issue-ongoing-efforts/

04-13-2014 18:42

DOCSCORP www.docscorp.com
DocsCorp is pleased to confirm that none of its applications are affected by Heartbleed. Further, an audit of all DocsCorp internal administration systems and hosted administration systems provided by third parties are also unaffected by this issue. DocsCorp customers can safely continue to use its software applications and be assured that their company and contact information stored by DocsCorp is secure.
Dean Sappey
President - DocsCorp

04-12-2014 20:54

CERT is maintaining a current list of affected major manufacturers with links to each of their respective security releases. Check back frequently as the site is updated throughout the day.
http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4
You can test any URL or hostname for the Heartbleed vulnerability at the sites below. Careful though: a successful test today doesn't mean the site wasn't previously affected.
https://www.ssllabs.com/ssltest/
http://filippo.io/Heartbleed/
For those security-conscious organizations, you can check a site's certificate issuance date. Certificates issued since April 7 won't be at risk of having been compromised earlier via the Heartbleed bug.
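The CoreBTS checklist earlier in this thread (patch, then replace certificates and rotate passwords if impacted), SecureLink's point that 0.9.8e falls outside the affected version range, and the CERT note above about certificate issuance dates amount to two checks a firm's IT staff can script across a server inventory. The Python below is an added example for this page, not code from CERT or from any vendor in the thread. The host names, version strings and dates in it are constructed, the `previously_exposed` flag is an assumed operator-supplied input, and it assumes the affected releases are OpenSSL 1.0.1 through 1.0.1f plus the 1.0.2-beta1 pre-release, fixed in 1.0.1g, which is what the OpenSSL advisory for CVE-2014-0160 states.

```python
"""Heartbleed (CVE-2014-0160) triage for a host inventory.

Added example for this thread, not code from CERT or any vendor above.
Two checks: (1) is the reported OpenSSL build one of the affected
releases, and (2) was the server certificate issued after the public
disclosure, i.e. after the window in which its key could have leaked.
"""
import re
import ssl

# Affected upstream releases: 1.0.1 .. 1.0.1f and the 1.0.2-beta1
# pre-release. 1.0.1g (7 Apr 2014) carries the fix. The 0.9.8 and 1.0.0
# branches never contained the heartbeat extension code.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?")

# The CERT comment's cutoff: a certificate issued on or after 7 April 2014
# cannot have had its key exposed through Heartbleed before issuance.
DISCLOSURE_CUTOFF = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")

PATCH = "patch OpenSSL to 1.0.1g or later (or apply the vendor hotfix)"
REISSUE = "reissue the certificate with a NEW private key and revoke the old one"
ROTATE = "force a password change for users of this service"


def parse_openssl_version(text):
    """Pull (major, minor, fix, letter, beta) out of 'openssl version'
    style output such as 'OpenSSL 1.0.1e 11 Feb 2013'. None if absent."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, beta


def is_heartbleed_version(text):
    """True if the reported build is one of the affected upstream releases.
    Distro backports that keep the old version letter will show as
    affected here; confirm those against the package changelog."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # bare 1.0.1 ('' letter) through 1.0.1f; 1.0.1g and later are fixed
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == "beta1"
    return False


def cert_issued_after_disclosure(not_before):
    """not_before is the 'notBefore' string as returned by
    ssl.SSLSocket.getpeercert(), e.g. 'Apr 10 08:15:00 2014 GMT'."""
    return ssl.cert_time_to_seconds(not_before) >= DISCLOSURE_CUTOFF


def triage(version_text, not_before, previously_exposed=False):
    """Return the ordered action list for one host.

    previously_exposed (assumed operator input) records that the host ran
    an affected build before being patched; a current-version check alone
    cannot tell that, yet the certificate still needs replacing."""
    vulnerable_now = is_heartbleed_version(version_text)
    exposed = vulnerable_now or previously_exposed
    actions = []
    if vulnerable_now:
        actions.append(PATCH)
    if exposed and not cert_issued_after_disclosure(not_before):
        actions.append(REISSUE)
        actions.append(ROTATE)
    return actions


# Constructed sample inventory (host names and values are made up):
# (host, 'openssl version' output, certificate notBefore, previously_exposed)
INVENTORY = [
    ("vpn.example.test", "OpenSSL 1.0.1e 11 Feb 2013", "Mar  3 00:00:00 2013 GMT", False),
    ("web.example.test", "OpenSSL 1.0.1g 7 Apr 2014", "Jun  1 00:00:00 2013 GMT", True),
    ("mail.example.test", "OpenSSL 1.0.1g 7 Apr 2014", "Apr 10 08:15:00 2014 GMT", True),
    ("legacy.example.test", "OpenSSL 0.9.8e 23 Feb 2007", "Jan 15 00:00:00 2014 GMT", False),
]


def triage_inventory(inventory=INVENTORY):
    """Map each host to its action list; an empty list means no action."""
    return {host: triage(ver, nb, exposed) for host, ver, nb, exposed in inventory}


if __name__ == "__main__":
    for host, actions in triage_inventory().items():
        print(host, "->", actions or ["no action"])
```

Two things the script cannot see on its own. Linux distributions often backported the fix without changing the upstream version letter, so a patched package can still report 1.0.1e; treat a "vulnerable" verdict from the version string as a prompt to check the package changelog or run a handshake-based test such as the ssllabs or filippo.io checks linked in this thread. And a certificate dated after 7 April only helps if it was issued against a newly generated private key: reissuing with the old key leaves a key that may already have leaked in service.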

04-12-2014 18:51

MICROSOFT - please refer to the following blog posts for information about Microsoft services status relative to the Heartbleed vulnerability:
http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx
http://blogs.msdn.com/b/windowsazure/archive/2014/04/09/information-on-microsoft-azure-and-heartbleed.aspx
http://blogs.msdn.com/b/securitytipstalk/archive/2014/04/10/heartbleed-what-you-need-to-know.aspx
For any future Internet safety or security concerns, please refer to the Microsoft Internet Safety & Security Center:
http://www.microsoft.com/security/default.aspx