MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » April 2014

Re: OpenSSL Vulnerability Notice



fixed

More info at http://heartbleed.com/. Writeup at
https://www.schneier.com/blog/archives/2014/04/heartbleed.html.

"leak memory of transactions and possibly decrypt the encrypted data",
while correct, understates the severity of the problem. The vulnerability
allows random 64K chunks of web server memory to be returned to the
attacker. The attacker can make multiple requests to get more of the
memory space. Testing has shown the random chunks to include keys,
certificates, user names, passwords, password hints, and other data.

The vulnerability was introduced in 1.0.1 so the 0.9.8 version is safe. Do
not upgrade unless it's to 1.0.1g (or later).



On Wed, Apr 9, 2014 at 9:10 AM, Steinmetz, Paul <PSteinmetz@xxxxxxxxxx> wrote:

Has anyone seen and/or dealt with this issue?
We just received this from one of our 3rd party software vendors:

"Several news carriers have alerted the public of a vulnerability found
recently in OpenSSL. OpenSSL is an open-source version of the basic
encryption functions for computer security standards. Certain
client-facing CommSoft web applications require the use of Apache, which
uses OpenSSL. You might also have other applications (non-CommSoft) which
use OpenSSL, so you should be certain to check those as well.

The vulnerability is being referred to as the Heartbleed Bug. It allows
an attacker to leak memory of transactions and possibly decrypt the
encrypted data. Reports indicate that the vulnerability is found in version
V1.0.1 and subsequent subversions (a) through (f).

It is recommended that you perform your own research on this matter as
during my review of material I have found conflicting information as to
versions, the extent of the vulnerability, and corrective/preventative
action.

To determine the version of OpenSSL being used in Apache:
Open a DOS prompt on the production Apache web server. Navigate to the
BIN directory and type:

openssl.exe version

Hit enter.

If the version is 0.9 or earlier, the Heartbleed Bug has not been found in
these versions.
If your version is listed in one of the V1.0.1 versions listed above, you
will need an OpenSSL update.

To download the appropriate update, go to Openssl.org and follow the
instructions or you can contact CommSoft Client Support to assist in this
matter."


Thank You
_____
Paul Steinmetz
IBM i Systems Administrator

Pencor Services, Inc.
462 Delaware Ave
Palmerton Pa 18071

610-826-9117 work
610-826-9188 fax
610-349-0913 cell
610-377-6012 home

psteinmetz@xxxxxxxxxx
http://www.pencor.com/
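The version check the vendor notice describes, written up as an added example (not code from the thread or from CommSoft): it parses the banner that `openssl version` prints and applies the affected ranges stated above (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 0.9.8 and 1.0.0 never affected); the function names and the sample banners are constructed for this example.

```python
import re

# Banner shape printed by "openssl version", e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Groups: major, minor, fix, patch letter(s), optional "-suffix" (beta1, fips, ...).
_BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|fips|[\w-]+))?", re.I
)


def parse_version(banner):
    """Return (major, minor, fix, letters, suffix) from an openssl version banner."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letters, suffix = m.groups()
    return (int(major), int(minor), int(fix), (letters or "").lower(), (suffix or "").lower())


def is_heartbleed_vulnerable(banner):
    """True if the reported build is in the Heartbleed-affected range.

    1.0.1 (no letter) and 1.0.1a..1.0.1f are affected; 1.0.1g and later are fixed.
    0.9.8 and 1.0.0 predate the TLS heartbeat code and are not affected.
    1.0.2-beta1 was also affected (fixed in 1.0.2-beta2).
    """
    major, minor, fix, letters, suffix = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        return letters < "g"          # "" and "a".."f" sort before "g"
    if (major, minor, fix) == (1, 0, 2):
        return suffix == "beta1"
    return False


def classify(banner):
    """Human-readable verdict for one banner line."""
    return "%s: %s" % (banner.split()[1],
                       "VULNERABLE, update to 1.0.1g or later"
                       if is_heartbleed_vulnerable(banner) else "not affected")


if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real host.
    for sample in ("OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014"):
        print(classify(sample))
```

The version string alone can give a false positive on vendor-supplied builds that backport the fix without bumping the letter, so confirm against the vendor's advisory or the build date from `openssl version -a` before concluding a host is still exposed.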
