I would add that you must change your password IF you used a website
that used the vulnerable OpenSSL version AND you visited that site
between April 6th and whenever that site was patched.

I stopped using HTTPS sites until I could test them and verify that they
were clear. Sure, there is an outside chance that your credentials were
compromised during the window that would be from whenever the 1.0.1
version was installed on the site until it was patched, but if your
credentials were leaked a while ago, there is really no reason why a
hacker wouldn't have already used them and/or monetized them already.
IOW - changing your password now would already be too late if the site
had been "secretly" been scraped over the past two years. Your personal
info is already on the net.

So I would stick to that original statement: Make sure you change the
password if you had visited the site while the exploit was public and
before it was fixed. But, it also pays to be paranoid and good secure
websites force you to regularly change the password in any case so go
ahead and change it....

Pete Helgren
GIAC Secure Software Programmer-Java

On 4/14/2014 2:38 PM, Steinmetz, Paul wrote:
Previously, we stated that if running OpenSSL 0.9.8, we were safe.
However, there was additional info in "The Four Hundred" dated 4/14, that states there are additional issues resolved by multiple PTFs.


"That leaves us the unexpected news. While the Heartbleed vulnerability doesn't impact the IBM i utilities package because it is running an older version of OpenSSL, other recently discovered OpenSSL vulnerabilities do impact IBM i. According to Watkins, IBM is currently working on a patch for CVE-2014-0076, or the "FLUSH+RELOAD Cache Side-channel Attack," which was disclosed March 25. You will want to keep an eye out for the PTF when it's ready.

In the last week, IBM has patched several other recently disclosed OpenSSL vulnerabilities that do impact the IBM i utility. CVE-2013-0169, or the "Lucky Thirteen" flaw, was addressed by IBM with PTFs SI49896, SI49904, and SI49867. CVE-2013-0166, a signature verification flaw, was addressed with SI49896, SI49904, and SI49867. To view PTF cover sheets and other related information on security patches for IBM i, go to the Preventive Service Planning webpage. You will probably want to apply these patches pronto. You will also want to make sure your other IBM products (WebSphere, Apache Web server, Notes/Domino) aren't impacted as well.

Several other recently disclosed OpenSSL vulnerabilities that don't impact the IBM i OpenSSL utility package include CVE-2013-4353, CVE-2013-6450, CVE-2013-6449, and CVE-2012-2686.

IBM isn't the only software vendor to use OpenSSL, of course, and there are several IBM i products that may also be affected by the Heartbleed flaw, but they don't appear to be in widespread use. This includes a client for a Subversion change management system from the Russian software company Banking Technologies and Consulting, and the old firewall from Stonesoft (now part of McAfee. There are undoubtedly others.

Townsend Security does use OpenSSL in its Alliance Key Manager solution, but it doesn't use a version that is affected by Heartbleed, CEO Patrick Townsend tells IT Jungle. "Townsend Security does NOT use OpenSSL in any of our IBM i products," Townsend says. The company's complete statement on the Heartbleed vulnerability can be read here.

Similarly, Linoma Software, which provides encryption and MFT software for IBM i, also doesn't use OpenSSL. Instead it relies on the JSSE implementation of SSL/TLS for encrypted sessions. You can read Linoma's take on the matter here.

Now's the fun part: Time to go change all your passwords! If you have any questions about which websites are particularly susceptible, check out the free Heartbleed vulnerability test website, www.ssllabs.com, which was set up by Qualys."

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Pete Helgren
Sent: Thursday, April 10, 2014 8:56 AM
To: Midrange Systems Technical Discussion
Subject: Re: OpenSSL Vulnerability Notice

If that is an SSH connection, you aren't vulnerable. SSH only uses the OpenSSL library for cryptography...the TLS portion of OpenSSL is what uses the "heartbeat" and has the problem. So, SSH (say puTTY using SSH) isn't vulnerable....

Pete Helgren
GIAC Secure Software Programmer-Java

On 4/9/2014 6:10 PM, Jerry Draper wrote:
When I connect to a server using OpenSSL I get this response when the
command line switch is set to -vvv:

OpenSSH_4.7p1, OpenSSL 0.9.8y 5 Feb 2013

Is this my client version or the version of the server?



This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.

This thread ...


Return to Archive home page | Return to MIDRANGE.COM home page