WebNMS Developer Forums
OpenSSL HeartBleed Bug
Quick confirmations:
1. The default Tomcat/JRE bundled with WebNMS is NOT vulnerable to this bug.
2. Hence WebNMS 5.0 / 5.0SP1 / 5.2 / 5.2SP1 (and EMS/NMS applications built on 5.x) are not affected.
3. If you used OpenSSL 1.0.1 to 1.0.1f for SSL communication with WebNMS 4.7.x, then your service is affected.
4. If you have been using Tomcat's APR connector, which links Tomcat to OpenSSL (chances are very remote), then your EMS/NMS application is vulnerable to this bug.
In detail...
Hope you are aware of the Heartbleed bug.
The Heartbleed vulnerability, a serious flaw in OpenSSL's TLS implementation, is perhaps the biggest vulnerability in internet history and has sent panic waves. Naturally, you would be very concerned, and we are sure you would want to hear from us on its impact on WebNMS.
If you are wondering what the Heartbleed bug is all about, this is for you: it is a bug in OpenSSL's TLS implementation, a software library used to secure the transmission of private information. It is actually a memory disclosure bug: an attacker can read private memory handled by OpenSSL, which can expose server private keys and pave the way to theft of private information. It is indeed a very serious vulnerability.
The good news: WebNMS is NOT vulnerable to Heartbleed due to the following reasons:
Other Details:
Who is mainly affected?
If your EMS/NMS application uses Apache with OpenSSL 1.0.1 through 1.0.1f for SSL communication, it may be affected.
The OpenSSL 1.0.1g, 1.0.0x and 0.9.8x branches are NOT vulnerable.
How to know whether my EMS/NMS application is affected?
Enter your URL (it must be reachable from the public internet) at this website to find out whether your service is vulnerable.
How can OpenSSL be fixed?
Even though the actual code fix may appear trivial, the OpenSSL team is the expert in fixing it properly, so the fixed version 1.0.1g or newer should be used. If this is not possible, software developers can recompile OpenSSL with the TLS heartbeat extension removed from the code via the compile-time option -DOPENSSL_NO_HEARTBEATS.
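The version ranges given in the two answers above (1.0.1 through 1.0.1f affected; 1.0.1g and newer, 1.0.0x and 0.9.8x not affected) can be turned into a local inventory check for hosts that are not reachable from a public scanner. The following shell script is an added example, not part of the original post or of WebNMS; it classifies an `openssl version` banner against those ranges and reports the remediation named above. The banner strings are constructed for illustration, and the optional `check_local_openssl` helper assumes an `openssl` binary is on PATH.

```shell
#!/bin/sh
# Classify an "openssl version" banner against the Heartbleed-affected
# range stated in the post: OpenSSL 1.0.1 through 1.0.1f are affected;
# 1.0.1g and later, and the 1.0.0 / 0.9.8 branches, are not.
# Prints exactly one of: affected, not-affected, unknown.
heartbleed_status() {
    # $1 is the full banner, e.g. "OpenSSL 1.0.1f 6 Jan 2014" (constructed sample)
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }   # not an OpenSSL banner (e.g. LibreSSL)
    case "$ver" in
        1.0.1)          echo affected ;;       # 1.0.1 with no letter suffix
        1.0.1[a-f])     echo affected ;;       # 1.0.1a .. 1.0.1f
        1.0.1[a-z]*)    echo not-affected ;;   # 1.0.1g and later letters
        1.0.0*|0.9.8*)  echo not-affected ;;   # branches the post lists as safe
        *)              echo unknown ;;        # other branches: not covered by the post
    esac
}

# Remediation text for a given status, following the post's advice.
heartbleed_advice() {
    case "$1" in
        affected)
            echo "Upgrade to OpenSSL 1.0.1g or newer; if impossible, rebuild with -DOPENSSL_NO_HEARTBEATS" ;;
        not-affected)
            echo "No action required for Heartbleed" ;;
        *)
            echo "Version not covered by this check; verify manually" ;;
    esac
}

# Optional helper (assumes "openssl" is on PATH): check the host's own library.
check_local_openssl() {
    banner=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 1; }
    status=$(heartbleed_status "$banner")
    printf '%s -> %s: %s\n' "$banner" "$status" "$(heartbleed_advice "$status")"
}

# Constructed sample banners, run when the script is executed directly.
if [ "${0##*/}" = "heartbleed_check.sh" ]; then
    for b in "OpenSSL 1.0.1f 6 Jan 2014" "OpenSSL 1.0.1g 7 Apr 2014" "OpenSSL 0.9.8y 5 Feb 2013"; do
        s=$(heartbleed_status "$b")
        printf '%s -> %s: %s\n' "$b" "$s" "$(heartbleed_advice "$s")"
    done
fi
```

Because the check reads only the reported version string, it cannot see distribution backports that patch the bug without bumping the version letter; treat an "affected" result as a prompt to verify the package's changelog rather than as a final verdict.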
Can I detect if someone has exploited this against me?
Exploitation of this bug leaves no trace in the logs; nothing abnormal is recorded.
Where can I get more details about this bug?
Please read the single-page website http://heartbleed.com.