Heartbleed is a bug in OpenSSL 1.0.1 and 1.0.2 beta dealing with support of the TLS Heartbeat extension. This bug, which has caused information to leak from an Internet server, has been estimated to affect up to two-thirds of web servers. It allows information from server memory to leak to an attacker, possibly compromising server keys, passwords and other valuable information. Since OpenSSL is a widely-used encryption library, it has affected major Internet providers such as Google, Yahoo, Facebook, and many more. It has been confirmed that the vulnerability has been in place and available for hackers to exploit for an unknown amount of time (up to two years).
Before you start changing all your passwords, it’s important to know how different companies are addressing the issue. If a company’s server is at risk, but it hasn’t patched the site yet, a password change won’t be useful until the patch is applied.
Our Response at Dimensional Insight
Upon hearing about the issue, the Dimensional Insight operations team, which runs our InterReport BI Software-as-a-Service (SaaS) hosted deployments and other infrastructure, immediately reviewed our servers and determined that we are not running the affected version of OpenSSL on any of our servers. We also identified that DivePort running on a regular Tomcat web server would not use OpenSSL, and that encrypted DiveLine is not affected by the bug.
The only configuration of our software that we identified as potentially affected is a Tomcat configured to use the “Tomcat Native Connector”, which hands TLS to OpenSSL instead of the JVM’s own implementation. This is not the default option for Tomcat and requires some configuration to work properly; installations performed by Dimensional Insight Customer Support would not be using this feature. Even then, exposure would depend on which version of OpenSSL is in use on the system.
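The two checks described above, version of OpenSSL on the host and whether Tomcat is using the Native Connector for TLS, as an added example script; this is not Dimensional Insight’s code, the function names and the default server.xml path are assumptions, and the version ranges are the publicly documented affected releases (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g).

```shell
#!/bin/sh
# Added triage helpers (not Dimensional Insight code). Classifies an "openssl version"
# banner by the publicly known affected range and checks a Tomcat server.xml for a
# TLS-enabled Tomcat Native (APR) connector, the one configuration named above that
# routes TLS through OpenSSL instead of the JVM.

# Print vulnerable | not-vulnerable | unknown for an "openssl version" banner.
# Caveat: distributions backport fixes without bumping the version string, so
# "vulnerable" here means "check the package changelog", not "confirmed".
classify_openssl_version() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9A-Za-z.-]*\).*/\1/p')
  case "$ver" in
    1.0.1[g-z]*)        echo not-vulnerable ;;  # 1.0.1g and later carry the fix
    1.0.1|1.0.1[a-f]*)  echo vulnerable ;;      # 1.0.1 through 1.0.1f ship the bug
    1.0.2-beta1*)       echo vulnerable ;;      # the 1.0.2 beta the post refers to
    1.0.2*|1.1.*|3.*)   echo not-vulnerable ;;  # later betas and releases are fixed
    0.9.*|1.0.0*)       echo not-vulnerable ;;  # no heartbeat support before 1.0.1
    *)                  echo unknown ;;         # not OpenSSL, or an unparsable banner
  esac
}

# Return 0 (true) when $1 (a server.xml) has a live <Connector> that uses the APR
# protocol class and has SSLEnabled="true". The file is flattened to one line so
# attributes may span lines, and commented-out connectors are stripped first.
tomcat_native_tls_enabled() {
  tr '\n' ' ' < "$1" |
    sed -E 's/<!--([^-]|-[^-])*-->//g' |
    grep -o '<Connector[^>]*>' |
    grep 'Http11AprProtocol' |
    grep -q 'SSLEnabled="true"'
}

# Stand-alone use: inspect this host. A missing openssl binary or server.xml is tolerated.
echo "OpenSSL: $(classify_openssl_version "$(openssl version 2>/dev/null || true)")"
conf="${CATALINA_BASE:-/var/lib/tomcat}/conf/server.xml"   # assumed default location
if [ -r "$conf" ]; then
  if tomcat_native_tls_enabled "$conf"; then
    echo "Tomcat: Native/APR TLS connector enabled in $conf (OpenSSL is in the TLS path)"
  else
    echo "Tomcat: no Native/APR TLS connector in $conf (JSSE; OpenSSL not in the path)"
  fi
fi
```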
Customers with questions about Heartbleed or any other security issues should feel free to contact Dimensional Insight Customer Support. We will continue to ensure that our software and services are protected.
In addition, now is a good time to remind your users about good security practices. Use strong passwords, do not reuse the same password for multiple Internet services, install security updates, and be careful about opening (and especially running!) attachments in emails.
Post by Stan Zanarotti