SSL – The Heartbleed Bug

A new vulnerability in the OpenSSL libraries has been discovered.

The vulnerability is also known as The Heartbleed Bug. More about it can be found here.

If you are deploying IntraWeb applications as Services or Stand Alone servers and you are using HTTPS/SSL, you must update your OpenSSL libraries (see vulnerable versions below). Of course, this is not needed if you are deploying as ISAPI or ASPX Library.

We have already updated our links; they now point to newer OpenSSL libraries that fix this vulnerability. You can download new OpenSSL libraries here.

If you suspect that an application of yours using old, vulnerable OpenSSL libraries has been compromised, you may also:

  • Generate new certificates for your application
  • Generate new credentials for all your users

Read more about recovering from a possible attack in the topic “What is leaked primary key material and how to recover?” in the document pointed to by the first link.

Not all OpenSSL versions are vulnerable:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable
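
To check which OpenSSL build is actually deployed next to an application, the version banner embedded in the library file can be read and compared against the list above. The following is an added example, not IntraWeb or OpenSSL code; the function names and the sample bytes are constructed for illustration, and it assumes that 1.0.1 releases after 1.0.1g keep the fix.

```python
import re

# Version banner that OpenSSL embeds in its binaries and reports at runtime,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def classify(version):
    """Map (major, minor, fix, letter) onto the version list in this advisory."""
    branch, letter = version[:3], version[3]
    if branch == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g is fixed.
        # Assumption: later letters on this branch keep the fix.
        return "vulnerable" if letter < "g" else "not vulnerable"
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"
    return "not covered by the advisory's list"


def scan(data):
    """Return {banner: verdict} for every OpenSSL banner found in raw bytes."""
    found = {}
    for m in BANNER.finditer(data):
        version = (int(m[1]), int(m[2]), int(m[3]), m[4].decode())
        found[m[0].decode()] = classify(version)  # repeated banners collapse
    return found


def scan_file(path):
    """Scan a library file on disk (path is supplied by the caller)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: bytes shaped like a fragment of an OpenSSL library image.
SAMPLE = (b"\x00\x00SSLv3 part of OpenSSL 1.0.1e 11 Feb 2013\x00"
          b"\x00OpenSSL 1.0.1e 11 Feb 2013\x00\x90\x90")

if __name__ == "__main__":
    for banner, verdict in scan(SAMPLE).items():
        print(banner, "->", verdict)
```

The banner reflects the upstream release only, so a vendor build that backports the fix without changing the version string would still be reported as vulnerable.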