OpenSSL Heartbleed (CVE-2014-0160)

Last update: 4 August 2017

Summary

This article provides information about a security issue in the OpenSSL library.

Notice: This article was released urgently. Further information may be added, so please check back for updates.

Information

A severe programming error has been identified in the OpenSSL library, which affects the most recent versions of the OpenSSL library. A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
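
The missing check described above, shown as an added example in C (not OpenSSL's or Fabasoft's code): a heartbeat handler following the RFC 6520 message layout that discards any request whose payload_length field claims more data than actually arrived. The function name, constants and sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response (RFC 6520) */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING  16  /* minimum padding length (RFC 6520) */

/* Constructed sample records: type, payload_length, payload, 16 padding bytes. */
static const uint8_t HB_HONEST[] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
                                     0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
/* Same bytes on the wire, but payload_length claims 0x4000 (16384) bytes. */
static const uint8_t HB_OVERCLAIM[] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g',
                                        0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };

/* Build the response to the heartbeat request in rec[0..rec_len), where rec_len
 * is the number of bytes actually received. Returns the response length, or -1
 * if the request has to be silently discarded. */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;                       /* too short, or not a request */

    /* payload_length comes from the peer and is untrusted. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check this advisory is about: the claimed payload must fit
     * in the record that really arrived. Without it, the memcpy below reads
     * past the request into adjacent memory (up to 64k). */
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* echo the payload */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);   /* production code pads randomly */
    return (long)resp_len;
}
```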

More information can be found at:

Solution

If you use SSL on your server for any service, we strongly suggest that you make sure your server is not vulnerable and, if it is vulnerable, that you apply the fixes that most operating system vendors have already provided.

The OpenSSL library is used in a wide range of Fabasoft products as well, including Fabasoft Folio, Fabasoft eGov-Suite, Fabasoft Mindbreeze and Fabasoft app.telemetry.

Fabasoft Folio / Fabasoft eGov-Suite

The IMAP Server functionality in the following Fabasoft Folio versions may be affected (both Microsoft Windows and Linux):

  • Fabasoft Folio 2012 Fall Release
  • Fabasoft Folio 2013 Winter Release (fixed with Update Rollup 1 for Fabasoft Folio 2013 Winter Release)
  • Fabasoft eGov-Suite 2013 (fixed with Update Rollup 1 for Fabasoft eGov-Suite 2013)
  • Fabasoft Folio 2013 Spring Release
  • Fabasoft Folio 2013 Summer Release
  • Fabasoft Folio 2013 Fall Release
  • Fabasoft Folio 2014 Winter Release (fixed with Update Rollup 1 for Fabasoft Folio 2014 Winter Release)
  • Fabasoft Folio 2014 Spring Release

If you use Fabasoft IMAP Server in one of these listed versions, please contact Fabasoft Support to request a hotfix with an updated OpenSSL library.

Other parts of Fabasoft Folio / Fabasoft eGov-Suite also use OpenSSL, either statically or included in a Fabasoft binary, but only for internal service communication, not for communication between users and Fabasoft Folio / Fabasoft eGov-Suite. The risk from the OpenSSL security issue is therefore much lower in this area. Hotfixes with an updated OpenSSL library are available as listed above.

Fabasoft products potentially affected by a vulnerable operating system's OpenSSL library

Fabasoft products and components installed on Linux operating systems use the OpenSSL library of the operating system:

  • Fabasoft Folio and eGov-Suite Services running on Apache webserver with SSL (Web services, Conversion services, and so on)
  • Mindbreeze Enterprise Search Client Services and Management
  • Fabasoft app.telemetry Server
  • Fabasoft app.telemetry Agent

Fabasoft suggests updating all affected operating systems to the latest OpenSSL library. Fabasoft products installed under Microsoft Windows use the unaffected Microsoft SSL implementation.

Applies to

  • Fabasoft Folio 2012 Fall Release
  • Fabasoft Folio 2013 Winter Release
  • Fabasoft eGov-Suite 2013
  • Fabasoft Folio 2013 Spring Release
  • Fabasoft Folio 2013 Summer Release
  • Fabasoft Folio 2013 Fall Release
  • Fabasoft Folio 2014 Winter Release
  • Fabasoft Folio 2014 Spring Release