KB Article #175930

Heartbleed OpenSSL Vulnerability (CVE-2014-0160) does not affect any SecureTransport version

Problem

Is SecureTransport's OpenSSL implementation vulnerable to the "Heartbleed Bug" (CVE-2014-0160)?

Resolution

No SecureTransport version is vulnerable to CVE-2014-0160, the so-called "Heartbleed Bug" recently found in OpenSSL (more about the vulnerability: http://heartbleed.com/). The bug is in the TLS heartbeat extension code of OpenSSL 1.0.1 through 1.0.1f and is fixed in 1.0.1g; earlier branches such as 0.9.8 and 1.0.0 do not contain that code and are not affected. Axway's official news update regarding all Axway products can be found here.


SecureTransport 5.1.x   -   the bundled OpenSSL was compiled without heartbeat support, so the server never negotiates the heartbeat extension. This can be verified with an interactive s_client session, as in the example below. Run it from a machine whose OpenSSL client supports the heartbeat extension (1.0.1 or later; use the patched 1.0.1g of 7 Apr 2014 so that the client itself is not vulnerable); an older client such as 0.9.8 has no heartbeat support and cannot perform the test.

# openssl s_client -connect host:port

(after the handshake output ends with the "---" separator, press "B" without the quotes to send a heartbeat request)

---
B
HEARTBEATING
139673825290112:error:1413B16D:SSL routines:SSL_F_TLS1_HEARTBEAT:peer does not accept heartbearts:t1_lib.c:2540:
--

The error means the server did not accept the heartbeat extension during the handshake, so it never processes heartbeat requests and the Heartbleed code path is unreachable (the misspelling "heartbearts" is in OpenSSL's own error string, not a typo in this article). A vulnerable server would instead answer the "B" with a heartbeat response and s_client would print "read R BLOCK".

SecureTransport 5.2.x   -   does not use OpenSSL for TLS at all; it uses the Java 7 (SunJCE) libraries, which share no code with OpenSSL. SecureTransport 5.2.x does ship with an OpenSSL binary and libraries, but those are version 0.9.8e, a branch that predates the heartbeat extension and is therefore not affected.

NOTE: All versions prior to SecureTransport 5.1.x are also NOT vulnerable to this particular vulnerability.

In addition, third-party online checkers can test whether a given site is affected by the Heartbleed Bug, for example http://filippo.io/Heartbleed/. Such a checker exercises the live server rather than inspecting its software version, so use it only against hosts you are authorized to test.

IMPORTANT NOTE: http://filippo.io/Heartbleed/ is a third-party website; Axway neither owns it nor takes responsibility for any information it provides.