The Heartbleed security vulnerability (CVE-2014-0160) was in the news this week. It’s being described as one of the biggest threats in the Internet’s history. The good news is that it can’t affect any of XAP’s products.
Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f. It is called the “Heartbleed” bug because it occurs in the heartbeat extension in OpenSSL. The vulnerability allows an attacker to read up to 64 KB of heap memory from the victim without any privileged information or credentials. In short, OpenSSL’s heartbeat processing functions use an attacker-controlled length when copying data into heartbeat responses. This allows attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users.
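The missing length check described above, shown as an added example (not OpenSSL's code and not from XAP). The function names, constants and the sample request are hypothetical; the message layout (1-byte type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1u
#define HB_RESPONSE 2u
#define HB_HEADER   3u   /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_PADDING  16u  /* minimum padding required by RFC 6520 */

/* Build a heartbeat response for a received message `msg` of `msg_len`
 * bytes. Returns the response length, or 0 when the message is discarded. */
size_t hb_build_response(const uint8_t *msg, size_t msg_len,
                         uint8_t *out, size_t out_cap)
{
    if (msg_len < HB_HEADER + HB_PADDING || msg[0] != HB_REQUEST)
        return 0;                       /* malformed or not a request */

    /* payload_length is supplied by the peer and cannot be trusted. */
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];

    /* The bounds check: the claimed payload plus header and padding must fit
     * inside the bytes actually received. Without it, the memcpy below reads
     * past the request into adjacent heap memory. */
    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > msg_len || resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER, msg + HB_HEADER, claimed);
    /* Zero padding keeps the example short; real padding is random. */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);
    return resp_len;
}

/* Constructed sample: a request that really carries the 5-byte payload
 * "hello" plus 16 padding bytes (24 bytes total), with its length field
 * set to `claimed_len`. Returns what hb_build_response() returns. */
size_t hb_demo(uint16_t claimed_len)
{
    uint8_t msg[HB_HEADER + 5 + HB_PADDING] = { HB_REQUEST };
    uint8_t out[64];

    msg[1] = (uint8_t)(claimed_len >> 8);
    msg[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(msg + HB_HEADER, "hello", 5);
    return hb_build_response(msg, sizeof msg, out, sizeof out);
}
```

An honest length field yields a response the same size as the request, while any length that claims more payload than was received causes the message to be dropped.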
After going over all of our infrastructure devices and servers, which include both Windows and Linux servers, XAP has confirmed that we do not use OpenSSL code on any of our servers. The only devices that have OpenSSL implemented are the load balancers, and their OpenSSL version is 0.9.7e, which is immune to this vulnerability.
XAP is proud to declare that we are NOT AFFECTED by CVE-2014-0160.