XAP and the Heartbleed Vulnerability

The Heartbleed security vulnerability (CVE-2014-0160) was in the news this week. It’s being described as one of the biggest threats in the Internet’s history. The good news is that it can’t affect any of XAP’s products.

Heartbleed is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f. It is called the “Heartbleed” bug because it occurs in the heartbeat extension for OpenSSL. This vulnerability allows an attacker to read up to 64KB of heap memory from the victim without any privileged information or credentials. In short, OpenSSL’s heartbeat processing functions use an attacker-controlled length when copying data into heartbeat responses. This allows attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users.
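The length handling described above, sketched as an added example (this is not OpenSSL's code and not part of the original post): a heartbeat handler that validates the claimed payload length against the bytes actually received before copying. The function name, constants and sample records are assumptions made for illustration; the message layout follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat message types from RFC 6520 */
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1-byte type + 2-byte payload length */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Hypothetical handler. rec/rec_len is the heartbeat record as received.
 * Returns the response length written to out, or 0 to silently discard. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;                      /* too short or not a request */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2]; /* peer-controlled */

    /* The check the affected versions lacked: header, claimed payload and
     * padding must fit inside the bytes that really arrived. Without it,
     * the memcpy below would read past rec into adjacent heap memory. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;

    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING); /* random in practice */
    return resp_len;
}

/* Constructed samples: an honest 4-byte payload, and the same 4 bytes
 * sent with a claimed payload length of 0x4000. */
static const uint8_t hb_sample_ok[23]  = {HB_REQUEST, 0x00, 0x04, 'p','i','n','g'};
static const uint8_t hb_sample_bad[23] = {HB_REQUEST, 0x40, 0x00, 'p','i','n','g'};

int main(void)
{
    uint8_t out[64];
    printf("honest record   -> %zu bytes\n", hb_build_response(hb_sample_ok, sizeof hb_sample_ok, out, sizeof out));
    printf("inflated length -> %zu bytes\n", hb_build_response(hb_sample_bad, sizeof hb_sample_bad, out, sizeof out));
    return 0;
}
```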

After going over all of our infrastructure devices and servers, which include both Windows and Linux servers, XAP has confirmed that we do not use OpenSSL code anywhere on any of our servers. The only devices that have OpenSSL implemented are the load balancers, and their OpenSSL version is 0.9.7e, which is not affected by this vulnerability.

XAP is proud to declare that we are NOT AFFECTED by CVE-2014-0160.
