Just yesterday (April 7, 2014), the OpenSSL project, maintainers of a widely used SSL/TLS and cryptographic library, disclosed a vulnerability (CVE-2014-0160) that has been nicknamed "Heartbleed". The defect is in OpenSSL's handling of the TLS heartbeat extension (hence the name): the server trusts the payload length claimed in an incoming heartbeat request without checking it against the size of the record that actually arrived, so it copies memory past the end of the request into its reply. The result is a buffer over-read that lets an attacker read up to 64 KB of the process's memory per request, and nothing prevents the attacker from repeating the request to read more. The flaw affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g contains the fix, and the 0.9.8 and 1.0.0 branches do not include the affected code. The site linked above provides a great description of the issue. Based on the extensive coverage this has garnered over the last day, it's clear that this is a serious vulnerability. We have investigated and determined that neither WebSphere Application Server (including IBM HTTP Server) nor WebSphere Commerce is affected by this issue.
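To make the defect concrete, here is an added example that is not code from the original post and not OpenSSL's own source: a small C model of the heartbeat handler before and after the bounds check, with the fixed version modelled on the two length checks that shipped in 1.0.1g. The 23-byte request, the adjacent `SECRET` string, the single-allocation "arena" that stands in for the heap, and the `probe` helper are all constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1   /* heartbeat message types, RFC 6520 */
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16  /* padding length OpenSSL appended to every response */

struct hb_result {
    unsigned char *resp;     /* malloc'd response, or NULL if the record was discarded */
    size_t resp_len;
};

/* Shared by both handlers: echo `payload` bytes from `pl` in a response message.
 * Whether `pl` really holds that many bytes is the caller's problem. */
static struct hb_result build_response(unsigned int payload, const unsigned char *pl)
{
    struct hb_result r;
    r.resp_len = 1 + 2 + payload + HB_PADDING;
    r.resp = malloc(r.resp_len);
    r.resp[0] = TLS1_HB_RESPONSE;
    r.resp[1] = (unsigned char)(payload >> 8);     /* s2n(payload, bp) */
    r.resp[2] = (unsigned char)(payload & 0xff);
    memcpy(r.resp + 3, pl, payload);               /* over-read if payload was a lie */
    memset(r.resp + 3 + payload, 0, HB_PADDING);   /* OpenSSL used random bytes here */
    return r;
}

/* Unpatched: the attacker-supplied payload_length is trusted; rec_len, the number
 * of bytes that actually arrived, is never consulted. */
static struct hb_result heartbeat_vulnerable(const unsigned char *rec, size_t rec_len)
{
    struct hb_result none = {NULL, 0};
    (void)rec_len;                                 /* the bug: unused */
    unsigned int payload = (unsigned int)(rec[1] << 8 | rec[2]);   /* n2s(p, payload) */
    if (rec[0] != TLS1_HB_REQUEST)
        return none;
    return build_response(payload, rec + 3);
}

/* Patched: reject records too short for header + padding, then reject any
 * claimed payload that does not fit in what arrived (as 1.0.1g does). */
static struct hb_result heartbeat_fixed(const unsigned char *rec, size_t rec_len)
{
    struct hb_result none = {NULL, 0};
    if (1 + 2 + HB_PADDING > rec_len)
        return none;
    unsigned int payload = (unsigned int)(rec[1] << 8 | rec[2]);
    if (1 + 2 + payload + HB_PADDING > rec_len || rec[0] != TLS1_HB_REQUEST)
        return none;
    return build_response(payload, rec + 3);
}

/* Constructed "heap": a genuine 23-byte request (4-byte payload "ping" + 16 bytes
 * padding) followed directly by unrelated process data, standing in for the keys
 * and cookies that sat next to real records. One allocation holds both, so the
 * demonstration itself stays within defined behaviour. */
static const char SECRET[] = "session=deadbeef";

static unsigned char *build_arena(uint16_t claimed_len, size_t *rec_len, size_t *arena_len)
{
    *rec_len = 1 + 2 + 4 + HB_PADDING;                   /* bytes actually received */
    *arena_len = *rec_len + sizeof SECRET + 64;          /* 64 bytes of slack after SECRET */
    unsigned char *a = calloc(*arena_len, 1);
    a[0] = TLS1_HB_REQUEST;
    a[1] = (unsigned char)(claimed_len >> 8);            /* attacker-chosen length */
    a[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(a + 3, "ping", 4);                            /* a[7..22] is zero padding */
    memcpy(a + *rec_len, SECRET, sizeof SECRET);         /* adjacent memory */
    return a;
}

typedef struct hb_result (*hb_handler)(const unsigned char *, size_t);

/* Send one request with the given claimed payload length. Returns 1 if the
 * response contains SECRET, 0 if not, -1 if the record was discarded (or
 * claimed_len is too large for this model's arena). */
static int probe(hb_handler handler, uint16_t claimed_len)
{
    size_t rec_len, arena_len, n = strlen(SECRET);
    unsigned char *arena = build_arena(claimed_len, &rec_len, &arena_len);
    int result = -1;
    if (3 + (size_t)claimed_len <= arena_len) {
        struct hb_result r = handler(arena, rec_len);
        if (r.resp) {
            result = 0;
            for (size_t i = 3; i + n <= r.resp_len; i++)
                if (memcmp(r.resp + i, SECRET, n) == 0) { result = 1; break; }
            free(r.resp);
        }
    }
    free(arena);
    return result;
}

int main(void)
{
    printf("vulnerable, claimed 48: %d  (1 = SECRET leaked)\n", probe(heartbeat_vulnerable, 48));
    printf("fixed, claimed 48:      %d  (-1 = discarded)\n", probe(heartbeat_fixed, 48));
    printf("fixed, honest 4:        %d  (0 = answered, nothing leaked)\n", probe(heartbeat_fixed, 4));
    return 0;
}
```

The vulnerable handler answers a request that claims 48 payload bytes by copying 48 bytes starting at the request's payload, and the constructed `SECRET` that sits just past the real 23-byte record comes back in the reply; the fixed handler discards the same request because 1 + 2 + 48 + 16 exceeds the bytes received, while an honest 4-byte request is still answered. In the real bug the attacker-controlled field is 16 bits, which is where the 64 KB per request ceiling comes from.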
See the official WebSphere Application Server Flash here and our own WebSphere Commerce Flash here for statements regarding the Heartbleed vulnerability.
In my last post, Stay ahead of the attackers, I described how to keep up to date with Security Bulletins for vulnerabilities that affect IBM products. I also mentioned that it's important to stay on watch for newly reported vulnerabilities in the rest of your environment's stack. Heartbleed is a case in point: a defect in a TLS library, rather than in the application server or the application itself, is enough to give an attacker an entry point, so it's important to try to stay on top of every component you run.