Hardening Site Security – Is WebSphere Commerce affected by “Heartbleed”?
Just yesterday (April 7, 2014), OpenSSL, a popular SSL, TLS, and cryptographic library, disclosed a vulnerability that has been nicknamed “Heartbleed”. The vulnerability stems from a defect in the handling of the TLS heartbeat extension (hence the name) that causes a buffer over-read, allowing an attacker to read up to 64k of memory at a time. The site (link above) provides a great description of the issue. Based on the extensive coverage this has garnered over the last day, it's clear that this is a serious vulnerability. We have investigated and determined that neither WebSphere Application Server (including IBM HTTP Server) nor WebSphere Commerce is affected by this issue.
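To make the over-read concrete, here is an added example that models a heartbeat handler with the length check whose absence caused the bug. It is constructed for this post and is not OpenSSL's or IBM's code; the record layout follows RFC 6520, and the function and constant names are my own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record (RFC 6520 layout):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 * Teaching example only; this is not OpenSSL's or IBM's code. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Hardened handler: returns the number of response bytes written, or -1 if
 * the record is malformed. The check marked (*) is the one whose absence
 * caused Heartbleed: the peer's claimed payload_length was trusted, so up to
 * 64k of whatever followed the record in memory was copied into the reply. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* (*) payload plus mandatory padding must fit inside the bytes actually
     * received; a record that merely claims a large length is rejected. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len) return -1;
    size_t out_len = 1 + 2 + payload_len + HB_MIN_PADDING;
    if (out_len > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);            /* echo only what was sent */
    memset(resp + 3 + payload_len, 0, HB_MIN_PADDING); /* padding (random in real TLS) */
    return (int)out_len;
}

int main(void)
{
    uint8_t resp[64];
    /* well-formed request: 4-byte payload "ping" plus 16 bytes of padding */
    uint8_t good[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    /* same 23 bytes on the wire, but payload_length claims 65535 */
    uint8_t bad[23]  = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
    printf("good record -> %d response bytes\n",
           heartbeat_respond(good, sizeof good, resp, sizeof resp)); /* 23 */
    printf("bad record  -> %d (rejected)\n",
           heartbeat_respond(bad, sizeof bad, resp, sizeof resp));   /* -1 */
    return 0;
}
```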
In my last post, Stay ahead of the attackers, I described how to keep up to date with Security Bulletins for vulnerabilities that affect IBM products. I also mentioned that it's important to stay on watch for newly reported vulnerabilities in the rest of your environment's stack. This vulnerability helps prove that there are many possible entry points for an attacker, and it's important to try to stay on top of all of them.