Except the most recent version of Desktop Central (build 90000), no other ManageEngine product is vulnerable to the Heartbleed bug.

By now, you’ve probably been swamped by numerous advisories from various vendors on the ‘Heartbleed bug,’ and now, here comes one from ManageEngine. However, you can take heart: all but one of our ​products are immune to the Heartbleed bug. Except the most recent version of Desktop Central build 90000, no other ManageEngine product is vulnerable.

The ​Heartbleed bug, the flaw in OpenSSL’s TLS implementation, is perhaps the biggest vulnerability in Internet history and has​ sent panic waves throughout IT and consumer communities alike. Naturally, you should be concerned,  and we want to reassure you. To that end, here are the details.

ManageEngine products are not vulnerable to the Heartbleed bug because: 

  • ManageEngine products do not use OpenSSL libraries. At the most, some products come with SSL certificates generated using OpenSSL. The Heartbleed bug only affects TLS connections that enable Heartbeats, not other parts of OpenSSL such as key generation, certificate signing, generating digests, random bytes generation, etc.
  • The underlying modules of our products use ​Tomcat web servers where BIO and NIO connectors are used.  These connectors use JSSE SSL whereas the APR/native connector uses OpenSSL.  Our products’ underlying modules do not use the APR/native connector.

Bottom line, you need not worry about the security of ​the data you store in ManageEngine products. 

Heartbleed and ManageEngine: A Quick Summary

At the risk of being redundant, we hereby confirm that — except the most recent version of Desktop Central (build 90000) — no other ManageEngine product is vulnerable to the Heartbleed bug. And in the case of Desktop Central, all prior versions are NOT vulnerable.

Advisory for Desktop Central v 90000 Users 

  • Details: https://forums.manageengine.com/topic/heartbleed-vulnerability-desktop-central-security-advisory
  • Steps to fix the vulnerability: http://www.manageengine.com/products/desktop-central/heartbleed-fix.html?forum

Posts from Individual Products 

Visit the ​ManageEngine PitStop forums to see the posts from various ManageEngine product teams ​and read about their perspectives on the Heartbleed bug.

General Information

If you are wondering what this Heartbleed bug is all about, this is for you:

It’s a bug in OpenSSL’s TLS implementation, a software library used to secure the transmission of private information. The bug is actually a memory leak exploit that can potentially lead to the exposure of server keys and could help hackers reach the private computer memory handled by OpenSSL, paving the way ​to the theft of private information. It is indeed a very serious vulnerability.

How to diagnose if your systems are vulnerable:

To diagnose if your systems are vulnerable to the Heartbleed bug, please refer to this external post.

How to fix systems that are vulnerable to Heartbleed:

If you find any of your systems vulnerable to the Heartbleed bug, the steps typically involved in fixing a system include:

  1. Patching vulnerable systems with OpenSSL 1.0.1g
  2. Regenerating new private keys
  3. Submitting new CSR to your CA
  4. Obtaining and install new signed certificate
  5. Revoking old certificates

We reassure you that you are quite safe with ManageEngine and don’t need to worry about the Heartbleed bug. Regardless, if you would like any assistance or clarifications, please do ​write to our support teams.

Thanks,
Bala