Take Heart, ManageEngine Products Are Not Vulnerable to The Heartbleed Bug
By now, you've probably been swamped by numerous advisories from various vendors on the ‘Heartbleed bug,’ and now here comes one from ManageEngine. However, you can take heart: all but one of our products are immune to the Heartbleed bug. Except for the most recent version of Desktop Central, build 90000, no ManageEngine product is vulnerable.
The Heartbleed bug, the flaw in OpenSSL's TLS implementation, is perhaps the biggest vulnerability in Internet history and has sent panic waves throughout IT and consumer communities alike. Naturally, you should be concerned, and we want to reassure you. To that end, here are the details.
ManageEngine products are not vulnerable to the Heartbleed bug because:
- ManageEngine products do not use OpenSSL libraries. At the most, some products come with SSL certificates generated using OpenSSL. The Heartbleed bug only affects TLS connections that enable Heartbeats, not other parts of OpenSSL such as key generation, certificate signing, generating digests, random bytes generation, etc.
- The underlying modules of our products run on Tomcat web servers using the BIO and NIO connectors. These connectors use JSSE for SSL, whereas only the APR/native connector uses OpenSSL. Our products' underlying modules do not use the APR/native connector.
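The connector distinction above is checkable from a Tomcat server.xml. The following script is an added example (not ManageEngine's or Tomcat's own code) that classifies each <Connector> by the SSL stack it would use: the explicit BIO/NIO protocol classes map to JSSE, the explicit APR protocol class maps to OpenSSL, and the generic protocol="HTTP/1.1" is ambiguous because Tomcat 6/7 auto-switch it to the APR/native connector when the tomcat-native library is loaded through AprLifecycleListener. The sample server.xml is constructed for the example; the listener check only shows that native loading is configured, not that the library is actually present at runtime, and Tomcat 8.5 and later can additionally route NIO connectors through OpenSSL, so this check is specific to the Tomcat generation discussed in the post.

```python
"""Classify Tomcat HTTPS connectors in a server.xml by the SSL stack they use."""
import xml.etree.ElementTree as ET

# Protocol class names used by Tomcat 6/7 connectors (real identifiers).
JSSE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",     # BIO connector: Java SSL (JSSE)
    "org.apache.coyote.http11.Http11NioProtocol",  # NIO connector: Java SSL (JSSE)
}
APR_PROTOCOLS = {
    "org.apache.coyote.http11.Http11AprProtocol",  # APR/native connector: OpenSSL
}
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"


def classify_connector(attrs, apr_listener_present):
    """Return (stack, reason) for one <Connector>'s attributes.

    stack is "jsse", "openssl", "not-ssl" or "unknown".
    """
    # Only SSLEnabled="true" makes the connector terminate SSL itself;
    # secure="true" alone just flags requests as secure (e.g. behind a proxy).
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return "not-ssl", "connector does not terminate SSL"
    proto = attrs.get("protocol", "HTTP/1.1")
    if proto in APR_PROTOCOLS:
        return "openssl", "APR/native connector selected explicitly"
    if proto in JSSE_PROTOCOLS:
        return "jsse", "Java BIO/NIO connector selected explicitly"
    if proto == "HTTP/1.1":
        # Tomcat 6/7 auto-switch the generic connector to APR/native when the
        # native library is loaded; treat a configured listener as "may use OpenSSL".
        if apr_listener_present:
            return "openssl", "generic HTTP/1.1 connector auto-switches to APR when tomcat-native loads"
        return "jsse", "generic HTTP/1.1 connector falls back to BIO/NIO without tomcat-native"
    return "unknown", "unrecognised protocol %r" % proto


def audit_server_xml(xml_text):
    """Return a list of {port, stack, reason} dicts, one per <Connector>."""
    root = ET.fromstring(xml_text)
    apr_listener_present = any(
        lst.get("className") == APR_LISTENER
        and lst.get("SSLEngine", "on").lower() == "on"   # SSLEngine defaults to "on"
        for lst in root.iter("Listener")
    )
    findings = []
    for conn in root.iter("Connector"):
        stack, reason = classify_connector(conn.attrib, apr_listener_present)
        findings.append({"port": conn.get("port"), "stack": stack, "reason": reason})
    return findings


# Constructed sample server.xml mixing all four connector situations.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/keystore"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" SSLCertificateFile="conf/server.crt"/>
    <Connector port="10443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/keystore"/>
  </Service>
</Server>
"""


def stacks_by_port(xml_text):
    """Convenience view: {port: stack}."""
    return {f["port"]: f["stack"] for f in audit_server_xml(xml_text)}


if __name__ == "__main__":
    for f in audit_server_xml(SAMPLE_SERVER_XML):
        print("port %-6s %-8s %s" % (f["port"], f["stack"], f["reason"]))
```

Any connector reported as "openssl" is the one whose OpenSSL build needs checking; a "jsse" connector is outside Heartbleed's scope regardless of which OpenSSL happens to be installed on the host, which is the point the post makes.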
For the affected Desktop Central build 90000:
- Details: https://forums.manageengine.com/topic/heartbleed-vulnerability-desktop-central-security-advisory
- Steps to fix the vulnerability: http://www.manageengine.com/products/desktop-central/heartbleed-fix.html?forum
General Information
If you are wondering what this Heartbleed bug is all about, this is for you:
It's a bug in OpenSSL's TLS implementation, a software library used to secure the transmission of private information. The bug is a memory disclosure flaw that can potentially expose server keys and could let attackers read private computer memory handled by OpenSSL, paving the way to the theft of private information. It is indeed a very serious vulnerability.
How to diagnose if your systems are vulnerable:
To diagnose if your systems are vulnerable to the Heartbleed bug, please refer to this external post.
How to fix systems that are vulnerable to Heartbleed:
If you find any of your systems vulnerable to the Heartbleed bug, the steps typically involved in fixing a system include:
- Patching vulnerable systems with OpenSSL 1.0.1g
- Regenerating new private keys
- Submitting a new CSR to your CA
- Obtaining and installing the new signed certificate
- Revoking old certificates
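The first step, patching to OpenSSL 1.0.1g, is the one most often verified by reading `openssl version`. The following added example (not ManageEngine's code) parses that banner and returns a verdict, going slightly beyond the post by covering the whole affected range as published by the OpenSSL project: 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable, 1.0.1g and later are fixed, and the 1.0.0 and 0.9.8 branches never contained the heartbeat code. The banner strings below are constructed inputs.

```python
"""Classify an `openssl version` banner for Heartbleed exposure."""
import re

# Matches e.g. "OpenSSL 1.0.1g 7 Apr 2014" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([\w.]+))?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, suffix) or None if not an OpenSSL banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter, suffix or ""


def heartbleed_status(banner):
    """Return 'vulnerable', 'fixed', 'not-affected' or 'unknown'.

    'vulnerable' means the upstream version string is in the affected range.
    Distribution packages with a backported fix keep the old string (a patched
    1.0.1e still prints 1.0.1e), so confirm such a verdict against the package
    changelog rather than trusting the banner alone.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, letter, suffix = parsed
    branch = (major, minor, patch)
    if branch < (1, 0, 1):
        return "not-affected"          # heartbeat extension only arrived in 1.0.1
    if branch == (1, 0, 1):
        # "" (plain 1.0.1) and letters a-f are vulnerable; g and later are fixed.
        return "vulnerable" if letter < "g" else "fixed"
    if branch == (1, 0, 2) and suffix == "beta1":
        return "vulnerable"            # fixed in 1.0.2-beta2
    return "fixed"


# Constructed sample banners as `openssl version` would print them.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "LibreSSL 2.0.0",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print("%-32s %s" % (b, heartbleed_status(b)))
```

A "fixed" verdict only closes the first item on the list above: if a host ran a vulnerable build while exposed, its keys may already have been read, so the remaining steps (new keys, new CSR, new certificate, revocation of the old one) still apply after the upgrade.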
We reassure you that you are quite safe with ManageEngine and don't need to worry about the Heartbleed bug. Regardless, if you would like any assistance or clarifications, please do write to our support teams.
Thanks, Bala