KB - OpenSSL and BASIS Products
Publicity about the Heartbleed bug has led some to ask if running BASIS products makes their organization vulnerable to OpenSSL socket exploits. This KB outlines the extent to which BBj and (V)PRO/5 make use of OpenSSL in socket communications.
Testing indicates that using the 64-bit Windows ODBC Driver, installed with BBj version 13.13 or earlier, to connect to a remote BBj Services server over the Internet poses a small security risk. As a safeguard, BASIS recommends that users of the 64-bit Windows ODBC Driver upgrade to the 64-bit Windows ODBC Driver installed with BBj 13.14 to avoid even this small risk. For full details, see Windows ODBC Driver Vulnerability below.
BBj Vulnerability: None
BBj uses the Java implementation of some of the encryption algorithms that OpenSSL implements. BBj does not use OpenSSL libraries nor does BBj use OpenSSL socket connections, which is where the Heartbleed vulnerability is reported to exist. Customers using OpenSSL for any type of secure socket connections should address the Heartbleed vulnerability immediately, but BBj itself is not affected by Heartbleed.
(V)PRO/5 Vulnerability: None
While (V)PRO/5 uses OpenSSL libraries for secure sockets, it is not impacted by the Heartbleed bug because it ships with OpenSSL version 0.9.7d, a version that is unaffected by this bug.
Windows ODBC Driver Vulnerability: 64-bit Vulnerable
While the 32-bit Windows ODBC Driver shipped with BBj is not affected by Heartbleed, the 64-bit Windows ODBC Driver does use OpenSSL version 1.0.1c, which is vulnerable.
Using versions of BBj’s 64-bit Windows ODBC Driver earlier than BBj 13.14 to connect to a remote BBj Services server over the Internet poses a small risk of a security breach. Such an attack would be difficult to accomplish unless the client or the server was using a very insecure Internet connection, such as a public Wi-Fi hotspot. As a safeguard, BASIS recommends upgrading to BBj 13.14’s new 64-bit Windows ODBC Driver to avoid even this small risk. If you are unable to upgrade to BBj 13.14 at this time, download and install the new driver as instructed in Heartbleed Fix for 64-bit Windows ODBC Driver.
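Since the only question this KB answers for each product is which OpenSSL version it links against, the practical follow-up is an inventory check. The following Python is an added example, not BASIS code: it parses OpenSSL version strings and flags those in the Heartbleed-affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g), then runs a constructed inventory through it. The 1.0.1g entry is a hypothetical patched build, not a statement of what BBj 13.14 ships.

```python
import re
from typing import NamedTuple

class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str   # patch letter, e.g. "d" in 0.9.7d ("" when absent)
    suffix: str   # pre-release tag, e.g. "beta1" in 1.0.2-beta1 ("" when absent)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?$")

def parse_openssl_version(text: str) -> OpenSSLVersion:
    """Parse strings such as '0.9.7d', '1.0.1c', '1.0.1g' or '1.0.2-beta1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch, letter, suffix = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(patch), letter, suffix or "")

def is_heartbleed_affected(text: str) -> bool:
    """CVE-2014-0160: the 1.0.1 branch up to and including 1.0.1f, plus 1.0.2-beta1.
    Older branches (0.9.x, 1.0.0) never contained the TLS heartbeat code.
    Pre-release builds of 1.0.1 are conservatively treated as affected."""
    v = parse_openssl_version(text)
    if (v.major, v.minor, v.patch) == (1, 0, 1):
        return v.letter <= "f"          # "" <= "f" also covers plain 1.0.1
    if (v.major, v.minor, v.patch) == (1, 0, 2):
        return v.suffix == "beta1"
    return False

# Constructed sample inventory mirroring the products this KB describes.
SAMPLE_INVENTORY = {
    "(V)PRO/5": "0.9.7d",
    "64-bit Windows ODBC Driver (BBj 13.13 or earlier)": "1.0.1c",
    "64-bit Windows ODBC Driver (hypothetical 1.0.1g build)": "1.0.1g",
}

def affected_products(inventory: dict) -> list:
    """Return the inventory entries whose OpenSSL version is Heartbleed-affected."""
    return sorted(name for name, ver in inventory.items() if is_heartbleed_affected(ver))

if __name__ == "__main__":
    for name in affected_products(SAMPLE_INVENTORY):
        print(f"UPGRADE REQUIRED: {name} ({SAMPLE_INVENTORY[name]})")
```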