How we addressed Heartbleed

Since it was announced publicly on April 7, 2014, the Heartbleed bug (CVE-2014-0160) has caused quite a stir in IT circles. It is a missing bounds check in OpenSSL's TLS heartbeat extension that lets an unauthenticated peer read up to 64 KB of a server's process memory per request, which can include session keys, credentials and the server's private key. Some 60-70% of web-based applications are suspected to be, or to have been, at risk. The furor has even called into question the code quality of open source software (which is actually better than proprietary software overall; ref: here). We reacted quickly to the news about Heartbleed and determined that all currently shipping and supported versions of EM7 are not vulnerable.

Where is SSL used in EM7? It is used between the collectors and the CDB in conjunction with MySQL (both CU and MC components). As with a lot of open source software, there are a number of variants that allow us to choose the right mix of performance, function, and tried-and-true reliability. In 7.3.6.x and earlier versions we did not use OpenSSL but rather yaSSL, a separate implementation that does not contain the affected heartbeat code and is not vulnerable to Heartbleed. Starting in 7.5 we will be using OpenSSL, and as we readied the GA release we upgraded the MySQL version that ships with EM7 to the most current version, 5.6.18, whose bundled OpenSSL is 1.0.1g, the release that fixes the vulnerability.
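The distinction above (yaSSL not affected, OpenSSL 1.0.1 through 1.0.1f affected, 1.0.1g fixed) is the first thing to check on any host. The helper below is added here as an illustration and is not ScienceLogic's or EM7's own tooling: it classifies the text of `openssl version -a` against the affected upstream range and flags builds that may carry a distribution backport, since Debian, Ubuntu and RHEL patched the bug while still reporting 1.0.1e. The sample banners are constructed, and the build-date cutoff and the "check_package" outcome are heuristics assumed for the example; a version string is a screening step, and the definitive answer comes from the package changelog or a direct heartbeat test against the service.

```python
import re
from datetime import datetime

# Upstream OpenSSL releases carrying the vulnerable TLS heartbeat code
# (CVE-2014-0160): 1.0.1 through 1.0.1f, plus 1.0.2-beta1. Fixed in 1.0.1g
# and 1.0.2-beta2. The 0.9.8 and 1.0.0 branches never had the heartbeat
# extension, and non-OpenSSL stacks such as yaSSL are not affected.
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|dev))?", re.I)

# 'built on:' line printed by `openssl version -a`, e.g.
#   built on: Mon Apr  7 20:33:29 UTC 2014
BUILT_ON_RE = re.compile(
    r"built on:\s*(?:\w{3}\s+)?(\w{3})\s+(\d{1,2})\s+\d{1,2}:\d{2}:\d{2}\s+(?:\w+\s+)?(\d{4})")

# Date the fix was published. A distro build compiled on or after this date
# may carry a backported fix while still reporting an old upstream version.
# This cutoff is a heuristic assumed for the example, not a guarantee.
FIX_DATE = datetime(2014, 4, 7)


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, prerelease) from an OpenSSL banner,
    or None if the text does not name an OpenSSL version at all."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, fix, m.group(4).lower(), m.group(5)


def heartbleed_status(text):
    """Classify by upstream version string only:
    'not_openssl', 'not_affected', 'vulnerable' or 'patched'."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "not_openssl"          # yaSSL, GnuTLS, NSS, ...
    major, minor, fix, letter, pre = parsed
    branch = (major, minor, fix)
    if branch < (1, 0, 1):
        return "not_affected"         # heartbeat extension arrived in 1.0.1
    if branch == (1, 0, 1):
        # '' (plain 1.0.1) through 'f' are affected; 'g' and later are fixed
        return "vulnerable" if letter < "g" else "patched"
    if branch == (1, 0, 2):
        return "vulnerable" if pre == "beta1" else "patched"
    return "patched"


def build_date(text):
    """Extract the build date from `openssl version -a` output, or None."""
    m = BUILT_ON_RE.search(text)
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {m.group(2)} {m.group(3)}", "%b %d %Y")


def assess(text):
    """Combine version and build date. A build whose version string looks
    vulnerable but which was compiled on or after FIX_DATE may be a distro
    backport, so it is reported as 'check_package' rather than 'vulnerable'
    and must be confirmed against the package changelog or a live test."""
    status = heartbleed_status(text)
    if status != "vulnerable":
        return status
    built = build_date(text)
    if built is not None and built >= FIX_DATE:
        return "check_package"
    return "vulnerable"


# Constructed sample banners for the example (not captured from real hosts).
SAMPLES = {
    "yaSSL-backed MySQL": "MySQL built with yaSSL 2.3.0",
    "upstream 1.0.1f": "OpenSSL 1.0.1f 6 Jan 2014\nbuilt on: Mon Jan  6 17:32:05 2014",
    "upstream 1.0.1g": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 19:21:44 2014",
    "distro-patched 1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014",
    "old branch 1.0.0l": "OpenSSL 1.0.0l 6 Jan 2014",
    "1.0.2-beta1": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}


def main():
    for name, banner in SAMPLES.items():
        print(f"{name:24s} {assess(banner)}")


if __name__ == "__main__":
    main()
```

Run it against `openssl version -a` output collected from each host; anything reported as "vulnerable" or "check_package" needs the library upgraded or its package changelog confirmed, and any service that was ever exposed while vulnerable needs its keys rotated regardless of what the version string says now.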

Similarly, when we first learned of the vulnerability we also looked at our public-facing customer portal hosted here at ScienceLogic (portal.sciencelogic.com). The portal was vulnerable (like many websites). We immediately upgraded its OpenSSL to eliminate the vulnerability and, in keeping with best practice, re-keyed the ScienceLogic certificate: not just for the Support portal, but the wildcard certificate (*.sciencelogic.com) used by all of our web-based services, internally and with our partners. Re-keying matters because a vulnerable server can leak its private key from memory; patching alone does nothing about a key that may already have been copied, so the old certificate should also be revoked once the new one is in place.

Back to EM7 the product for a moment: keeping a strong security posture is a constant battle, but it is one we are committed to. An example of that commitment is the regular penetration testing of EM7 performed by an independent third party. This is "white hat" testing that we pay for to ensure EM7 always meets industry best practices, and customers can request a copy of the testing report. Additionally, we are in the final stages of JITC certification (http://jitc.fhu.disa.mil/), which enables our customers to offer an unparalleled security posture and one required by many US Federal Government agencies.
 