Important information about FirstSpirit in context of current openssl 1.0.1 security problem CVE-2014-0160

isenberg
I'm new here
0 0 304

Since April 8, 2014 a security problem within the library openssl 1.0.1 before 1.0.1g is publicly known which allows remote attackers to obtain sensitive information like private keys and passwords from any service using this version of the library. Openssl 0.9.8 and any other version before 1.0.1 is not affected. Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160        

FirstSpirit is not using openssl by itself and neither is the embedded Jetty Webserver. So if you are only using FirstSpirit and its internal Jetty Webserver, your system is safe. If you have seen "openssl" in our documentation, that is only used to manage https/ssl certificates which is safe with any version of openssl. If you are using Apache Tomcat without any external components like Apache httpd, then your system is also safe.

However, your FirstSpirit system can be compromised if external components used for the operation of the FirstSpirit Server are using openssl 1.0.1, i.e. Loadbalancers, Application Servers (Websphere and others), Web Servers (Apache httpd and others), VPN-Servers, Web Application Firewalls, Reverse Proxies. So you need to check which version of openssl your external components are using and install security updates from the specific vendors. Afterwards you need to create a new private https key and certificate as your current certificate might have been compromised.

Tags (1)
Version history
Last update:
‎04-09-2014 03:29 AM
Updated by: