JBossWeb APR

JBossWeb APR functionality requires OpenSSL 0.9.7 or 0.9.8, neither of which is affected by this vulnerability.
I have consulted the Red Hat Security Response Team before posting this note. We continue to monitor the situation.
Feel free to report any anomalies using http://www.jboss.org/security
We do recommend taking the appropriate precautions.
Please use the links in the references section for gauging indirect exposure to the HeartBleed vulnerability.
Indirect exposure may be possible:
- A web server in front of the JBoss/WildFly Application Server may be affected.
- The operating system on which the JBoss community projects are running may be affected.
- Your application infrastructure may use OpenSSL v1.0.1.
References

Please refer to the following articles for more information:
Official OpenSSL Advisory: https://www.openssl.org/news/secadv_20140407.txt
HeartBleed Information: http://www.heartbleed.com
Red Hat Official Announcement: https://access.redhat.com/site/announcements/781953
Amazon Web Services Advisory: https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/
Official Linux Distribution Pages: https://rhn.redhat.com/errata/RHSA-2014-0376.html