I want to take this post to summarize that "JBoss community projects including WildFly Application Server are not directly affected by the OpenSSL HeartBleed Vulnerability".
https://docs.jboss.org/jbossweb/2.1.x/apr.html
I have consulted the Red Hat Security Response Team before posting this note. We continue to monitor the situation.
Feel free to report any anomalies using http://www.jboss.org/security
We do recommend taking the appropriate precautions.
Please use the links in the references section for gauging indirect exposure to the HeartBleed vulnerability.
Indirect exposure may be possible:
Official OpenSSL Official Advisory: https://www.openssl.org/news/secadv_20140407.txt
HeartBleed Information: http://www.heartbleed.com
Red Hat Official Announcement: https://access.redhat.com/site/announcements/781953
CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Amazon Web Services Advisory: https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/
http://www.ubuntu.com/usn/usn-2165-1/
JBossWeb APR
JBossWeb APR functionality requires OpenSSL 0.9.7 or 0.9.8 which is not affected by this vulnerability.https://docs.jboss.org/jbossweb/2.1.x/apr.html
I have consulted the Red Hat Security Response Team before posting this note. We continue to monitor the situation.
Feel free to report any anomalies using http://www.jboss.org/security
We do recommend taking the appropriate precautions.
Please use the links in the references section for gauging indirect exposure to the HeartBleed vulnerability.
Indirect exposure may be possible:
- Maybe you have a web server in front of JBoss/WildFly Application Server that may be affected.
- Maybe your operating system on which the JBoss community projects are running may be affected.
- Maybe you have OpenSSL v1.0.1 used by your application infrastructure.
References
Please refer to the following articles for more information:Official OpenSSL Official Advisory: https://www.openssl.org/news/secadv_20140407.txt
HeartBleed Information: http://www.heartbleed.com
Red Hat Official Announcement: https://access.redhat.com/site/announcements/781953
CVE: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Amazon Web Services Advisory: https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/
Official Linux Distribution Pages
https://rhn.redhat.com/errata/RHSA-2014-0376.htmlhttp://www.ubuntu.com/usn/usn-2165-1/
No comments:
Post a Comment