Yuval Pecht

Product Update: Samanage position on the OpenSSL ("Heartbleed") vulnerability

Discussion created by Yuval Pecht Employee on Apr 10, 2014

As some of you may know, CVE-2014-0160 (“Heartbleed”) announced a vulnerability in certain versions of OpenSSL. Samanage uses OpenSSL in its platforms.


A little explanation from the site:


The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).


The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.


We take the security of our software and your data very seriously.


The Samanage team immediately began investigating the level of potential risk and have determined in conjunction with our infrastructure partners that the infrastructure supporting the Samanage app uses stacks of OpenSSL which are not vulnerable to this exploit. The Heartbleed vulnerability affects the 1.0.1 and 1.0.2 branches of OpenSSL, whereas our app is reliant on stacks that use stable versions on 0.9.8y and 1.0.0j which are not included in this issue.


What this means to you - the Samanage user?


There is nothing you need to change or do when using the Samanage app.


If you are worried about the security of your data on other websites, such as financial institutions or social media, we advise you to take the following security precautions:


Log out of any site currently using “HTTPS” in the URL/web address. This includes banks, Google’s Gmail, Facebook and others.


Clear your cache and cookies for your browser.


Here Are Directions:


Google Chrome: https://support.google.com/accounts/answer/32050?hl=en


Mozilla Firefox: https://support.mozilla.org/en-US/kb/how-clear-firefox-cache


Microsoft Internet Explorer: https://kb.wisc.edu/page.php?id=15141


Apple Safari: http://support.apple.com/kb/ph11920


http://support.apple.com/kb/ph11920For this reason, it is important to do the following:


1) Log out of any sites that you stay logged into.


2) Clear all of your browser cache and cookie information.


3) Log back in to every site that you logged out of.


Change any passwords for any site that contains sensitive personal information such as your identity or financial information. Strong passwords will further mitigate this vulnerability.


If you’d like to check websites you visit to see if they have fixed their security vulnerabilities, Qualsys SSL Labs added a testing service. This service does see some high traffic, but you can get more information about your the sites you are looking at.


The URL is https://www.ssllabs.com/ssltest/analyze.html


If a domain has multiple IP addresses, you can select a specific server. Otherwise, you will get an SSL Report. This report may take some time to generate as it attempts to check all known attack vectors.


Samanage is dedicated to resolving security issues promptly, while remaining open and honest with our customers. Please check back often and if you require assistance please contact support@samanage.com


At your service,


The Samanage Team