How to Upgrade OpenSSL to a Patched Version – Heartbleed Vulnerability

As you probably have heard already, a new OpenSSL vulnerability (called “Heartbleed” ) was recently found. A bounds checking bug made it possible for an attacker to exploit the SSL heartbeat functionality to uncover sensitive data from the web server process memory. xkcd’s Randall Munroe did a wonderful job explaining it here: http://xkcd.com/1354/

While indeni does utilize SSL both as its internal communication protocol and the web application, it is NOT vulnerable to the Heartbleed bug as indeni uses Java’s implementation of SSL and not the open source OpenSSL library, in which the bug was found.

indeni provides its own operating system installation – based on the excellent CentOS Linux. Two major versions of CentOS are in use by indeni as of today: A CentOS 5.3 based indeni which is using OpenSSL 0.9.8 and is not vulnerable, and a newer CentOS 6.5 based indeni which has OpenSSL 1.0.1 which is vulnerable to Heartbleed.

However, Heartbleed attack is possible only if a HTTPS server is relying on OpenSSL to provide the SSL heartbeat functionality. indeni does not use this functionality in any way and you don’t have to do anything to protect yourself against Heartbleed attacks.

If you would like to upgrade OpenSSL to a patched version in any case, please contact our support and we will be happy to guide you through this process – support@indeni.com.