Wednesday, April 16, 2014
The Heartbleed vulnerability reported in the news recently is a flaw in certain versions of the open-source OpenSSL library. OpenSSL implements the SSL/TLS protocols used to encrypt HTTPS and other network connections, and it is built into many commercial and open-source software products. The bug (CVE-2014-0160) is a missing bounds check in the TLS heartbeat extension: anyone on the Internet who can reach a service running a vulnerable OpenSSL can read chunks of that process's memory, which may contain private keys, session cookies and user credentials.
Clarification about Xerox DocuShare
- DocuShare does not ship with, and is not dependent on, any version of the OpenSSL package that is affected by the Heartbleed bug.
- DocuShare Cloud customers are not affected by the Heartbleed bug.
- DocuShare Client and Mobile Client do not ship with, and are not dependent on, any version of the OpenSSL package that is affected by the Heartbleed bug.
However, it is important for customers to determine if they have downloaded and installed versions of third-party components that contain a vulnerable version of OpenSSL that has then been integrated with DocuShare. Customers who have installed third-party components such as Apache or Nginx Web servers, or have reconfigured or recompiled the Tomcat server, should refer to the website of those vendors to confirm the version of OpenSSL installed on their machine is safe from the bug. Please see the links below for more information.
- Official Heartbleed site: http://heartbleed.com/
- NIST National Vulnerability Database entry: CVE-2014-0160
- OpenSSL Advisory: https://www.openssl.org/news/secadv_20140407.txt
These frequently asked questions about the Heartbleed bug provide more details:
Q. How does the Heartbleed bug relate to DocuShare architecture?
- DocuShare itself does not integrate OpenSSL and is therefore not vulnerable, by itself, to the risks of Heartbleed.
- For customers not using SSL with DocuShare, there is no Heartbleed exposure from DocuShare itself (other SSL-enabled software on the same system should still be checked).
- For customers using SSL on Microsoft Windows Server platforms, SSL is most frequently implemented using Microsoft Internet Information Services (IIS), a Web server that uses Microsoft's own SChannel TLS implementation rather than OpenSSL. Communication between IIS and DocuShare also does not use OpenSSL.
- Most customers running DocuShare on Solaris or Linux with SSL use the Apache Web server to implement SSL. Apache (via mod_ssl) and the Nginx Web server do not contain OpenSSL themselves; they link against the OpenSSL library installed on the system, and OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1) are vulnerable. If you run either Web server with SSL, confirm the installed OpenSSL version, upgrade to 1.0.1g or to a vendor-patched package if needed, restart the Web server, and then consider re-issuing the server's certificate and private key, since they may already have been disclosed.
- Other related system components may be at risk from the Heartbleed vulnerability: Linux distributions, mail servers, VPN interfaces, network appliances, proxy servers, and client-side software. While DocuShare may interface to or run on these platforms, they are not Xerox products. Appropriate measures should be taken to investigate and validate their security.
Q. What is Xerox's response to the Heartbleed vulnerability?
Xerox has thoroughly evaluated Xerox DocuShare and confirmed that it does not include OpenSSL, and does not ship with any version of OpenSSL that is vulnerable to Heartbleed. (Heartbleed is a software flaw in a library, not a virus; it does not spread on its own.)
Q. What customer actions are recommended?
If you have downloaded and installed third-party components such as Apache Web servers for use with DocuShare, refer to the official website of those vendors to confirm that the version of the OpenSSL library installed on your machine is safe. Please see the links above for more information.
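The following script is an added example, not part of the Xerox advisory or of DocuShare, showing one way to perform the version check recommended above and in the architecture answer for Apache or Nginx hosts. It classifies the string printed by `openssl version` against the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1 vulnerable; 1.0.1g and later fixed; 0.9.8 and 1.0.0 never had the heartbeat extension), then, if an openssl binary is present, reports the local version and build date and shows which libssl the Web server binaries are linked against. The function names and the binary paths are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not Xerox or DocuShare code): classify an OpenSSL version
# string against the Heartbleed-affected range, then inspect this machine.
#
# Affected per the OpenSSL advisory: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# Fixed in 1.0.1g. 0.9.8 and 1.0.0 never implemented the TLS heartbeat
# extension and are not affected.

# heartbleed_status "OpenSSL 1.0.1e 11 Feb 2013"
# Prints one of: not-affected | upstream-vulnerable | fixed | unknown
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.a-z-]*\).*/\1/p')
    case "$ver" in
        0.9.*|1.0.0*)                      echo not-affected ;;
        1.0.1|1.0.1[a-f]*)                 echo upstream-vulnerable ;;
        1.0.2-beta1)                       echo upstream-vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|[2-9].*)  echo fixed ;;
        *)                                 echo unknown ;;
    esac
}

# Show which libssl a dynamically linked server binary (httpd, nginx, ...)
# resolves to. A statically linked or bundled OpenSSL will not appear here;
# use `httpd -V` / `nginx -V` and the vendor's notes in that case.
linked_libssl() {
    ldd "$1" 2>/dev/null | awk '/libssl/ { print $3 }'
}

# Check the OpenSSL installed on this machine. Distribution packages often
# backport the fix without changing the version number (Debian and Ubuntu
# stayed at 1.0.1e), so "upstream-vulnerable" means "confirm against the
# package changelog or a build date on/after 7 Apr 2014", not a proven hole.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found; check the Web server's bundled library"
        return 0
    fi
    v=$(openssl version)
    echo "installed: $v"
    echo "built:     $(openssl version -b)"
    echo "status:    $(heartbleed_status "$v")"
}

check_local_openssl
# Assumed install paths for illustration; adjust to your host.
for bin in /usr/sbin/httpd /usr/sbin/apache2 /usr/sbin/nginx; do
    if [ -x "$bin" ]; then
        echo "$bin -> $(linked_libssl "$bin")"
    fi
done
```

Run it as root or as the account that owns the Web server so `ldd` can read the binaries. A "fixed" result for the system library does not clear a Web server that bundles its own OpenSSL, so compare the path printed by `linked_libssl` with the library the `openssl` binary itself uses.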
Q. Who do I call with any additional questions or concerns? As always, please contact Xerox DocuShare Support if you have any specific questions or concerns, at:
- Email - docushare.support@xerox.com
Solution Published: April 16th, 2014
Solution ID: 1478