Is OFBiz vulnerable to the heartbleed problem in openssl?


Ted Byers
The subject says it all, or rather asks it all.  Does the application
server it is distributed with use openssl, and if so, is the version
vulnerable to heartbleed?  And, if it is too old to be vulnerable, what
other exploits is it vulnerable to?  What would be required to
eliminate that vulnerability?

I have patched my OpenSuse systems so that the system openssl is no
longer vulnerable, but I wouldn't know how to ensure ofbiz uses that.
I have already patched all the servers I use for heartbleed (a couple
days' work), so now I turn my attention to this.

Thanks

Ted

--
R.E.(Ted) Byers, Ph.D.,Ed.D.

Re: Is OFBiz vulnerable to the heartbleed problem in openssl?

Jacques Le Roux
Administrator
Not OOTB,

From searching on the net for "tomcat heartbleed", we don't use the APR (which uses OpenSSL) OOTB.

A means to check your instances:

If you have something like that in your console.log

[java] INFO: Initializing ProtocolHandler ["http-bio-0.0.0.0-8443"]

Then you are safe and have nothing to do.

https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Jacques

On 12/04/2014 04:27, Ted Byers wrote:

> The subject says it all, or rather asks it all.  Does the application
> server it is distributed with use openssl, and if so, is the version
> vulnerable to heartbleed?  And, if it is too old to be vulnerable, what
> other exploits is it vulnerable to?  What would be required to
> eliminate that vulnerability?
>
> I have patched my OpenSuse systems so that the system openssl is no
> longer vulnerable, but I wouldn't know how to ensure ofbiz uses that.
> I have already patched all the servers I use for heartbleed (a couple
> days' work), so now I turn my attention to this.
>
> Thanks
>
> Ted
>

--
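
One way to script the console.log check described in the reply above, as an added example that is not part of the original thread or of OFBiz. It assumes Tomcat 7's connector naming (`http-bio-*` and `http-nio-*` for the JSSE connectors, `http-apr-*` for the APR/native connector); the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Tomcat connectors by the ProtocolHandler names in a log.

# Print "<class> <handler>" for each distinct handler initialised in log file $1.
classify_connectors() {
    sed -n 's/.*Initializing ProtocolHandler \["\([^"]*\)"].*/\1/p' "$1" |
    sort -u |
    while IFS= read -r name; do
        case "$name" in
            http-apr-*)            echo "APR $name" ;;   # tomcat-native, TLS via OpenSSL
            http-bio-*|http-nio-*) echo "JSSE $name" ;;  # Java TLS stack, no OpenSSL
            *)                     echo "OTHER $name" ;; # e.g. AJP, review by hand
        esac
    done
}

# Succeed (exit 0) if any HTTP connector in log file $1 is APR-based.
uses_apr() {
    classify_connectors "$1" | grep -q '^APR '
}

# Constructed sample log lines (not taken from a real OFBiz instance).
sample_log() {
    cat <<'EOF'
[java] INFO: Initializing ProtocolHandler ["http-bio-0.0.0.0-8443"]
[java] INFO: Initializing ProtocolHandler ["http-bio-0.0.0.0-8080"]
[java] INFO: Starting ProtocolHandler ["http-bio-0.0.0.0-8443"]
[java] INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
EOF
}

log=$(mktemp)
sample_log > "$log"
classify_connectors "$log"
if uses_apr "$log"; then
    echo "APR connector present: check the OpenSSL version tomcat-native links against"
else
    echo "No APR connector: TLS is handled by JSSE"
fi
rm -f "$log"
```

Point `classify_connectors` at the instance's own console.log; any `APR` line means the OpenSSL library loaded by tomcat-native, not only the system package, has to be checked.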