Not OOTB,
From searching on the net for "tomcat heartbleed" we don't use the APR (which uses Open SSL) OOTB
A mean to check your instances:
If you have something like that in your console.log
[java] INFO: Initializing ProtocolHandler ["http-bio-0.0.0.0-8443"]
Then you are safe and have nothing to do
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_SupportJacques
Le 12/04/2014 04:27, Ted Byers a écrit :
> The subject says it all, or rather asks it all. Does the application
> server it is distributed with use openssl, and if so, is the version
> vulnerable to heartbleed? And, if it is to old to be vulnerable, what
> other exploits is it vulnerable to? What would be required to
> eliminate that vulnerability?
>
> I have patched my OpenSuse systems so that the system openssl is no
> longer vulnerable, but I wouldn't know how to ensure ofbiz uses that.
> I have already patched all the servers I use for heartbleed (a couple
> days' work), so now I turn my attention to this.
>
> Thanks
>
> Ted
>
--