Security Update: Heartbleed Bug Vulnerability in OpenSSL

jason_vanzanten
New Contributor III

Earlier this week, you may have heard news about the Heartbleed Bug, which is a serious vulnerability in certain versions of the OpenSSL cryptographic software library. More information regarding the Heartbleed Bug can be found on the following website:

http://heartbleed.com

What versions of OpenSSL are vulnerable?
The Heartbleed Bug affects versions of OpenSSL starting with 1.0.1 up to and including 1.0.1f.

Are any JAMF Software products and services affected?
This vulnerability does not appear to affect Apple devices (OS X or iOS) and does not affect any of the following JAMF Software products:

  • JAMF Software Server (JSS) on OS X, Linux or Windows
  • jamf binary
  • Casper Suite applications, including: Casper Admin.app, Casper Imaging.app, Casper Remote.app, Composer.app, Recon.app, Recon.exe
  • JAMF Distribution Server (JDS) on OS X

The following JAMF Software services were confirmed to be relying on a vulnerable version of OpenSSL:

  • JAMF Nation
  • JAMF Cloud JSS Hosting
  • JAMF Distribution Server (JDS) on Linux
  • NetBoot/SUS Appliance OVA versions 2.0 and 3.0

What have we done to fix this issue?
All vulnerable services that are maintained by JAMF, including JAMF Nation and the JAMF Hosting infrastructure, have been updated to use the latest version of OpenSSL and new SSL certificates have been installed.

What do you need to do?
If you are using a JAMF Distribution Server (JDS) on a supported installation of Linux or utilizing a NetBoot/SUS Appliance version 2.0 or 3.0, we have determined that the version of OpenSSL used would be vulnerable. Information for vendor specific recommendations should be followed for updating OpenSSL as soon as possible:

Existing SSL certificates should also be replaced once a patched version of OpenSSL has been installed.

How can you stay informed on any new developments?
This post will be updated, as necessary, to include any new information.

There is also an existing discussion for you to share your results and insights:
https://jamfnation.jamfsoftware.com/discussion.html?id=10259

As you know, we take security seriously at JAMF Software. If you have any questions or concerns, please feel free to contact me directly by email at jason.vanzanten@jamfsoftware.com or by phone at (715) 563-7895.

Sincerely,

Jason Van Zanten

Information Security Specialist
(715) 563-7895
jason.vanzanten@jamfsoftware.com
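Two checks that follow from the advisory above and from the later discussion of Linux distribution points (Apache file share distribution points and the JDS on Linux). This is an added example, not code from the original post or from JAMF: it classifies an `openssl version` string against the affected range named in the post (1.0.1 through 1.0.1f), and, on Linux, finds daemons that still have the pre-upgrade libssl mapped in memory, which is how a server ends up reporting a patched version while Apache is still serving with the vulnerable library. The sample `/proc/PID/maps` lines embedded in the script are constructed, not captured from a real host; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original JAMF Nation post.
#   1. heartbleed_status   : classify an `openssl version` string against the
#                            affected range 1.0.1 .. 1.0.1f (CVE-2014-0160).
#   2. uses_deleted_libssl : detect a process (e.g. Apache on a JDS or file
#                            share distribution point) that still maps the
#                            OLD libssl after the package was replaced, i.e.
#                            a daemon that was never restarted after patching.

# Prints "vulnerable", "not-affected" or "unknown" for one version string,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 0.9.8y 5 Feb 2013".
# Caveat: distributions backport the fix without changing the upstream
# letter, so a patched distro package can still report 1.0.1e. Treat
# "vulnerable" from this function as "check the package changelog before
# trusting the string", not as proof either way.
heartbleed_status() {
    case "$1" in
        "OpenSSL 1.0.1 "*|"OpenSSL 1.0.1"[a-f]" "*|"OpenSSL 1.0.1"[a-f]-*)
            echo vulnerable ;;      # 1.0.1 through 1.0.1f, the range in the post
        "OpenSSL 1.0.1"[g-z]*)
            echo not-affected ;;    # 1.0.1g is the fixed upstream release
        "OpenSSL 0."*|"OpenSSL 1.0.0"*)
            echo not-affected ;;    # 0.9.8 and 1.0.0 branches are not affected
        *)
            echo unknown ;;         # anything else (e.g. 1.0.2 pre-releases): check upstream
    esac
}

# $1: the contents of a /proc/PID/maps file. Exits 0 if the process still
# maps a libssl that has been deleted/replaced on disk. That " (deleted)"
# suffix is what the kernel shows for a library upgraded underneath a
# running process, so the daemon must be restarted to pick up the fix.
uses_deleted_libssl() {
    printf '%s\n' "$1" | grep -q 'libssl\.so[^ ]* (deleted)$'
}

# Constructed sample maps lines (not from a real host) for demonstration:
# STALE_MAPS is what an Apache started before the upgrade would show,
# FRESH_MAPS is what it shows after a restart.
STALE_MAPS='7f2a1c000000-7f2a1c05e000 r-xp 00000000 08:01 131073 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f2a1c05e000-7f2a1c25d000 ---p 0005e000 08:01 131073 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'
FRESH_MAPS='7f2a1c000000-7f2a1c05e000 r-xp 00000000 08:01 131099 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Run directly: report the local OpenSSL build, then (on Linux) list any
# readable process that still maps a replaced libssl.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    echo "$v -> $(heartbleed_status "$v")"
fi
for maps in /proc/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    if uses_deleted_libssl "$(cat "$maps" 2>/dev/null)"; then
        pid=${maps#/proc/}; pid=${pid%/maps}
        echo "PID $pid still maps a replaced libssl: restart it"
    fi
done
```

After upgrading the package, run the second check before replacing certificates: a daemon that still maps the deleted libssl is still exposing the old heap, and a new private key loaded into that process gains nothing until it is restarted.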


TomDay
Release Candidate Programs Tester

@jason.vanzanten thanks for the detailed information. Looking at Apache on the server where I run my JSS, I use "openssl version" and get the following: OpenSSL 0.9.8y 5 Feb 2013. Above you say "This vulnerability does not appear to affect Apple devices (OS X or iOS) and does not affect any of the following JAMF Software products:
• JAMF Software Server (JSS) on OS X, Linux or Windows". Does the JSS install this old version of OpenSSL for a particular reason? Should I not be concerned that such an old version of OpenSSL is being used?

Thx for your time Jason, Tom

jason_vanzanten
New Contributor III

@tommyday: Thanks for the follow up. The JSS does not use or install any versions of OpenSSL on any server platforms. It is an Apache Tomcat web application that uses Java cryptography libraries.

The version of OpenSSL you reported is typical for OS X systems and is included by default in the base operating system. OpenSSL version 0.9.8y is not reported to include the Heartbleed Bug vulnerability, and Apple has indicated that iOS, OS X, and "key web services" were not affected by this issue:

http://recode.net/2014/04/10/apple-says-ios-osx-and-key-web-services-not-affected-by-heartbleed-secu...

However, it is possible that content distribution servers on Linux systems, such as File Share Distribution Points using Apache and JAMF Distribution Servers (JDS), which also uses Apache, could be exposed to a vulnerable version of OpenSSL. If this is the case, we recommend following vendor recommendations for updating OpenSSL as soon as possible:

TomDay
Release Candidate Programs Tester

Great explanation, thanks! One more question as I do some research on MySQL. Do you have any related info on MySQL since the JSS uses this?

TomDay
Release Candidate Programs Tester

Think I found my answer: http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html

5.0 Products That Do Not Include OpenSSL
These Oracle products do not include OpenSSL in their initial distribution (i.e., “out of the box”) and should therefore not be affected by the recent disclosure of CVE-2014-0160. Note that the surrounding technical environment deployed around these products should be checked for the presence of other components, which may be affected by this vulnerability.

Auto Service Request [Product ID 9042]
E-Business Suite R12
Hyperion EPM
Java ME - Bluray and TV
Java ME - Javacard
Java ME – Embedded
Java SE
JavaVM
MySQL Cluster [Product ID 8479]
MySQL Cluster Manager [Product ID 8479/CLSTMGR]
MySQL Community Server version 5.6 [Product ID 6850]
MySQL Connector/Java [Product ID 8576/CONJ]
MySQL Connector/NET [Product ID 8576/CONNET]
MySQL Connector/PHP (mysqlnd) [Product ID 8576/CONMYND]
MySQL Connector/Python [Product ID 8576/CONPYTHN]
MySQL Server (all licenses, versions 5.5 and earlier) [Product ID 8478]