vulnerability in the popular OpenSSL cryptographic software library.


Guys fyi


Legendary Contributor III

Thanks for the link. Looking at the NCSC advisory, it looks at first glance that OS X may not actually be affected by this due to it using an older version of OpenSSL. The advisory states this for what's affected:

OpenSSL versions from 1.0.1 to 1.0.1f. The vulnerability has been fixed in OpenSSL 1.0.1g.

It doesn't say it goes back further than 1.0.1, but I'm not sure if it's just because those versions haven't been tested for the vuln yet or not.
I just checked some 10.8.x Macs and one running 10.9.2 and they are all running OpenSSL version 0.9.8y.

Can anyone who knows more about this confirm this information? Neither article I've read seems to list any flavor of OS X as being affected. If true, chalk it up to dumb luck that Apple seems to always ship an older version of these libraries with their OS.

But I'd imagine anyone running a Linux server or ten would want to pay attention to this since it seems to affect many varieties of Linux.

New Contributor

From what I have seen

The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8

Contributor III

It looks like JAMF's implementation of Tomcat is fine, even under Linux. But if you've used the same certs for, say, an HTTPS distribution on a system running the vulnerable version, then you're going to want to patch and reissue certs.

New Contributor III

I was able to check our servers at the following link:

Our Casper implementation "Seemed" ok.

Here's the GitHub site:

Contributor III

My NetSUS is showing vulnerable. Is there a simple way to patch it?

New Contributor II

How to know what OpenSSL libraries are used by the Tomcat JSS server?

I know that one can run "openssl version" to get the current system openssl version, but is it enough?
On the webpage, I see :

The binary builds of Tomcat Native 1.1.24 - 1.1.29 have been compiled with an OpenSSL version vulnerable to Heartbleed, and are thus probably vulnerable. See and A new build using OpenSSL 1.0.1g would be very much appreciated.

Uncle Google does not help me a lot to quickly understand differences between JSSE, APR, and whatever cryptic stuff in server.xml file :-).
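
An added example (not part of any post in this thread, and not JAMF or Tomcat code): on a Linux server, this lists the OpenSSL-related libraries a running process has actually loaded and classifies the version string found in each against the range quoted from the advisory above (1.0.1 through 1.0.1f affected, fixed in 1.0.1g). The function names are hypothetical, and it assumes `/proc` and the `strings` utility are available.

```shell
#!/bin/sh
# Added example, not from the thread. Affected range as quoted from the
# advisory above: OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g.

# Pull the upstream version token out of text such as `openssl version`
# output or a version string embedded in a library file.
openssl_version_from() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Classify a version token. 0.9.8 and 1.0.0 are the branches the thread
# names as not vulnerable; anything else outside 1.0.1 is left "unknown".
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]) echo affected ;;
        1.0.1[g-z]*|1.0.0*|0.9.8*) echo not-affected ;;
        *) echo unknown ;;
    esac
}

# Report the OpenSSL-related libraries a running process has mapped
# (Linux /proc), with the version string found inside each file.
scan_pid() {
    maps="/proc/$1/maps"
    [ -r "$maps" ] || { echo "cannot read $maps" >&2; return 1; }
    awk '$6 ~ /lib(ssl|crypto|tcnative)/ {print $6, $7}' "$maps" | sort -u |
    while read -r lib flag; do
        if [ "$flag" = "(deleted)" ]; then
            # File was replaced on disk but the old copy is still loaded.
            printf '%s\treplaced-on-disk\trestart-needed\n' "$lib"
            continue
        fi
        ver=$(openssl_version_from "$(strings "$lib" | grep -m1 'OpenSSL [01]\.[0-9]')")
        printf '%s\t%s\t%s\n' "$lib" "${ver:-?}" "$(heartbleed_status "$ver")"
    done
}

# Usage: sh check.sh PID [PID...]   (e.g. the Tomcat or Apache process IDs)
for pid in "$@"; do scan_pid "$pid"; done
```

A process that prints nothing has no libssl, libcrypto or libtcnative mapped. An "affected" result is based on the upstream version string only, so check it against the distribution's package changelog, since some distributions backport the fix without changing that string.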

Valued Contributor III

Don't worry about OS X itself. 10.8 and below used a version of OpenSSL prior to 1.0 and 10.9 doesn't use it at all!

Contributor II


You can try this:

apt-get update
apt-get dist-upgrade

Or if comfortable..

apt-get upgrade

Contributor III

@lisacherie Easy enough! Thank you for sharing that.

Contributor III

I e-mailed our rep when it came out and asked if we needed to patch; they said no. As far as I could tell the JSS was using Java for its SSL, not OpenSSL.

New Contributor III

Hi everybody,

A Security Update regarding this issue has been posted to a separate discussion on JAMF Nation:

That discussion will be updated with any new information, as necessary.

Jason Van Zanten
Information Security Specialist
JAMF Software


Does anyone have a recipe for regenerating SSL certificates in the NetSUS VM appliance?

New Contributor III

@ianmb: The NetBoot/SUS Appliance uses Apache for the Web Application user interface, which includes a self-signed SSL certificate by default. The following is the default configuration in the /etc/apache2/sites-enabled/default-ssl file:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

None of the other services provided by the NetBoot/SUS Appliance use SSL by default:
- SMB for uploading NetBoot images
- HTTP for distributing software updates and booting NetBoot clients
- AFP for storing shadow files during diskless NetBoot

The SSL certificate for the Web Application user interface can be updated using standard procedures for Apache: