On Monday, April 7, 2014, a new "Heartbleed" vulnerability (CVE-2014-0160) was publicized. This vulnerability involves the SSL (encrypted) connection between web clients and their web server pages. Under certain circumstances, web communication(s) between clients and their web server pages could be read, intercepted, hijacked, or otherwise falsely manipulated by unauthorized users.
Progress immediately implemented a system-wide assessment of components potentially affected by the "Heartbleed" vulnerability, and developed appropriate response and remediation plans:
- All 3rd party web services the Progress Pacific platform uses were updated as of April 9, 2014, mitigating the vulnerability. Further, we have re-issued our SSL web encryption certificates to further mitigate risk. Please note that, after diligent operational review of our real-time logs and monitors, we do not believe any SSL keys or certificates were compromised at this time.
- Progress RollBase web servers were updated as of April 9, 2014, mitigating the vulnerability.
- At this time we believe no other customer-facing Progress utilities are susceptible to the vulnerability.
Progress understands that a secure user experience is top of mind for its customers and partners. If you have specific questions, please contact Progress Support or call your Regional Technical Support Manager at the number listed on our Escalate a Case page.
Additional background materials concerning the Heartbleed (CVE-2014-0160) vulnerability can be found here:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
In the notices.txt file of OE 11.3.2 I found the following:
(o) Progress OpenEdge v11.3.2 may incorporate OpenSSL v0.9.8 from The OpenSSL Project.
The Heartbleed bug is present in versions 1.0.1 through 1.0.1f, so the product seems to be unharmed...
My understanding of the Heartbleed bug is that it could leak arbitrary data from memory (including SSL keys) without leaving any trace in logs.
This means that any SSL key that was present in memory on a server that was running an affected version of OpenSSL cannot be guaranteed to still be secret.
That is why the standard advice is to revoke & reissue all certificates that could have been leaked by a server.
The above Progress statement seems to imply that they may not be planning on revoking & re-issuing their certificates.
Given that a compromised certificate would allow anyone to perfectly run a Man-In-The-Middle attack, I would hope that this is not the case.
I don't much like the idea of not being sure that I'm really talking to Progress while uploading source to MAB & downloading executables.
Any chance of a comment from Progress about certificate revocation plans?
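As an added example (not code from the thread or from Progress), here is a small triage helper that applies the version check made in the post above: it pulls the OpenSSL version out of a line such as the notices.txt entry and reports whether it falls in the range the post states as affected (1.0.1 through 1.0.1f). The notices.txt sample line is copied from the post; the other sample strings are constructed.

```python
import re
from typing import NamedTuple, Optional

class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str  # OpenSSL letter suffix ('' for a release with no letter)

# Anchor on the word "OpenSSL" so that a product version in the same line
# (e.g. "OpenEdge v11.3.2") is not mistaken for the library version.
_VERSION_RE = re.compile(r"OpenSSL\s*v?(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)

# Range as stated in the post: 1.0.1 (no letter) through 1.0.1f, inclusive.
FIRST_AFFECTED = OpenSSLVersion(1, 0, 1, "")
LAST_AFFECTED = OpenSSLVersion(1, 0, 1, "f")

def parse_openssl_version(text: str) -> Optional[OpenSSLVersion]:
    """Extract the OpenSSL version from a notices.txt line or `openssl version` output."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def in_stated_range(v: OpenSSLVersion) -> bool:
    # Tuples compare field by field; the empty suffix sorts before "a", so
    # 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g, matching OpenSSL's lettering.
    return FIRST_AFFECTED <= v <= LAST_AFFECTED

def classify(text: str) -> str:
    """Return a triage verdict for one line of version evidence.

    Caveat: a version string is only a first indicator. A vendor or distribution
    may ship a patched build under an old version number, or a vulnerable build
    behind a generic "may incorporate" notice, so confirm against the actual binary.
    """
    v = parse_openssl_version(text)
    if v is None:
        return "no-openssl-version"
    return "in-stated-range" if in_stated_range(v) else "outside-stated-range"

if __name__ == "__main__":
    samples = [
        "(o) Progress OpenEdge v11.3.2 may incorporate OpenSSL v0.9.8 from The OpenSSL Project.",
        "OpenSSL 1.0.1f 6 Jan 2014",   # constructed `openssl version` output
        "OpenSSL 1.0.1g",              # constructed: first release past the stated range
    ]
    for line in samples:
        print(f"{classify(line):22s} {line}")
```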
We have re-issued our SSL web encryption certificates for our entire Pacific Platform hosted solution on the small chance that an SSL key or certificate was intercepted. Please note that, after diligent operational review of our real-time logs and monitors, we do not believe any SSL keys or certificates were compromised at this time.