Is HEAT Affected by the HeartBleed Vulnerability?

Development investigated HeartBleed and found that HEAT is not vulnerable to it. HEAT uses a different tool, KEYTOOL, to manage its security certificate, and KEYTOOL is what we distribute with our Tomcat distribution.

As part of the stock Tomcat installation with HEAT, we install the Tomcat Native DLL, tcnative-1.dll, in the folder C:\Program Files (x86)\HEAT\WEBUI\bin. Tomcat Native gives Tomcat access to the Apache Portable Runtime (APR) library's socket implementation and includes OpenSSL.

The versions of tcnative-1.dll that bundle a vulnerable OpenSSL are 1.1.24 through 1.1.29. The version installed by HEAT is 1.1.14, which is therefore not vulnerable.

Further, HEAT does not use or load tcnative-1.dll at all, so regardless of its version there is no HeartBleed exposure.
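An administrator can confirm both of the facts above on the HEAT Web UI server: that the installed tcnative-1.dll is outside the 1.1.24 to 1.1.29 range, and that Tomcat is not configured to load the APR/OpenSSL stack. This is an added check, not part of the original article or of the HEAT product; the server.xml location and the AprLifecycleListener/Http11AprProtocol lookups assume a stock Tomcat layout.

```powershell
# Added verification script (not HEAT's own tooling). Paths assume the stock
# HEAT Web UI Tomcat layout under C:\Program Files (x86)\HEAT\WEBUI; adjust if moved.
$webui     = 'C:\Program Files (x86)\HEAT\WEBUI'
$dllPath   = Join-Path $webui 'bin\tcnative-1.dll'
$serverXml = Join-Path $webui 'conf\server.xml'   # assumed stock Tomcat location

# Tomcat Native builds that shipped a HeartBleed-affected OpenSSL (per the article).
$vulnMin = [version]'1.1.24'
$vulnMax = [version]'1.1.29'

# 1. Is the DLL present, and which Tomcat Native version is it?
if (-not (Test-Path $dllPath)) {
    Write-Output "tcnative-1.dll not found at $dllPath; the native OpenSSL stack cannot be in use."
} else {
    # FileVersion may read "1.1.14.0" or "1, 1, 14"; normalise and keep major.minor.patch.
    $raw = (Get-Item $dllPath).VersionInfo.FileVersion -replace '[,\s]+', '.'
    if ($raw -match '(\d+\.\d+\.\d+)') {
        $ver = [version]$Matches[1]
        if ($ver -ge $vulnMin -and $ver -le $vulnMax) {
            Write-Output "tcnative-1.dll $ver is INSIDE the affected range $vulnMin-$vulnMax."
        } else {
            Write-Output "tcnative-1.dll $ver is outside the affected range $vulnMin-$vulnMax."
        }
    } else {
        Write-Output "Could not parse a version from '$raw'; inspect the DLL properties manually."
    }
}

# 2. Is Tomcat configured to load the native library at all?
# Stock Tomcat enables APR via AprLifecycleListener and/or an Http11AprProtocol connector;
# without either, Tomcat serves SSL through the Java (JSSE/keytool) stack.
if (Test-Path $serverXml) {
    [xml]$cfg = Get-Content $serverXml
    $aprListener   = $cfg.Server.Listener |
                     Where-Object { $_.className -like '*AprLifecycleListener*' }
    $aprConnectors = $cfg.Server.Service.Connector |
                     Where-Object { $_.protocol -like '*Http11AprProtocol*' }
    if ($aprListener -or $aprConnectors) {
        Write-Output "server.xml references the APR listener/connector; confirm whether native SSL is active."
    } else {
        Write-Output "server.xml does not reference APR; Tomcat uses the Java SSL stack (KEYTOOL certificates)."
    }
} else {
    Write-Output "server.xml not found at $serverXml; adjust the path for this installation."
}
```

The second check reports configuration only; the Tomcat startup log (catalina.*.log) settles whether the library actually loaded, since a successful load writes a line beginning "Loaded APR based Apache Tomcat Native library".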

In theory, a HEAT user could choose to use OpenSSL instead of KEYTOOL, but they would have to go out of their way to download that product and set it up on their own.

Attached is the FRS document that outlines the steps to implement SSL with Web UI and HSS; it clearly describes using the KEYTOOL product.