A critical vulnerability in the OpenSSL cryptographic library's implementation of the TLS/DTLS (Transport Layer Security) protocols was identified and publicly disclosed on April 7th, 2014. OpenSSL is widely used in open source operating systems such as Linux but is less commonly used in commercial operating systems such as Microsoft Windows.
Essent was aware of this problem as soon as it was disclosed and immediately took action to verify that none of our offerings or Facility Management Support (FMS) service subscribers were vulnerable.
Essent software products and services do not use an affected version of OpenSSL. None of the business and commerce products, including Compass, SiteBuilder, PunchOutNow, Direct2Decoration, and OrderTrax, is affected. The Essent Commerce Cloud™, and by extension its users, does not use OpenSSL and is not directly affected by this vulnerability. Essent security products that do use OpenSSL, such as The Netset™ Network Security Appliance, do not run a version that has been identified as vulnerable to the Heartbleed bug.
This vulnerability, which has been assigned the CVE identifier CVE-2014-0160 and is also known as the "Heartbleed Bug," allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. The issue is considered extremely critical because of its impact, its long exposure (2+ years), its ease of exploitation, the absence of application logs indicating an exploit attempt, and the widespread availability of exploit code.
The flaw is a missing bounds check in the OpenSSL implementation of the heartbeat extension (RFC 6520) of the TLS/DTLS (Transport Layer Security) protocols: the code trusts the payload length claimed in a heartbeat request instead of checking it against the length of the record actually received. This vulnerability reveals 64KB of memory per request to a connected client or server. An attacker can keep reconnecting, or keep requesting an arbitrary number of 64KB chunks of memory content during an active TLS connection, until they have achieved their objectives.
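To make the missing bounds check concrete, the following is an added example (not OpenSSL's code and not part of this notice): a small validator for the RFC 6520 heartbeat record layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding) that applies the length check the vulnerable versions lacked, reports how far an unchecked copy would read past the record, and builds an echo response only after the check passes. The function and macro names are the example's own.

```c
/* RFC 6520 heartbeat record check (added example; not OpenSSL code). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_MIN_PAD   16   /* RFC 6520: padding MUST be at least 16 bytes */
#define HB_HDR_LEN   3    /* 1-byte type + 2-byte big-endian payload_length */

/* Claimed payload_length from the record header, or -1 if the record is
 * too short even to carry the 3-byte header. */
static long hb_claimed_payload(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR_LEN) return -1;
    return ((long)rec[1] << 8) | rec[2];
}

/* The bounds check CVE-2014-0160 lacked: the record must actually contain
 * header + payload_length bytes of payload + at least 16 bytes of padding.
 * Returns 1 if the record is well-formed, 0 if it must be discarded silently. */
int hb_record_ok(const uint8_t *rec, size_t rec_len) {
    long claimed = hb_claimed_payload(rec, rec_len);
    if (claimed < 0) return 0;
    if ((size_t)claimed + HB_HDR_LEN + HB_MIN_PAD > rec_len) return 0;
    return 1;
}

/* Bytes beyond the end of the record that an unchecked copy of
 * payload_length bytes would read (0 for a well-formed record). This is
 * where the "up to 64KB per request" figure comes from: a 16-bit length. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    long claimed = hb_claimed_payload(rec, rec_len);
    if (claimed < 0) return 0;
    size_t need = (size_t)claimed + HB_HDR_LEN;
    return need > rec_len ? need - rec_len : 0;
}

/* Hardened echo: copy the payload into the response only after the check.
 * Returns the response length, or 0 if the request was discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_len) {
    if (!hb_record_ok(rec, rec_len)) return 0;
    size_t payload = (size_t)hb_claimed_payload(rec, rec_len);
    size_t resp_len = HB_HDR_LEN + payload + HB_MIN_PAD;
    if (resp_len > out_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, payload); /* bounded by check */
    memset(out + HB_HDR_LEN + payload, 0, HB_MIN_PAD);    /* padding */
    return resp_len;
}
```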
The vulnerability is not a flaw in the design of the protocol but in its implementation in software. It was discovered independently by a member of the Google Security team and by a team of security engineers at Codenomicon. Proof-of-concept (PoC) code to exploit this vulnerability exists. OpenSSL versions 1.0.1 through 1.0.1f (inclusive) and version 1.0.2-beta are vulnerable; the 1.0.0 and 0.9.x branches are not vulnerable.