Support | Security Bulletins


Here's how SDS products are or aren't affected by recent Internet security threats.


contents: POODLE, Shellshock, Heartbleed


POODLE

Oct. 2014, https://www.us-cert.gov/ncas/alerts/TA14-290A

Secure VitalSigns servers against POODLE by adjusting server configuration.

POODLE (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability in the SSL 3.0 protocol. That means it might be a problem for SDS products that use a Tomcat web server: VIP, VNAC, and VFTP.

The safest response is to disable SSLv3 by editing the server configuration file:
installDirectory/sdsweb/conf/server.xml

Then restart the server.

For VIP 7.2.x and 8.0.x, VNAC 3.0.x, and VFTP 3.0.x, change
sslProtocol="TLS"

to
sslProtocol="TLSv1, TLSv1.1, TLSv1.2"

For VNAC 4.0.x and VFTP 2.0.x, change
sslProtocol="TLS"

to
sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
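
Because the fix is a configuration edit, it is worth confirming after the restart that no SSL connector in server.xml still admits SSLv3. The Python below is an added example, not SDS code: the server.xml fragment is constructed, and the check treats a bare sslProtocol="TLS" as permitting SSLv3, as the guidance above implies, while accepting either of the two attribute forms shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from any real install): one connector
# still on the default "TLS", one fixed via sslProtocol (VIP 7.2.x/8.0.x,
# VNAC 3.0.x, VFTP 3.0.x), one fixed via sslEnabledProtocols (VNAC 4.0.x,
# VFTP 2.0.x), and one plain HTTP connector that POODLE does not concern.
SAMPLE_SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" sslProtocol="TLS"/>
    <Connector port="8444" SSLEnabled="true"
               sslProtocol="TLSv1, TLSv1.1, TLSv1.2"/>
    <Connector port="8445" SSLEnabled="true"
               sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"/>
    <Connector port="8080"/>
  </Service>
</Server>
"""


def allowed_protocols(connector):
    """Return the set of protocol names an SSL connector is configured with.

    sslEnabledProtocols wins when present; otherwise sslProtocol is used,
    defaulting to "TLS". A bare "TLS" is assumed (per the bulletin's advice)
    to let the engine negotiate SSLv3 as well, so it is expanded accordingly.
    """
    raw = connector.get("sslEnabledProtocols") or connector.get("sslProtocol", "TLS")
    names = {p.strip() for p in raw.split(",") if p.strip()}
    if "TLS" in names:
        names.discard("TLS")
        names.update({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
    return names


def find_poodle_exposed_connectors(server_xml):
    """Return the ports of SSL-enabled connectors that still permit SSLv3."""
    root = ET.fromstring(server_xml)
    exposed = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: no SSL, so POODLE does not apply
        if any(p.lower() == "sslv3" for p in allowed_protocols(conn)):
            exposed.append(conn.get("port"))
    return exposed


if __name__ == "__main__":
    for port in find_poodle_exposed_connectors(SAMPLE_SERVER_XML):
        print(f"connector on port {port} still allows SSLv3; restrict it to TLS only")
```

Run it against the real installDirectory/sdsweb/conf/server.xml by reading the file into find_poodle_exposed_connectors; an empty result means every SSL connector is restricted to TLS.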

Shellshock

Sept. 2014, https://www.us-cert.gov/ncas/alerts/TA14-268A

No SDS products are threatened by Shellshock.

Shellshock is a vulnerability in the GNU Bourne-Again Shell (Bash). No SDS products ship with GNU Bash, so they have no direct exposure to the Shellshock vulnerability. SDS recommends that you review the operating systems where you run SDS products and apply any necessary security upgrades.

Heartbleed

April 2014, https://www.us-cert.gov/ncas/alerts/TA14-098A

SDS VitalSigns is not threatened by Heartbleed.

VitalSigns products use Tomcat web servers. Tomcat is a Java-based application, with its own implementation of SSL. The OpenSSL/Heartbleed security vulnerability poses no threat to it whatsoever.

SDS E-Business Server™ is not threatened by Heartbleed.

Heartbleed is a weakness in OpenSSL versions built with a specific preprocessor #define set at compile time. The E-Business Server code contains no reference to that symbol. That, together with the fact that Heartbleed affects only SSL transport setup, means it is safe to assume that E-Business Server is not threatened by Heartbleed.