
Heartbleed SSL vulnerability (CVE-2014-0160)

Question asked by petep on Apr 11, 2014
No doubt you've heard a lot about the recent SSL vulnerability known as Heartbleed in the press. It affects the Open Source implementation of the SSL protocol used to encrypt web traffic called OpenSSL and allows remote, undetectable retrieval of SSL keys from Internet-connected web sites. This in turn allows encrypted traffic to be decrypted.

Here is a brief FAQ to explain Alfresco's position on this and help you better understand the issue.

Q: Is Alfresco code directly affected?
A: No. The Alfresco application does not use the binaries that have this vulnerability. No changes to Alfresco will be made because of this issue, and there is no need for any hotfix.
The Alfresco Installer program does provide OpenSSL binaries, but the versions that are shipped are not vulnerable to this attack.

Q: Is Alfresco Cloud affected?
A: Alfresco Cloud has already been updated to use the new fixed versions of the OpenSSL binaries, and new certificates have been generated.

Q: Does that mean that no Alfresco customers are affected?
A: Not necessarily.
If Alfresco is running behind a system that uses OpenSSL to secure the communication with users (such as Apache acting as a proxy) and if that system is using a vulnerable version of the OpenSSL binaries, then the system should be considered at risk, OpenSSL should be upgraded and new certs should be generated for the user-facing systems.

Q: How does this affect the default SSL communication between Solr and Alfresco?
A: By default, the SSL communication between Solr and Alfresco uses a certificate shipped with Alfresco. This certificate and its keys are already in the public domain, so should already be considered compromised, and should not be used in a system that requires secure communications between Solr and Alfresco.
If the certificates have been changed to use a customer's own certificates, they will not have been compromised by their use in the Solr/Alfresco communication, as Alfresco does not use OpenSSL for this.
If you would like to set up Solr/Alfresco communication that uses custom certificates, please see the documentation.

Q: What about my old passwords? Are they compromised?
A: Vulnerable versions of OpenSSL have been in use for a significant time prior to the recent fix. This raises the possibility that any system that was running vulnerable versions in the past has been completely compromised. For this reason, it is recommended that all users change their passwords.
This includes Alfresco Cloud users and users of Alfresco systems that are behind OpenSSL-protected proxies (e.g. Apache).

Summary:
- As Alfresco does not use OpenSSL for communication, it is not, in itself, vulnerable to the Heartbleed Bug.
- Alfresco Cloud has been patched and new certificates generated, but all users should change their passwords.
- If Alfresco is running in infrastructure that uses OpenSSL for communication elsewhere, then customers should follow the Heartbleed Bug website recommendations.
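
Two defender-side checks for the proxy case the post describes (is the front-end OpenSSL in the affected range, and was the certificate issued before the fix shipped), as an added example that is not part of the post or of Alfresco's tooling; the function names are hypothetical, and the affected-release range and the 2014-04-07 cutoff come from the OpenSSL 1.0.1g release.

```shell
#!/bin/sh
# Heartbleed (CVE-2014-0160) exposure checks for a proxy host in front of
# Alfresco. Hypothetical helper names; added example, not Alfresco code.

# Classify an "openssl version" banner against the affected upstream
# releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1. 1.0.1g, 1.0.2-beta2
# and the 1.0.0 / 0.9.8 branches were never affected.
# Returns 0 when the version is in the affected range, 1 otherwise.
# Distributions often backport the fix without bumping the version
# (Debian's 1.0.1e-2+deb7u5, for instance), so 0 means "check the
# package changelog", not "confirmed vulnerable".
heartbleed_affected_version() {
    # Accept a bare version ("1.0.1e") or the full banner
    # ("OpenSSL 1.0.1e-fips 11 Feb 2013").
    v=$(printf '%s\n' "$1" | sed -e 's/^OpenSSL //' -e 's/[[:space:]].*//')
    case "$v" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        1.0.2-beta1|1.0.2-beta1-*)             return 0 ;;
        *)                                     return 1 ;;
    esac
}

# Given the "notBefore=..." line printed by
#   openssl x509 -in cert.pem -noout -startdate
# return 0 if the certificate was issued before 2014-04-07, the day
# 1.0.1g shipped. A key that served TLS on an affected host before that
# date may have been read out of process memory and should be reissued
# after the upgrade, which is the "new certs" step the FAQ refers to.
cert_predates_fix() {
    set -- $(printf '%s\n' "$1" | sed 's/^notBefore=//')   # Mon Day Time Year TZ
    [ $# -ge 4 ] || return 1
    case "$1" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    d=$(printf '%02d' "$2")
    [ "$4$m$d" -lt 20140407 ]
}

# Report on the locally installed OpenSSL, if there is one.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    if heartbleed_affected_version "$banner"; then
        echo "WARN: '$banner' is in the affected range; confirm via the package changelog"
    else
        echo "OK: '$banner' is outside the affected range"
    fi
fi
```

Run it on each OpenSSL-terminating host in front of Alfresco, then feed the `-startdate` line of the serving certificate to `cert_predates_fix` to decide whether that certificate needs reissuing.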
