edgeNEXUS ALB OpenSSL “Heartbleed” Resolution Advisory

About OpenSSL and the “Heartbleed” Vulnerability

• For those of you not familiar with OpenSSL, it is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general-purpose cryptography library. edgeNEXUS use OpenSSL as part of our ALB product to deliver SSL client termination as well as the secure presentation of our GUI.

• The vulnerability has existed since December 31, 2011, and the vulnerable code has been adopted to widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. By reading the memory of the web server, attackers could access sensitive data, compromising the security of the server and its users. Potentially secure data including the server’s private master key could be compromised.

• edgeNEXUS ALB only more recently adopted this OpenSSL release in version 3.25.2 (build 1431) and so the “heartbleed” vulnerability is present in this and any subsequent releases of ALB.

Details for the edgeNEXUS Package to Resolve the “Heartbleed” Vulnerability

edgeNEXUS has just released Service Pack 5 for ALB hardware and virtual appliances – version 3.54.1 (build 1540) – which resolves the OpenSSL heartbleed vulnerability by replacing any prior OpenSSL cryptography library with version 1.0.1g. SP5 also contains a variety of bug fixes and performance improvements over previous releases.

Please note that you may need to update using further intermediate builds if you have not been keeping up to date with edgeNEXUS ALB releases over time. SP5 can be used to update any release after (and including) version 3.21.2 (build 1420) directly, but you should contact support by emailing “support@edgenexus.io” for additional instructions where your ALB is running on an older build than version 3.21.2 (build 1420).

Please email support@edgenexus.io for download details for the SP5 32-bit update package version 3.54.1 (build 1540).

About Donna Toomey