You may have heard news of the “Heartbleed Bug,” as recently reported by the OpenSSL project. Researchers have found a critical defect in versions 1.0.1 and 1.0.2-beta of OpenSSL, the cryptographic software library which is used to protect up to an estimated 75 percent of the Internet’s secure traffic. The bug may allow individuals to read small portions of memory on systems protected by vulnerable versions of the OpenSSL software. For information on this vulnerability, see CVE-2014-0160 on the NIST website and heartbleed.com.
Unaffected SoftwareKey products and services
- The Protection PLUS 4 licensing client uses OpenSSL 0.9.8, which is not affected.
- Instant PLUS Licensing is built on Protection PLUS 4, which is not affected.
- Protection PLUS 5 .NET Edition API (PLUSManaged) is not affected.
- SOLO Server uses IIS, which does not use OpenSSL, and therefore is not affected.
Further, our technology partners confirm that all systems are either not affected or have already been updated as well.
Affected SoftwareKey products and services
Protection PLUS 5 Native Edition API is affected:
- Versions 126.96.36.199, 188.8.131.52, and 184.108.40.206 are affected.
- In the very unlikely event that you are using the PLUSNative library to make a webservice call to SOLO Server which requires author login credentials, it is strongly recommended that you change your author login password, just to be safe.
- All webservice calls to XML Activation Service and XML License File Service use an extra level of encryption in the requests and responses. Therefore, the Heartbleed vulnerability is mitigated unless you have disabled the encryption requirement in the encryption key data page, which is extremely unlikely.
- If protected applications are statically linking the PLUSNative library and also using OpenSSL for transmissions (other than to SOLO Server’s encrypted web services), then the flaw does impact the application. Your software development team should review the use of OpenSSL library to determine how your customers may be affected.
Protection PLUS 5 Native Edition build 220.127.116.11 was recently posted with a patched version of OpenSSL. The updated library “should” be a drop in replacement for the affected versions of PLUSNative library in most cases. There are many other changes in this library that were already scheduled for this release that are also included in 18.104.22.168. Please review the release notes and contact us with any questions.
Existing customers can log into their Customer Portal to download this update. Customers with expired software maintenance can either renew their software maintenance online or contact us for this vulnerability fix.
As with any wide-reaching story, we understand that our customers may have concerns. If you should have any additional questions or concerns, feel free to contact us.