Heartbleed Bug

Reference Number: AA-02032

Like many other software companies, LumenVox uses the OpenSSL library to provide encryption algorithms and secure connectivity in a number of areas of its code. Over time there have been a number of questions about OpenSSL's reliability, given the widely reported Heartbleed bug and other bugs.

While such bugs and issues are unfortunate, they are also less likely to occur in libraries such as OpenSSL, which come under public scrutiny with each new version. Given that the number of such issues is extremely low (certainly much lower than if we developed our own alternative), we continue to support and use OpenSSL while monitoring any security patches and updates that are recommended. We do the same for the other third-party libraries we incorporate in our products.

Specifically relating to the Heartbleed bug, which was first disclosed in April 2014, we responded quickly to update our use of OpenSSL and minimize the impact of this bug on our customers. Our release cycle is typically around 3 months, allowing us to issue updates to our products roughly 4 times per year; at those times we address any issues that have come up.

The Fix

In our 12.2.100 release on September 2, 2014, we included changes to address the Heartbleed bug, among them an update to the version of OpenSSL our Windows packages use. The version we migrated to was openssl 1.0.1g, which, according to the site dedicated to this bug (www.heartbleed.com), correctly fixes the issue.

On Linux, our products use the version of OpenSSL installed on the host system itself rather than a bundled copy. We therefore encourage our Linux users to perform their own security analysis and, at a minimum, to install a version of OpenSSL that is at least 1.0.1g. This removes the risk posed by this bug not only for LumenVox products but for every other product on the host that uses OpenSSL.
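As an added example (not LumenVox code or part of the original article), the following POSIX shell script classifies the banner printed by `openssl version` against the 1.0.1g fix release described above. The version ranges it encodes are the ones the OpenSSL project published for Heartbleed: 1.0.1 through 1.0.1f affected, 1.0.1g and later fixed, the 1.0.2-beta1 prerelease affected, and 1.0.0 and 0.9.8 never affected. The function names and the sample banners in the usage notes are constructed for this example.

```shell
#!/bin/sh
# Added example (not LumenVox code): classify an "openssl version" banner
# against the Heartbleed fix release, OpenSSL 1.0.1g.
#
# Version ranges as published by the OpenSSL project:
#   - 1.0.1 through 1.0.1f are vulnerable; 1.0.1g and later are fixed.
#   - The 1.0.2-beta1 prerelease was vulnerable; later 1.0.2 builds were not.
#   - 1.0.0 and 0.9.8 never contained the heartbeat code and are not affected.
#
# heartbleed_status "<banner>" prints one of
#   vulnerable | fixed | not-affected | unknown
# and returns 0 only for "fixed" or "not-affected", so it can drive a
# conditional or serve as a script exit status.
heartbleed_status() {
    # Split the banner on whitespace; the version token follows the word
    # "OpenSSL", e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e-fips".
    # shellcheck disable=SC2086
    set -- $1
    if [ "${1:-}" = "OpenSSL" ]; then ver=${2:-}; else ver=${1:-}; fi

    # base: the leading digits and dots ("1.0.1e-fips" -> "1.0.1")
    base=${ver%%[!0-9.]*}
    # letter: the patch letter directly after the base, if any ("e-fips" -> "e")
    rest=${ver#"$base"}
    letter=${rest%%[!a-z]*}

    case "$base" in
        "")
            echo unknown; return 2 ;;
        1.0.1)
            # Plain 1.0.1 (no letter) and letters a-f predate the fix.
            case "$letter" in
                ""|[a-f]) echo vulnerable; return 1 ;;
                *)        echo fixed;      return 0 ;;
            esac ;;
        1.0.2)
            case "$ver" in
                *beta1*) echo vulnerable; return 1 ;;
                *)       echo fixed;      return 0 ;;
            esac ;;
        1.0.0|0.9.*)
            echo not-affected; return 0 ;;
        *)
            # 1.1.x, 3.x and anything else released after the fix.
            echo fixed; return 0 ;;
    esac
}

# Check the OpenSSL binary on this host. Distribution packages frequently
# backport the fix without changing the version string (a patched "1.0.1e"
# is common), so "vulnerable" here means "confirm against your
# distribution's security advisory", not a confirmed exposure.
check_local_openssl() {
    banner=$(openssl version 2>/dev/null)
    status=$(heartbleed_status "$banner")
    rc=$?
    printf 'openssl: %s -> %s\n' "${banner:-not found}" "$status"
    return $rc
}

# Run the live check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
    check_local_openssl
fi
```

Run it as `sh check_openssl.sh --live` on each Linux host, or source it and call `heartbleed_status "OpenSSL 1.0.1e-fips 11 Feb 2013"` to classify a banner collected elsewhere (that constructed input yields `vulnerable`). Because vendors such as Debian and Red Hat shipped the fix as a patch on top of an older version number, treat the version check as a first pass and confirm with the package changelog before concluding a host is exposed.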

The areas of LumenVox products affected by such bugs are the encryption functions we use throughout our products: the option to encrypt Response Files, Secure HTTP (HTTPS) connectivity when fetching media, and HTTPS when hosting, such as the Dashboard served by the LvManager service.

You can find more specific information about the Heartbleed bug and its vulnerabilities at www.heartbleed.com and http://en.wikipedia.org/wiki/Heartbleed.

Secure Certificates

If you were using secure certificates on machines affected by the Heartbleed bug, whether running LumenVox software or not, those certificates could have been compromised (the bug could expose a server's private key from memory), and you should therefore replace them with regenerated ones.

The article "Heartbleed and GoDaddy's Certificate Authority" describes some of the impact on certificates and the need to replace any that may have been compromised. A further article, "Does Heartbleed mean new certificates for every SSL server", describes the steps necessary to fully address the Heartbleed bug, including changing passwords and other credentials on affected systems: the vulnerability potentially exposed far more than certificates, which is why the bug gained so much worldwide attention.

Articles referenced here are meant to assist you, but we encourage you to look beyond these to fully understand how this bug affects you and your users.

Our Recommendation

As with any software or Operating System, it is important to remain vigilant in order to safeguard users and data. We encourage our users to maintain their systems and apply security patches as they become available, and we highly recommend keeping your LumenVox software maintenance current, which allows you to move to our latest versions as they are released.

Not only do we add new features with each new release, but any issues that have been reported by our numerous clients are also addressed in these releases.

We understand that it is not always practical for all of our users to stay current with our latest releases as soon as they are introduced. However, we strongly encourage our users to review our release notices and attend our release webinars, so that you are at least aware of the changes we are making and can make your own informed decisions about updating. We try to keep our release notes honest and clear: if we are fixing bugs, we do our best to report them in the release notes, because we want our users to trust us and to be fully informed of the impact our changes may have on their end users.