Over the past few days, a software vulnerability in the SSL/TLS layer used by many websites has come to light, forcing many IT and infrastructure managers to work around the clock to resolve the issue. You may have already heard of it as “Heartbleed.”
For further reference, Wikipedia defines Heartbleed as “a software bug in the open-source cryptography library OpenSSL, which allows an attacker to read the memory of a server or a client, allowing them to retrieve, for example, a server's SSL private keys. Examinations of audit logs appear to show that some attackers may have exploited the flaw for at least five months before it was discovered by researchers and subsequently published.”
Earlier today, I sent a quick note to some of the larger P2P and supplier network providers asking for statements on how they have addressed potential vulnerabilities in the wake of Heartbleed. We’ve included their statements below. Note that this is just a select group – we expect more responses from others. These providers have been very quick to respond, and we’re thankful for their effort.
In addition, please note that all servers on the Spend Matters Network have been addressed and are no longer open to the Heartbleed vulnerability.
Here are the provider policy statements:
“At OpenText™, the security and privacy of your information is our top priority.
OpenText is aware of and has been carefully monitoring the recent news surrounding the Heartbleed bug. This bug exploits a vulnerability in OpenSSL software, and is an Internet-wide issue that impacts hundreds of thousands of systems.
To help reduce the risk to our customers, OpenText has proactively reviewed all of our services to assess the potential impact of the issue described in CVE-2014-0160 (the Heartbleed bug). We have completed a technical risk assessment and any vulnerable systems have been remediated, with hotfixes applied.
At OpenText, we are committed to ensuring the security and privacy of our customers’ information. As such, we will safeguard our customers' information by continuing to evaluate our software products and taking immediate action to reduce any potential risks associated with the Heartbleed bug.”
“A security flaw called Heartbleed has been discovered in the OpenSSL protocol that is used within major companies. Hubwoo IT Operations launched a comprehensive review of all external-facing aspects of Hubwoo on Tuesday, April 8th. Based on our findings, we do not currently believe that any external-facing aspects of our sites are affected by the OpenSSL vulnerability commonly known as Heartbleed.”
“We take the security and privacy of our customers' data seriously and consider it critical that we deal with security issues as quickly, effectively, and transparently as possible.
Our security team monitors security lists for vulnerability announcements and immediately reviewed all our environments for impact as soon as we were alerted about this issue. We can confirm that all of our customer environments run non-vulnerable versions of OpenSSL and no Coupa customers are affected by this vulnerability and no customer data is at risk.”
“We have confirmed that no SAP products are affected by the OpenSSL deficiency also known as Heartbleed (CVE-2014-0160). We are not running any of the affected versions of OpenSSL and have tested the ones we are using and found no vulnerabilities. We continue to monitor the situation across all platforms and will update our customers if and when any new information is available.”
“As you may have seen in the news over the past few days, large parts of the digital world have been affected by what is called the ‘Heartbleed’ bug in the OpenSSL encryption mechanism. This mechanism is used to ensure secure communication between servers on the Internet. The bug has been active since 14th March 2012, but was not known to the public until 7th April 2014. For more information please see http://heartbleed.com/.
As in many other organizations, IBX Business Network uses OpenSSL. Despite this, our services are unaffected by the ‘Heartbleed’ bug. Unlike many other eProcurement service providers, none of IBX Business Network's production systems use the versions of OpenSSL vulnerable to the bug. Consequently, ‘Heartbleed’ has had no impact on the availability, user experience, data integrity, security or reliability of the IBX Business Network.”
“OB10 is aware of the latest security vulnerability of a version of OpenSSL, known as the Heartbleed bug. OpenSSL is a cryptographic software library used to help keep Internet communications private.
We would like to confirm that we do not use the affected version of OpenSSL in any of our security layers. To be certain, we have made the necessary scans on our network components and all came out clear.
A few FAQs:
Q. Do I need to make any changes to my OB10 account in response to the Heartbleed bug?
A. No, there is nothing you need to do with any of your OB10 accounts in response to the bug.
Q. How does OB10 ensure that my account is not affected?
A. The OB10 network operates on industry-standard secure methods. We also use certified third-party scans with the latest security updates to make sure that the latest vulnerabilities both externally and internally are assessed.
Q. Where can I learn more about the Heartbleed vulnerability?
A. Read the Heartbleed website that has been set up to provide information on this vulnerability: http://heartbleed.com.
Please get in touch if you have additional questions.”
Spend Matters would like to thank all of the providers listed for their rapid responses. We are happy to print responses from other providers that submit them. Please send to: slazarus (at) spendmatters (dot) com. Customers can check the status of Heartbleed and their solutions/services providers via this link. Please note, however, that Spend Matters has not verified the accuracy of the claims made at this link.