Heartbleed openssl vulnerability and NAM

  • 7014878
  • 09-Apr-2014
  • 10-Apr-2014

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0

Situation

Is NAM susceptible to the openssl heartbleed vulnerability reported in CVE-2014-0160?

According to http://heartbleed.com/ (no idea if this is a reliable source) the following OpenSSL versions are vulnerable:

    OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

 The following are not vulnerable:

     OpenSSL 1.0.1g is NOT vulnerable
     OpenSSL 1.0.0 branch is NOT vulnerable
    OpenSSL 0.9.8 branch is NOT vulnerable

Resolution

Access Manager Appliance and Access Gateway appliances, as well as NAM components runing on SLES do not push down it's own Openssl libraries, but uses the OS based ones. With the hosts all running on SLES 11, NAM uses the 0.98 branch and is therefor not susceptible.

With the Access Gateway Service available on non SLES platforms such as Windows or RHEL, the AGS Install pushes down and uses it's own openssl libraries that are all based on the 0.98 branch too, and therefor not susceptible.

NAM 4.0 HF1 does provide administrators with the option of using an updated openssl 1.0.1f, which is vulnerable. The only way of installing this openssl is by manually copying openssl and apache files to the NAM hosts and restarting the box. This vulnerability is being fixed in NAM 4.0 HF2 builds (April 11 2014 release) and newer.

To test whether your site is vulnerable, simply go to https://www.ssllabs.com/ssltest and put in your public domain in there before running the test.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.