Environment
Self Service Password Reset
SSPR 2.xSSPR 3.x
Situation
Could SSPR be affected by the heartbleed bug?
Is SSPR susceptible to the openssl heartbleed vulnerability reported in CVE-2014-0160?
Resolution
SSPR does not utilize OpenSSL, so it is not susceptible to this security vulnerability.
There may be potential vulnerabilities for customers who front-end SSPR with Apache web server, but not for those using the default installation of SSPR on Tomcat.