Heartbleed OpenSSL vulnerability and eDirectory

  • 7014961
  • 24-Apr-2014
  • 27-May-2015


NetIQ eDirectory 8.8 SP8
NetIQ eDirectory 8.8 SP7
NetIQ iManager 2.7 SP7
NetIQ iManager 2.7 SP6
NetIQ International Cryptographic Infrastructure (NICI)
NetIQ Modular Authentication Service (NMAS)
NetIQ Certificate Server (PKIS)


Recently the Heartbleed vulnerability, also known as CVE-2014-0160, was discovered in OpenSSL 1.0.1.  A missing bounds check within a new TLS heartbeat extension could allow attackers to view a random 64KB of memory.  The concern is that this 64KB of data could hold passwords or the private key of a server's SSL service.  This was fixed in version 1.0.1g of OpenSSL the same day the bug was made public.
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable

What is eDirectory\iManager\NMAS's exposure to this bug?


The good news is that eDirectory services and utilities are not affected by this vulnerability as it uses an earlier version of OpenSSL.

  • NTLS - eDirectory lays down and consumes OpenSSL from NTLS.  The version of OpenSSL in our latest versions of NTLS (887 & 888) has not changed in 2 years and contains version 0.9.d which does not contain the vulnerability.
  • IDM  (including Designer & Analyzer) consumes OpenSSL 0.9.8 so is also clear.
  • iMgr -  uses JSSE from Java as the underlying SSL library so there is no impact here as well.


Other products and their exposure to this vulnerability: