OpenSSL 'Heartbleed' Vulnerability and Attachmate Products
According to the CERT/CC Vulnerability Notes Database (VU#720951), "OpenSSL 1.0.1 contains a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as 'heartbleed.'" The flaw (CVE-2014-0160, present in OpenSSL 1.0.1 through 1.0.1f and fixed in 1.0.1g) is in the handling of the TLS heartbeat extension: a heartbeat request declares its payload length in a 16-bit field, and vulnerable OpenSSL versions echoed back that many bytes without checking that the payload received was actually that long. Each malicious heartbeat request can therefore return up to 64 KB of the affected process's memory, which may include session keys, private keys, credentials, or other data the process recently handled.
Some Attachmate products (both licensed and evaluation software, listed below) are affected by this vulnerability. Note the following:
- In most Attachmate products, this vulnerability affects only certain TLS 1.2 connections.
- Products that use SSH protocol connections are not affected; the heartbeat extension is a TLS feature with no SSH counterpart.
- This vulnerability is a greater concern for servers than for clients. A server accepts TLS connections from any client, so an attacker can connect and send malicious heartbeat requests directly. A client is exposed only if it connects to a malicious (or compromised) server, so an attacker must first get the client to make that connection. This is why the client products below are described as affected "only when making a TLS 1.2 connection to a malicious server."
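To make the mechanism concrete, the following C program is an added illustration of the over-read and of the length check that fixes it. It is not code from Attachmate or from OpenSSL: the message layout follows RFC 6520 and the bound check mirrors the one added in OpenSSL 1.0.1g, but the "arena", the SECRET string, the 4-byte "ping" payload and the handler names are constructed for this demonstration, and the vulnerable handler carries one extra guard so that its over-read stays inside memory the program owns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "process memory": the received record sits at the front of this
 * arena and unrelated sensitive data (SECRET) sits right behind it, the way a
 * neighbouring heap allocation would sit behind the real record buffer. */
#define ARENA_SIZE 256
static const char SECRET[] = "session-cookie=EXAMPLE-SECRET-VALUE";

/* Write a heartbeat request into `arena` whose header claims `claimed_len`
 * payload bytes while only `actual_len` bytes are really present.
 * Returns the record length as it would be seen on the wire. */
static size_t build_record(uint8_t *arena, uint16_t claimed_len,
                           const uint8_t *payload, size_t actual_len)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;
    memcpy(arena + record_len, SECRET, sizeof SECRET);   /* the "heap neighbour" */
    return record_len;
}

/* Vulnerable handler (OpenSSL 1.0.1 through 1.0.1f behaviour): the 16-bit
 * length from the attacker-controlled message is trusted and that many bytes
 * are copied from the payload pointer, whether or not they were ever received.
 * The one guard below only keeps this demo inside its own arena; the real
 * code had no bound, so up to 65535 bytes could be returned per request. */
static int hb_respond_vulnerable(const uint8_t *rec, size_t rec_len,
                                 uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                   /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);           /* over-read past the record */
    return 3 + payload_len;
}

/* Fixed handler: the check added in OpenSSL 1.0.1g. A request whose declared
 * payload (plus header and minimum padding) does not fit in the record that was
 * actually received is silently dropped. Returns -1 when rejected. */
static int hb_respond_fixed(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)   /* the Heartbleed fix */
        return -1;
    if (3 + (size_t)payload_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Portable byte-string search (memmem is a GNU extension). */
static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n <= hay_len && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

typedef int (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Send a 4-byte "ping" whose header claims `claimed_len` bytes and report:
 *  1 = the response leaked SECRET, 0 = the response held only the real payload,
 * -1 = the handler rejected the request. */
static int leaks_secret(hb_handler handler, uint16_t claimed_len)
{
    static const uint8_t ping[4] = { 'p', 'i', 'n', 'g' };
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_record(arena, claimed_len, ping, sizeof ping);
    int n = handler(arena, rec_len, out, sizeof out);
    if (n < 0)
        return -1;
    return contains(out + 3, (size_t)n - 3, SECRET);
}

int main(void)
{
    printf("honest request (len 4),   vulnerable: %d\n", leaks_secret(hb_respond_vulnerable, 4));
    printf("honest request (len 4),   fixed:      %d\n", leaks_secret(hb_respond_fixed, 4));
    printf("claims 200 bytes, sends 4, vulnerable: %d\n", leaks_secret(hb_respond_vulnerable, 200));
    printf("claims 200 bytes, sends 4, fixed:      %d\n", leaks_secret(hb_respond_fixed, 200));
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -Wall heartbeat_demo.c`). The honest request gets the same 7-byte reply from both handlers; the request that claims 200 bytes but sends 4 makes the vulnerable handler copy the neighbouring SECRET into its reply, while the fixed handler drops it because 1 + 2 + 200 + 16 exceeds the 23-byte record it received. The same check is what a patched product applies, and it is also why the exposure is one-sided: whoever sends the request decides the declared length, so a server that accepts arbitrary clients can be probed at will, while a client is only at risk once it has connected to a server that sends such requests.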
Products Affected
The following products and versions are affected by this vulnerability when TLS protocol connections are used.
Product and Version | Status | More Info (Technical Note)
Verastream Host Integrator version 7.6 | Fixed in version 7.6.49 | 2700
Reflection for Secure IT Web Edition version 8.1 | Hotfix is available upon request | 2288
Reflection for NonStop 2014 Add-On | Fixed in R1+SP1 (version 15.6.1.746) | 2502
EXTRA! 6530 Client Option 9.3 | Fixed in 9.3 SP1 (version 9.3.1.2612) | 2501
The following products either support TLS 1.2 connections or contain components that do; they are affected by this vulnerability only when TLS 1.2 connections are used. All of the products listed include the Reflection FTP Client (version 14.1 SP3 or 15.6), which is affected only when it makes a TLS 1.2 connection to a malicious server. See KB 7021489 for how to determine whether your Reflection connections use TLS 1.2.
Product and Version | Status | More Info (Technical Note)
Reflection 2014 R1; Reflection 2014 Pro R1; Reflection X 2014 R1; Reflection for IBM 2014 R1; Reflection for UNIX and OpenVMS 2014 R1 | Fixed in version 15.6.0.660 * | 2502
Reflection for UNIX and OpenVMS 14.1 SP3; Reflection for IBM 14.1 SP3; Reflection for HP 14.1 SP3; Reflection X 14.1 SP3; Reflection Suite for X 14.1 SP3; Reflection for the Multi-Host Professional Edition 14.1 SP3; Reflection for the Multi-Host Standard Edition 14.1 SP3 | Fixed in Update 14.1.3.247 ** | 1708
* You can confirm that the Reflection 2014 update is installed by checking for version "15.6.660" in Control Panel > Programs > Programs and Features (or Control Panel > Add or Remove Programs).
** You can confirm that the Reflection 14.1.3.247 update is installed by checking for version "14.1.3247" in Control Panel > Programs > Programs and Features (or Control Panel > Add or Remove Programs).
Products Not Affected, but Include Reflection FTP Client
The following products are not themselves affected by the vulnerability, but they include the Reflection FTP Client (version 14.1 SP3 or 15.6), which is affected only when it makes a TLS 1.2 connection to a malicious server. The update listed in the Status column brings the bundled FTP Client to a fixed version.
Product and Version | Status | More Info (Technical Note)
Reflection for Secure IT Windows Client 7.2 SP3 (not affected itself; the bundled Reflection FTP Client is affected, but only when making a TLS 1.2 connection to a malicious server) | Fixed in Update 7.2.3222 | 2288
INFOConnect 9.2 (not affected itself; the bundled Reflection FTP Client is affected, but only when making a TLS 1.2 connection to a malicious server) | Fixed in version 9.2.0.1172 | 2546
EXTRA! X-treme 9.3 (not affected itself; the bundled Reflection FTP Client is affected, but only when making a TLS 1.2 connection to a malicious server) | Fixed in FTP Client Update 14.1.3.247 | 2501
Verastream Bridge Integrator (not affected itself; installations that include Reflection for Secure IT Windows Client 7.2 SP3 are affected because of that product's bundled Reflection FTP Client, again only when making a TLS 1.2 connection to a malicious server) | Fixed in SSH Update 7.2.3222 | 2288
For information about security updates and your product, see your product's security updates technical note available from https://support.microfocus.com/security/.
Products Not Affected
The following products are not affected by the Heartbleed vulnerability:
Product and Version | Status
Earlier versions of the products listed in Products Affected | Not affected
Reflection 2011 products, all versions | Not affected
Reflection for the Web 2014, 2011, or 2008, all versions | Not affected
Reflection Security Gateway 2014 or 2011, all versions | Not affected
Reflection for Secure IT Server for Windows, all versions | Not affected
Reflection for Secure IT UNIX Client and Server, all versions | Not affected
DATABridge, all versions | Not affected
Verastream Process Designer, all versions | Not affected
Verastream SDK for Unisys and Airlines, all versions | Not affected
FileXpress products; exception noted below * | Not affected *
* Some FileXpress Bundles include Reflection for Secure IT Web Edition 8.1, which is affected by the vulnerability. A hotfix is available upon request for Reflection for Secure IT Web Edition 8.1. Contact Attachmate Technical Support.
Attachmate Web Sites Not Affected
Attachmate web sites that support HTTPS connections are not and have never been subject to this vulnerability.
Additional Resources
For more details and the latest information on mitigations, see the following:
US-CERT Technical Alert: https://www.us-cert.gov/ncas/alerts/TA14-098A
CERT-CC Vulnerability Note VU#720951: http://www.kb.cert.org/vuls/id/720951
National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Subscribe to Updates
To receive updates for your product, you can subscribe to the RSS feeds available on the Attachmate support site. For details, see Technical Note 0203.