Environment
NetIQ eDirectory 8.8 SP8
NetIQ eDirectory 8.8 SP7
NetIQ iManager 2.7 SP7
NetIQ iManager 2.7 SP6
NetIQ International Cryptographic Infrastructure (NICI)
NetIQ Modular Authentication Service (NMAS)
NetIQ Certificate Server (PKIS)
Situation
Recently the Heartbleed vulnerability, also known as CVE-2014-0160, was discovered in OpenSSL 1.0.1. A missing bounds check in the TLS heartbeat extension (new in the 1.0.1 branch) lets an attacker read up to 64KB of the peer's process memory per heartbeat request, and the request can be repeated as often as the attacker likes. The concern is that this memory can hold session data, passwords or the private key of a server's SSL service. The bug was fixed in OpenSSL 1.0.1g, released the same day the bug was made public.
- OpenSSL 1.0.1 through 1.0.1f ARE vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
What is the exposure of eDirectory, iManager and NMAS to this bug?
Resolution
The good news is that eDirectory services and utilities are not affected by this vulnerability, because they use an earlier OpenSSL branch (0.9.8) that never contained the heartbeat extension.
- NTLS: eDirectory lays down and consumes OpenSSL from NTLS. The OpenSSL in our latest versions of NTLS (887 & 888, the builds shipped with eDirectory 8.8 SP7 and SP8) has not changed in two years and is a 0.9.8 release, which does not contain the vulnerable heartbeat code.
- IDM (including Designer & Analyzer): consumes OpenSSL 0.9.8, so it is also clear.
- iMgr (iManager): uses JSSE from Java as its underlying SSL/TLS library rather than OpenSSL, so there is no impact here either.
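The check a practitioner will want before closing this out is to confirm which OpenSSL a given installation actually carries, rather than trusting the version list above. The script below is an added example and is not part of the NetIQ article or any NetIQ product: it pulls the "OpenSSL x.y.z" banner that libssl/libcrypto (and statically linked binaries) compile in, and classifies it against the CVE-2014-0160 affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1). Any directory path you pass to it, such as the location of the NTLS libraries on your server, is an assumption you supply; the two "libraries" built by demo_scan are constructed sample files, not real NetIQ binaries.

```shell
#!/bin/sh
# Added example (not from the NetIQ article): find the OpenSSL version banner
# compiled into a product's libraries or binaries and classify it against the
# Heartbleed (CVE-2014-0160) affected range. Library paths are assumptions;
# pass the directory your installation actually uses.

# heartbleed_status VERSION -> "vulnerable", "not vulnerable" or "unknown".
# Affected: 1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1.
# The 0.9.8 and 1.0.0 branches never had the heartbeat extension; 1.0.1g and
# later carry the fix. Note a "-fips" or similar suffix does not change this.
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo "vulnerable" ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*|0.9.*|1.0.0*)    echo "not vulnerable" ;;
        *)                                           echo "unknown" ;;
    esac
}

# openssl_versions_in FILE -> one version per line, as embedded in FILE.
# tr turns every non-printable byte into a newline, which is enough of a
# "strings" substitute to pull a banner such as "OpenSSL 1.0.1e 11 Feb 2013"
# out of a stripped libssl/libcrypto or a statically linked executable.
openssl_versions_in() {
    tr -c '[:print:]\n' '\n' < "$1" \
        | sed -n 's/.*OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p' \
        | sort -u
}

# scan_openssl PATH... -> "file<TAB>version<TAB>status" for every OpenSSL
# banner found. Directories are searched for shared objects (*.so, *.so.*).
scan_openssl() {
    for p in "$@"; do
        if [ -d "$p" ]; then
            find "$p" -type f \( -name '*.so' -o -name '*.so.*' \) | while read -r f; do
                scan_openssl "$f"
            done
        elif [ -f "$p" ]; then
            openssl_versions_in "$p" | while read -r v; do
                printf '%s\t%s\t%s\n' "$p" "$v" "$(heartbleed_status "$v")"
            done
        fi
    done
}

# demo_scan -> scans two constructed fake libraries (NOT real NetIQ files),
# prints the report, and returns 1 if any file is vulnerable, else 0.
demo_scan() {
    d=$(mktemp -d)
    # Constructed sample: the kind of banner a 0.9.8 libcrypto (as in NTLS) embeds.
    printf 'junk\0\0OpenSSL 0.9.8y 5 Feb 2013\0more' > "$d/libcrypto.so.0.9.8"
    # Constructed sample: a vulnerable 1.0.1 build, for contrast.
    printf '\0OpenSSL 1.0.1e 11 Feb 2013\0' > "$d/libssl.so.1.0.1"
    report=$(scan_openssl "$d")
    printf '%s\n' "$report"
    rm -rf "$d"
    if printf '%s\n' "$report" | cut -f3 | grep -qx 'vulnerable'; then
        return 1
    fi
    return 0
}

# Real use (path is an assumption): scan_openssl /path/to/ntls/lib
```

Run it against the directory that holds the NTLS libraries and against the eDirectory binaries themselves, since a statically linked executable would not show up in a library-only scan. Two caveats: the version banner is a string constant, so a distribution build that backported the fix into 1.0.1e without renaming it will still be reported as vulnerable, and conversely a banner proves only what is on disk, not which library a running process has mapped; pair the result with `ldd` on the daemon or with the process's memory maps when in doubt.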
Other products and their exposure to this vulnerability:
- OES\SLES: consume OpenSSL 0.9.8, so are unaffected.
- Sentinel and the platform agents: use OpenSSL 0.9.8, so are unaffected.
- Operations Center: NOC: Not affected by OpenSSL HeartBleed Bug (7014895)
- Access Manager: Heartbleed openssl vulnerability and NAM (7014878)
- Self Service Password Reset: Heartbleed openssl vulnerability and SSPR (7014929)