Heartbleed OpenSSL vulnerability and eDirectory

This document (7014961) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ eDirectory 8.8 SP8
NetIQ eDirectory 8.8 SP7
NetIQ iManager 2.7 SP7
NetIQ iManager 2.7 SP6
NetIQ International Cryptographic Infrastructure (NICI)
NetIQ Modular Authentication Service (NMAS)
NetIQ Certificate Server (PKIS)

Situation

Recently the Heartbleed vulnerability, also known as CVE-2014-0160, was discovered in OpenSSL 1.0.1.  A missing bounds check within a new TLS heartbeat extension could allow attackers to view a random 64KB of memory.  The concern is that this 64KB of data could hold passwords or the private key of a server's SSL service.  This was fixed in version 1.0.1g of OpenSSL the same day the bug was made public.
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable

What is the exposure of eDirectory, iManager and NMAS to this bug?

Resolution

The good news is that eDirectory services and utilities are not affected by this vulnerability, as they use an earlier version of OpenSSL.

  • NTLS - eDirectory lays down and consumes OpenSSL from NTLS. The version of OpenSSL in our latest versions of NTLS (887 & 888) has not changed in 2 years; it is version 0.9.d, which does not contain the vulnerability.
  • IDM (including Designer & Analyzer) consumes OpenSSL 0.9.8, so it is also clear.
  • iMgr - uses JSSE from Java as the underlying SSL library, so there is no impact here either.
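
To confirm the versions above on your own servers, the following added example (not NetIQ or OpenSSL project code) classifies `openssl version` style banners against the version list in the Situation section, treating 1.0.1 through 1.0.1f as affected. The host names and banners in the inventory are constructed, and a version string that cannot be parsed is reported as "unknown" rather than guessed.

```python
import re

# Version token in an `openssl version` banner, e.g.
# "OpenSSL 1.0.1e-fips 11 Feb 2013" -> 1, 0, 1, "e", "-fips"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(-[A-Za-z0-9]+)?")

def parse_openssl_version(banner):
    """Return ((major, minor, fix), patch_letters, tag), or None if unparsable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    return branch, m.group(4), (m.group(5) or "")

def heartbleed_status(banner):
    """Classify a banner as 'affected', 'not affected' or 'unknown'."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"              # incomplete string: check the binary itself
    branch, patch, tag = parsed
    if any(marker in tag for marker in ("beta", "pre", "dev")):
        return "unknown"              # pre-release builds are not covered here
    if branch < (1, 0, 1):
        return "not affected"         # 0.9.8 and 1.0.0 branches predate the bug
    if branch == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix
        return "affected" if patch < "g" else "not affected"
    return "not affected"             # released branches after 1.0.1 include the fix

# Constructed sample inventory (host names and banners are illustrative only).
SAMPLE_INVENTORY = {
    "edir-01": "OpenSSL 0.9.8j-fips 07 Jan 2009",
    "idm-01": "OpenSSL 1.0.0k 5 Feb 2013",
    "web-01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-01": "OpenSSL 0.9.d",      # incomplete version string
}

def triage(inventory):
    """Map each host to its Heartbleed status."""
    return {host: heartbleed_status(banner) for host, banner in inventory.items()}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:10} {status}")
```

Distribution packages can carry the fix under an unchanged upstream version string, so an "affected" result on a vendor-patched system should be checked against the package changelog before acting on it.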

 

Other products and their exposure to this vulnerability:

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7014961
  • Creation Date: 24-APR-14
  • Modified Date: 27-MAY-15
    • Novell: NMAS (Modular Authentication Service), PKIS (Certificate Server)
    • NetIQ: eDirectory, iManager, NICI
