PortalGuard and Heartbleed


Tags: security, ssl, openssl

Problem Definition

Does Heartbleed affect PortalGuard? If so, what has been done to rectify the issue?


Solution

The Heartbleed bug is a flaw in OpenSSL's implementation of the TLS/DTLS heartbeat extension. OpenSSL is a library widely used to encrypt web traffic between clients and servers (e.g. HTTPS). Only OpenSSL versions 1.0.1 through 1.0.1f are vulnerable.

This vulnerability does *not* impact any versions of PistolStar’s PortalGuard product.

Microsoft IIS is the only web server on which PortalGuard can run. IIS has always used Microsoft’s proprietary SSL/TLS implementation for negotiating any HTTPS sessions with client browsers. Thus, HTTPS sessions handled by IIS directly are not affected by this OpenSSL bug.

NOTE: If you currently have a reverse proxy or load balancer in front of PortalGuard that is handling/terminating HTTPS traffic, then PistolStar strongly urges you to contact the corresponding vendor to determine their exposure to the Heartbleed bug.

For more information about the Heartbleed vulnerability, please see the following resources:

http://www.us-cert.gov/ncas/alerts/TA14-098A

http://heartbleed.com/

http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/

Here are details about PortalGuard’s use of OpenSSL:

• PortalGuard has always standardized on the 0.9.8 OpenSSL branch. This branch is not affected by the Heartbleed bug in any way and we do not anticipate moving to a new branch at this time.

• PortalGuard uses OpenSSL only for the following purposes:

  ◦ AES-256 encryption implementation

  ◦ MD5, SHA-1, SHA-256, SHA-384, SHA-512 hash implementations

  ◦ RSA digital signatures of outgoing SAML responses
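The NOTE above asks you to establish the exposure of any reverse proxy or load balancer in front of PortalGuard. As an added example (not code from PistolStar or the PortalGuard product), the following classifies an `openssl version` banner against the range named above, 1.0.1 through 1.0.1f, and flags pre-release builds for manual review; the banner strings are constructed samples.

```python
import re

# Added example, not part of the PistolStar page: first-pass triage of an
# OpenSSL version banner against the Heartbleed range (1.0.1 through 1.0.1f).
# Caveat: distribution packages often backport the fix while keeping the old
# version string, so a "vulnerable" result is a prompt to confirm with the
# vendor, exactly as the NOTE above recommends; it is not a final verdict.

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips ...",
# "OpenSSL 1.0.2-beta1 ...". Groups: major, minor, fix, patch letters, suffix.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[a-z0-9]+)?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letters, suffix) or None if not an OpenSSL banner."""
    m = _BANNER.search(banner)
    if not m:
        return None
    major, minor, fix, letters, suffix = m.groups()
    return (int(major), int(minor), int(fix), letters, suffix or "")


def heartbleed_status(banner):
    """Classify a banner as 'vulnerable', 'not-vulnerable' or 'unknown'.

    1.0.1 (no letter) through 1.0.1f ship the buggy heartbeat code; 1.0.1g
    and later fixed it. The 0.9.8 and 1.0.0 branches never contained the
    heartbeat extension. Pre-release builds (e.g. 1.0.2-beta1) are reported
    as 'unknown' so they get a manual check rather than a false all-clear.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"          # LibreSSL, BoringSSL, or an unparseable string
    major, minor, fix, letters, suffix = v
    if suffix.startswith(("-beta", "-pre")):
        return "unknown"
    if (major, minor, fix) != (1, 0, 1):
        return "not-vulnerable"
    # Patch letters sort alphabetically: "" < "a" < ... < "f" < "g".
    return "vulnerable" if letters <= "f" else "not-vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, as returned by `openssl version`.
    for sample in ("OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1e-fips 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014"):
        print(f"{sample!r:40} -> {heartbleed_status(sample)}")
```

The `-fips` sample shows the caveat in practice: a vendor build with that banner may already carry a backported fix, which only the vendor can confirm.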

Page last modified on February 11, 2016, at 04:31 PM