|Applies To||All Versions|
RSA Identity Management and Governance
|Issue||Several Internet websites provide information about the 'Heartbleed' vulnerability. This is a summary of one noted on Wikipedia: 'Heartbleed' is a security bug in the open-source OpenSSL cryptography library, which is widely used to implement the Internet's Transport Layer Security (TLS) protocol. Heartbleed results from improper input validation (due to a missing bounds check) in the implementation of the Transport Layer Security (TLS) heartbeat extension, the heartbeat being behind the bug's name. This vulnerability is classified as a buffer over-read. A fixed version of OpenSSL was released on April 7, 2014, at the same time as Heartbleed was publicly disclosed. At that time, only about 17% of the Internet's secure web servers certified by trusted authorities were believed to be vulnerable to the attack, allowing theft of the servers' private keys and users' session cookies and passwords.|
KB-1707 Does 'Heartbleed' impact Aveksa ACM / RSA IAM?
RSA is aware of this issue and working with Product Organizations to investigate the issue and identify the impact.
RSA has confirmed that RSA Aveksa ACM / IAM is not affected by this vulnerability.
Please refer to the attached document for a more complete listing of RSA products and their potential impact.
References to various sources of information related to this vulnerability:
OpenSSL versions 1.0.1 through 1.0.1f are indicated to be vulnerable to Heartbeat Vulnerability (CVE-2014-0160).
- For information: Red Hat update packages that remediate this vulnerability are labeled with version openssl-1.0.1e-16.el6_5.7
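The fixed Red Hat package named above still carries upstream version 1.0.1e, so a check on the upstream version alone misreports patched hosts. The following added example (not RSA or Red Hat tooling) classifies package strings using the two facts in this article. The function names, result labels and sample package strings are assumptions constructed for illustration, and the release comparison is a simplified form of RPM ordering.

```python
import re

# Facts taken from the article: upstream 1.0.1 through 1.0.1f are affected;
# the Red Hat build that remediates is openssl-1.0.1e-16.el6_5.7.
FIXED_RHEL6_VERSION = "1.0.1e"
FIXED_RHEL6_RELEASE = "16.el6_5.7"

def upstream_vulnerable(version):
    """True for upstream OpenSSL 1.0.1 through 1.0.1f."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) <= "f"

def _segments(release):
    # Numeric and alphabetic runs; separators are ignored (simplified RPM rule).
    return [int(s) if s.isdigit() else s
            for s in re.findall(r"\d+|[A-Za-z]+", release)]

def release_cmp(a, b):
    """Return -1, 0 or 1 for release a older than, equal to, newer than b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1  # numeric outranks alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def classify(pkg):
    """Classify 'openssl-<version>[-<release>]' (no architecture suffix)."""
    m = re.fullmatch(r"openssl-([0-9][^-]*)(?:-(.+))?", pkg)
    if not m:
        return "unrecognized"
    version, release = m.groups()
    if not upstream_vulnerable(version):
        return "not in affected range"
    if release is None:
        return "vulnerable"  # plain upstream build inside the affected range
    if version == FIXED_RHEL6_VERSION and ".el6" in release:
        patched = release_cmp(release, FIXED_RHEL6_RELEASE) >= 0
        return "patched (backport)" if patched else "vulnerable"
    return "check vendor advisory"  # other vendor builds may carry backports

if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real host.
    for pkg in ["openssl-1.0.1e-15.el6", "openssl-1.0.1e-16.el6_5.7",
                "openssl-1.0.1f", "openssl-1.0.1g",
                "openssl-1.0.1e-2.example1"]:
        print(f"{pkg:32} {classify(pkg)}")
```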
|Notes||Does 'Heartbleed' impact Aveksa ACM / RSA IAM?|
|Legacy Article ID||a66706|