Does CVE-2014-0160, known as heartbleed, affect JBoss?


Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 5.x
    • 6.x
  • JBoss Enterprise Web Server (EWS)
    • 1.x
    • 2.x

Issue

  • Does CVE-2014-0160, known as heartbleed, affect JBoss?
  • Is JBoss vulnerable to CVE-2014-0160?
  • Are JBoss EAP 4.2 and JBoss BRMS 5.3 affected by CVE-2014-0160?
  • How do I verify the version of OpenSSL shipped with JBoss EAP and JBoss BRMS?

Resolution

  • By default, JBoss EAP uses Java's own implementation of SSL, not OpenSSL, so it is not vulnerable: heartbleed affects only OpenSSL 1.0.1 through 1.0.1f.
  • If native connectors are in use on RHEL, they use the OpenSSL library shipped with the RHEL operating system. On RHEL 6, OpenSSL will potentially need to be updated, as described in OpenSSL CVE-2014-0160 Heartbleed bug and Red Hat Enterprise Linux.
  • JBoss products may provide and use OpenSSL in native components distributed for operating systems other than RHEL, but those OpenSSL versions are not vulnerable. Please refer to this solution for details.
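The resolution above turns on two questions: whether the JVM is using a native OpenSSL at all (only native/APR connectors do; the default Java SSL implementation is not OpenSSL), and, if so, whether that OpenSSL is in the affected 1.0.1 through 1.0.1f range. The following POSIX shell helpers, added here as an example and not part of the Red Hat solution, answer both. They assume `lsof`, `openssl` and `rpm` are available on the host; the `JBOSS_PID` environment variable is a convention of this example, and the `lsof` and changelog lines used in the demo are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not Red Hat's solution text). Checks for CVE-2014-0160
# exposure of a JBoss host from a defender's side:
#   1. Is a native libssl mapped into the JVM? If not, Java's own SSL is
#      in use and OpenSSL's heartbleed cannot apply.
#   2. Is the OpenSSL version string in the affected range 1.0.1..1.0.1f?
#   3. On RHEL the fix is backported without changing the upstream version
#      (1.0.1e stays 1.0.1e), so the package changelog is the real answer.

# Return 0 if the version string names an OpenSSL release in the affected
# range 1.0.1 .. 1.0.1f, 1 otherwise. Accepts "openssl version" output
# such as "OpenSSL 1.0.1e-fips 11 Feb 2013" or a bare "1.0.1g".
heartbleed_version_range() {
    # Drop a leading "OpenSSL " and everything from the first "-" or
    # space onward (e.g. "-fips 11 Feb 2013"), leaving "1.0.1e".
    v=$(printf '%s' "$1" | sed -e 's/^OpenSSL *//' -e 's/[- ].*$//')
    case "$v" in
        1.0.1|1.0.1[a-f]) return 0 ;;  # affected releases
        *)                return 1 ;;  # 0.9.8*, 1.0.0*, 1.0.1g+, 1.0.2* unaffected
    esac
}

# Read rpm changelog text on stdin; return 0 if it records the fix.
# Live usage on RHEL: rpm -q --changelog openssl | changelog_mentions_fix
changelog_mentions_fix() {
    grep -q 'CVE-2014-0160'
}

# Read lsof-style lines on stdin; return 0 if a libssl shared object is
# mapped into the process. The path tells you whether it is the OS copy
# (/usr/lib64/...) or one bundled with the native connector.
# Live usage: lsof -p "$JBOSS_PID" | native_ssl_loaded
native_ssl_loaded() {
    grep -q '/libssl\.so'
}

# Tie the checks together against a running JBoss process id.
check_running_jboss() {
    pid=$1
    if lsof -p "$pid" 2>/dev/null | native_ssl_loaded; then
        echo "PID $pid has native libssl mapped; checking OS OpenSSL:"
        ver=$(openssl version 2>/dev/null || echo unknown)
        if heartbleed_version_range "$ver"; then
            if rpm -q --changelog openssl 2>/dev/null | changelog_mentions_fix; then
                echo "  $ver: affected range, but changelog records the CVE-2014-0160 fix (patched)"
            else
                echo "  $ver: affected range and no backported fix found; update openssl"
            fi
        else
            echo "  $ver: outside the affected range"
        fi
    else
        echo "PID $pid has no libssl mapped: Java SSL in use, CVE-2014-0160 does not apply"
    fi
}

# Offline demo on constructed data (not real lsof/rpm output).
demo() {
    sample_lsof='java 1234 jboss mem REG 8,1 /usr/lib64/libssl.so.1.0.1e'
    sample_changelog='* Mon Apr 07 2014 Example Packager - fix CVE-2014-0160 - information disclosure in TLS heartbeat extension'
    printf '%s\n' "$sample_lsof" | native_ssl_loaded && echo "demo: native libssl mapped"
    heartbleed_version_range 'OpenSSL 1.0.1e-fips 11 Feb 2013' && echo "demo: 1.0.1e is in the affected range"
    printf '%s\n' "$sample_changelog" | changelog_mentions_fix && echo "demo: changelog records the fix"
}

if [ -n "${JBOSS_PID:-}" ]; then
    check_running_jboss "$JBOSS_PID"
else
    demo
fi
```

Run it as `JBOSS_PID=$(pgrep -f jboss-modules | head -n1) sh check-heartbleed.sh` on a RHEL host to test a live process; without `JBOSS_PID` it only exercises the constructed demo data. The version-range test alone is not sufficient on RHEL, which is why the script consults the package changelog before concluding the host needs an update.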

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
