INETCO OpenSSL Heartbleed Statement – April 2014

Summary of OpenSSL Heartbleed Status:

INETCO Insight versions 4.8.3 – 5.4.2 incorporated a version of the OpenSSL package affected by CVE-2014-0160 (“TLS heartbeat read overrun bug”). We have updated our software and our support team will be reaching out to customers running the affected versions to offer assistance.

It is unlikely that a typical INETCO Insight deployment is vulnerable to attacks that exploit this OpenSSL Heartbleed bug, because our software is usually deployed across private networks, making it difficult for unauthenticated, remote attackers to access either the Event Processor or the Event Collector.

Recommended Actions:

If any component of INETCO Insight is accessible via the public Internet, you should upgrade immediately. This OpenSSL Heartbleed bug could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from clients or servers.

We also recommend that customers running INETCO Insight versions 4.8.3 to 5.4.2 upgrade as soon as is feasible. Upgrading keeps the deployment compliant with any scheduled or emergency security audits, which will flag the version of OpenSSL included in these versions of INETCO Insight.

INETCO Insight 5.4.3 is now available and it includes an updated version of OpenSSL. Customers can download the release and release notes from the support site.

If you are running INETCO Insight 4.8.2 or earlier, you are running an older version of OpenSSL that does not contain the CVE-2014-0160 vulnerability. You do not need to update at this point.

You can learn more about this vulnerability on the CERT website.

Please contact INETCO Support if you have any questions or concerns.