Patch for OpenSSL Heartbeat Bug
Last modified on 08 April 2014 11:05 AM

A major vulnerability, CVE-2014-0160, has been discovered in the TLS heartbeat extension of the open-source OpenSSL library. It allows attackers to obtain server private keys and thus decrypt sensitive data in SSL communication between the server and end users. IceWarp 11.0.0 for Windows and possibly all IceWarp Linux distributions are affected and can be vulnerable unless patched with the newly released OpenSSL 1.0.1g.

Related OpenSSL security advisory:
https://www.openssl.org/news/secadv_20140407.txt

For detailed information see:
http://heartbleed.com

Online test for vulnerability (see also FAQ/status):
http://filippo.io/Heartbleed/

IceWarp customers should immediately apply the patch to their systems as follows.

IceWarp for Windows 11.0.0 32-bit

Please download the latest version of IceWarp "11.0.0 build 3" from 8th April 2014 (or newer) from http://www.icewarp.com/downloads/public/ and install this version over your current installation.

Or download and apply the patch from http://www.icewarp.com/download/patches/openssl/2014/icewarp32.zip

IceWarp for Windows 11.0.0 64-bit

Please download the latest version of IceWarp "11.0.0 build 3" from 8th April 2014 (or newer) from http://www.icewarp.com/downloads/public/ and install this version over your current installation.

Or download and apply the patch from http://www.icewarp.com/download/patches/openssl/2014/icewarp64.zip

IceWarp for Windows 10.4.5 (and older)

These versions are NOT affected (OpenSSL 0.9.8 branch is not vulnerable).

IceWarp for Linux (all versions)

On Linux, IceWarp uses the system's own OpenSSL libraries. Ensure that OpenSSL in your operating system is updated to the latest version (already available in all distributions).
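To triage hosts, the banner printed by "openssl version" can be classified against the affected range. The Python below is an added example, not IceWarp's or OpenSSL's code; the range 1.0.1 through 1.0.1f (plus 1.0.2-beta and 1.0.2-beta1) is taken from the OpenSSL advisory linked above, and the function name and sample banners are constructed for illustration.

```python
import re
import ssl

# Affected releases per the OpenSSL advisory for CVE-2014-0160:
# 1.0.1 through 1.0.1f, and 1.0.2-beta / 1.0.2-beta1. Fixed in 1.0.1g.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*))?", re.I)


def classify(banner):
    """Classify an `openssl version` banner against CVE-2014-0160.

    Returns 'in-affected-range', 'not-affected' or 'unknown'.
    (Hypothetical helper written for this example.)
    """
    m = _BANNER.search(banner)
    if not m:
        return "unknown"  # not an OpenSSL banner (e.g. another TLS library)
    release = tuple(int(g) for g in m.group(1, 2, 3))
    letter = (m.group(4) or "").lower()   # patch letter, '' for the base release
    beta = (m.group(5) or "").lower()     # 'beta', 'beta1', ... or ''
    if release == (1, 0, 1):
        if beta:
            return "unknown"  # 1.0.1 pre-releases are not covered by this example
        return "in-affected-range" if letter <= "f" else "not-affected"
    if release == (1, 0, 2) and beta in ("beta", "beta1"):
        return "in-affected-range"
    # 0.9.8, 1.0.0, 1.0.2-beta2 and later releases fall through here.
    return "not-affected"


if __name__ == "__main__":
    # Constructed sample banners, in the format `openssl version` prints.
    samples = [
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
    ]
    for banner in samples:
        print(f"{banner!r}: {classify(banner)}")
    # The OpenSSL build this Python interpreter is linked against.
    print(f"{ssl.OPENSSL_VERSION!r}: {classify(ssl.OPENSSL_VERSION)}")
```

A result of in-affected-range on a distribution package is not conclusive: distributions commonly backport the fix without changing the upstream version string, so confirm against the package's security changelog.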

 

Installing the patch for Windows

1. Download the patch (32-bit or 64-bit version) from the link above.

2. Stop all IceWarp services.

3. Extract the DLL files and copy them to the root folder of your IceWarp installation.

4. Start all IceWarp services.

 

Regenerating SSL Certificates

There is a theoretical possibility that the server's private key could have been read by an attacker. Customers who were vulnerable should therefore replace their server SSL certificate. If you are using a self-signed certificate, just generate a new one in console - Certificates - Create CSR/Certificate and set it as the default one. If you have a CA-issued certificate, please contact your CA; most offer a free replacement. If you have an IceWarp CA-issued certificate (paid for), please contact licensing@icewarp.com and we will issue a free replacement with the same validity.

 

Instructions for non-IceWarp users

Until the OpenSSL libraries are updated in other Windows programs, IceWarp provides a patched version of the OpenSSL 1.0.1g library for Windows (libeay32.dll, ssleay32.dll) to the general public as a courtesy to all internet users:
