Uniface and the heartbleed bug – action could be required
Author: michael.rabone@uniface.com (Michael Rabone)
The Heartbleed Bug has had some publicity over the last week or so. http://heartbleed.com/ Uniface DOES use the OpenSSL cryptographic software library, and this means that customers apps could be vulnerable. Customers should know if they are using SSL with Uniface, but typically if you are using Uniface with web services or on the web, then you are using SSL. If you need help to determine, please contact support. To eliminate any risk, we are reissuing the last patches made available on Uniface 9.5 and Uniface 9.6 and they will end with the letter ‘s’ (for security). Uniface 9.5 is patch e123s Uniface 9.6 is patch x402s These patches are planned to be available from Wednesday 16th April 2014. Under the hood: We have recompiled the SSL software with an option which closes the heartbleed vulnerability. (-DOPENSSL_NO_HEARTBEATS). With effect from Uniface 9.6.05/MX04 (May 2014) and E124 (Uniface 9.5) we will use OpenSSL version 10.01g which is not vulnerable to the heartbleed bug. Older versions of Uniface are not impacted because they use an older version of OpenSSL which is not vulnerable to the heartbleed bug. Other technologies: Be aware that other technologies used to deploy Uniface applications could also be effect, and we advise customers to check these with the corresponding vendors. Tomcat: In the case of Tomcat, the version that is shipped with Uniface 9.6 is Tomcat 7.0.26, which is not vulnerable to the heartbleed bug, but if you have changed version, please check with Tomcat. Uniface JTi: Supported versions of Uniface JTi are confirmed as not being vulnerable to the heartbleed bug. Redhat Linux: Redhat are shipping patches based on Redhat 6.5. At this time, the most current version of Redhat that we have verified Uniface 9.6 against is Redhat 6.4. We have verified Uniface 9.6.05 (planned for May) against Redhat 6.5. We are aware that customers have deployed older Uniface 9.6 maintenance levels on Redhat 6.5 successfully. Based on this feedback, and our own verification of the Uniface 9.6.05 and Redhat 6.5 combination, we do not expect issues if customers use Redhat maintenance planned to address the heartbleed bug.