What is Heartbleed?
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is an implementation of the SSL/TLS encryption protocol used to protect the privacy of Internet communications. OpenSSL is used by many websites and other applications such as email, instant messaging, and VPNs.
Heartbleed can allow an attacker to read the memory of systems using certain versions of OpenSSL, potentially exposing usernames, passwords, or even the secret keys of the server. Obtaining these keys can allow malicious users to observe all communications on that system, enabling further exploitation.
Who is impacted by Heartbleed?
Given that this vulnerability has existed for at least two years, an organization that has deployed servers running OpenSSL versions 1.0.1 through 1.0.1f in that period is likely vulnerable to the Heartbleed Bug and should take immediate steps to remediate.
While there are some initial reports of attacks based on the Heartbleed vulnerability, these reports are preliminary, and it should be noted that it is very difficult to determine whether this attack has occurred in the past. Accordingly, even if an organization is not currently vulnerable, it may have been in the past, and it should therefore take immediate steps to remediate if it has deployed the vulnerable OpenSSL versions.
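As an added illustration (not part of the Trend Micro KB), the Python helper below applies the affected range stated above, OpenSSL 1.0.1 through 1.0.1f, to version strings gathered from an inventory; the sample inputs are constructed.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Affected range stated in the advisory: OpenSSL 1.0.1 through 1.0.1f
# (CVE-2014-0160). 1.0.1g closed the hole; other branches are out of range.
AFFECTED_BRANCH = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# Matches 'OpenSSL 1.0.1e 11 Feb 2013' as well as a bare '1.0.1g'.
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)\b", re.IGNORECASE)


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, fix, letter) or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter.lower()


def is_heartbleed_affected_version(text: str) -> Optional[bool]:
    """True if the version is within 1.0.1 .. 1.0.1f, False if outside it,
    None if unparseable. Treat True as a triage signal, not proof: vendor
    builds sometimes backport the fix without changing the version string."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return None
    major, minor, fix, letter = parsed
    if (major, minor, fix) != AFFECTED_BRANCH:
        return False
    # An empty letter is the base 1.0.1 release, which is also affected.
    return letter <= LAST_AFFECTED_LETTER


def triage(version_lines: Iterable[str]) -> Dict[str, str]:
    """Label each inventory line as affected / not affected / unknown."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {line: labels[is_heartbleed_affected_version(line)] for line in version_lines}


if __name__ == "__main__":
    # Constructed sample inventory lines, not output from real hosts.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",  # the build the advisory names for EAC 1.0
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 1.0.1",
        "no version string here",
    ]
    for line, verdict in triage(samples).items():
        print(f"{line!r}: {verdict}")
```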
What products may be affected?
Trend Micro has identified that the Apache Tomcat web server package in EAC 1.0 contains OpenSSL 1.0.1e, which is affected by the CVE-2014-0160 vulnerability.
A complete list of affected Trend Micro products can be found here. Visit this KB regularly, as the list is continually being updated with information and solutions as they become available.
What is the recommended action for EAC 1.0 users?
Download and apply Critical Patch 1189 for EAC 1.0. This patch addresses the CVE-2014-0160 vulnerability. Future releases of EAC will include this critical patch.
Customers who have trouble obtaining the solutions, or who have any questions or issues, are advised to contact their authorized Trend Micro support representative for further assistance.