A customer has a concern about the Heartbleed SSL vulnerability that is all over the news. Does this impact the Laserfiche application? If so, are there any updates to the software that need to be applied to address the vulnerability?
Question
Heartbleed SSL Vulnerability
Answer
This only applies to applications that use OpenSSL 1.0.1 a~f. Laserfiche does not use OpenSSL in its products. Any custom applications you have that run on web servers that may be affected will need to be reviewed separately.
Replies
Miruna's answer is correct that 99.9% of installations of our web applications are not affected by this since IIS uses a different library. However, if a customer is doing SSL-encrypted load balancing across several Web Access (or Forms, Mobile, WebLink, etc.) servers, they would likely have the load balancer handle the SSL operations, and proxy plain HTTP to the IIS server hosting the application. In this situation it's a possibility for the load balancer to use OpenSSL and be potentially vulnerable.
I've worked with one customer who had a setup like this, and I'd be surprised if there weren't a few others out there.
Thanks for the additional information, Brian.
What about Clients that have their Laserfiche Server in the Cloud (at a remote Data Center) and use either the Server's Public IP address or DNS name for the Laserfiche Client to connect? Can they be affected by this vulnerability?
Vulnerability depends on the specifics of the device that terminates the SSL connection. In this case, the desktop client is communicating directly with the Windows machine hosting the Laserfiche server. So no, that setup does not have this vulnerability.
Thanks Miruna, I'll pass this along to our client.
Cathy
Miruna, they do have WebLink so that students can access their records. Would this impact their WebLink? Just wanted to make sure I covered everything.
Thanks,
Cathy
No, the LF web products are hosted on IIS, which does not use OpenSSL.
Great, thanks again Miruna for your help and quick response!
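The replies above turn on which device terminates the SSL connection and whether that device runs an OpenSSL 1.0.1 a~f build. As an added example (not part of the thread and not Laserfiche code), this Python sketch sorts an inventory of terminating devices by the library version each one reports. The hostnames, device labels and version banners are constructed sample data, and the unlettered 1.0.1 release is treated as in range as well.

```python
import re

# Matches "OpenSSL 1.0.1e 11 Feb 2013" (the `openssl version` format) or
# "OpenSSL/1.0.1g" inside a server banner. Group 5 catches build suffixes
# such as "-fips" or "-beta1".
_OPENSSL = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)(-\w+)?",
                      re.IGNORECASE)

# Letters from the thread ("1.0.1 a~f"), plus "" for the unlettered 1.0.1.
_IN_RANGE_LETTERS = ("", "a", "b", "c", "d", "e", "f")

def classify(banner):
    """Return "not-openssl", "in-range", "review" or "out-of-range"."""
    m = _OPENSSL.search(banner)
    if m is None:
        return "not-openssl"      # e.g. IIS, which uses a different library
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4).lower(), m.group(5)
    if suffix:
        # Pre-release or vendor build: the letter alone does not settle it,
        # so a person has to check the vendor's advisory for that build.
        return "review"
    if release == (1, 0, 1) and letter in _IN_RANGE_LETTERS:
        return "in-range"
    return "out-of-range"

def terminators_to_review(inventory):
    """inventory: iterable of (endpoint, terminating_device, banner).

    Returns the entries whose SSL terminator needs a closer look.
    """
    flagged = []
    for endpoint, device, banner in inventory:
        status = classify(banner)
        if status in ("in-range", "review"):
            flagged.append((endpoint, device, status))
    return flagged

# Constructed inventory: what answers the SSL handshake for each public name.
INVENTORY = [
    ("webaccess.example.com", "load balancer", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("forms.example.com", "load balancer", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("weblink.example.com", "IIS on the app server", "Microsoft-IIS/7.5"),
    ("mobile.example.com", "reverse proxy", "OpenSSL 1.0.1e-fips 11 Feb 2013"),
]

if __name__ == "__main__":
    for row in terminators_to_review(INVENTORY):
        print(row)
```

An "in-range" result means the device needs review rather than proving it is exploitable, because vendor builds can carry a fix without changing the version letter.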