I am sure that many of you by now heard or read about the Heartbleed bug that has been in the IT news for a few days now. The Heartbleed bug is a serious vulnerability in the OpenSSL cryptographic software library. This is a very popular used network software that many companies and services on the internet use for encrypting their services. Websites & online services such as Facebook, Tumblr, Google, Yahoo, Gmail, Yahoo mail, Amazon web services, GoDaddy and many more use the affected OpenSSL version and therefore are sensitive for this bug.
Luckily it seems that the bug was discovered by security teams before malicious hackers were able to exploit this but the consensus remains that you need to change your password as soon as possible with all online services as a precautionary measure. At the time of writing, many of the major companies have already updated their platforms to fix the bug and are now advising their customers to change their password.
Are all webservers affected?
Yes and no… The Heartbleed bug is present in the OpenSSL implementation of SSL and TLS. Typically you will see this open-source implementation running on servers with Apache and nginx. Microsoft’s IIS webserver is not using OpenSSL by default but uses its own Secure Channel implementation which is not affected by this bug.
However, some software applications can be ported from Linux or appliance versions to a Windows version on IIS and therefore could still use OpenSSL. In case of doubt, always check with your software vendor.
Are only web services affected?
No. A lot of attention goes to major websites that are affected but OpenSSL can be a part of many applications. VMware has released two knowledge base articles where they state which versions of their software is affected. ESXi 5.5, vCenter Server 5.5, VMware Fusion 6.0.x and many more are amongst the products using OpenSSL 1.0.1 and are affected by this vulnerability.
If you are using VMware or one of its affiliated products then make sure to check out their two KB’s for follow-up
Microsoft Azure has confirmed that their services are not affected but if you are running Linux images on their cloud you might be affected after all. Even if you are running Linux images on Hyper-V in your own datacenter and expose those to the internet you could be affected.
What about Veeam Software’s products?
Veeam Software products are NOT vulnerable to the Heartbleed bug.
Veeam Backup & Replication
Veeam Backup & Replication is running on Windows servers and can be patched using standard MS patching procedures & best practices. While in this case Microsoft is not harmed by this specific bug, running a data protection solution on software that is regularly updated and patched against security risks is a best practices and is much less likely to become compromised compared to closed solutions such as appliances. Veeam therefore always recommends to apply Microsoft best practices around Microsoft patching in your data center.
Our appliances in Veeam Backup & Replication
Although our product is running on a Windows server operating system, we do have two helper appliances. One is used to do file-level recovery in Linux and the other one is used for our virtual lab technology. We can confirm that neither of them are running SSL servers of affected versions and therefore are not affected.
Websites that are used within our product range such as the Veeam Backup Enterprise Manager management website, 1-click restore, Veeam One, Veeam Virtualization Extensions Web UI and others are running on top of IIS and using Microsoft’s Secure Channel implementation and therefore are not affected by Heartbleed.
Heartbleed website: http://heartbleed.com/