Do I need to be worried about the SSL Heartbleed vulnerability?

I am sure that many of you have by now heard or read about the Heartbleed bug, which has been in the IT news for a few days. The Heartbleed bug is a serious vulnerability in the OpenSSL cryptographic software library. OpenSSL is a very widely used network library that many companies and services on the internet rely on to encrypt their services. Websites and online services such as Facebook, Tumblr, Google, Yahoo, Gmail, Yahoo Mail, Amazon Web Services, GoDaddy and many more use the affected OpenSSL version and are therefore vulnerable to this bug.

Luckily it seems that the bug was discovered by security teams before malicious hackers were able to exploit this but the consensus remains that you need to change your password as soon as possible with all online services as a precautionary measure. At the time of writing, many of the major companies have already updated their platforms to fix the bug and are now advising their customers to change their password.

Are all webservers affected?

Yes and no… The Heartbleed bug is present in the OpenSSL implementation of SSL and TLS. Typically you will see this open-source implementation running on servers with Apache and nginx. Microsoft’s IIS webserver is not using OpenSSL by default but uses its own Secure Channel implementation which is not affected by this bug.

However, some software applications can be ported from Linux or appliance versions to a Windows version on IIS and therefore could still use OpenSSL. In case of doubt, always check with your software vendor.

Are only web services affected?

No. A lot of attention goes to the major websites that are affected, but OpenSSL can be part of many applications. VMware has released two knowledge base articles in which they state which versions of their software are affected. ESXi 5.5, vCenter Server 5.5, VMware Fusion 6.0.x and many more are amongst the products that use OpenSSL 1.0.1 and are affected by this vulnerability.

If you are using VMware or one of its affiliated products, make sure to check out their two KB articles for follow-up.

Microsoft Azure has confirmed that their services are not affected but if you are running Linux images on their cloud you might be affected after all. Even if you are running Linux images on Hyper-V in your own datacenter and expose those to the internet you could be affected.
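
For the Linux images mentioned above, a first check is the version string that the system's `openssl` binary reports. The following shell function is an added example, not part of the original post; it assumes the affected range given in the OpenSSL advisory (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) and the `-DOPENSSL_NO_HEARTBEATS` build flag, and the sample outputs are constructed.

```sh
#!/bin/sh
# Added example: classify the text printed by `openssl version -a`.
# Affected range (assumption, from the OpenSSL advisory, not this post):
# 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and later are fixed.

classify_openssl() {
    # $1: full output of `openssl version -a`
    oc_text=$1
    # First field of the banner line is "OpenSSL", second is the version.
    oc_ver=$(printf '%s\n' "$oc_text" | awk '$1=="OpenSSL" {print $2; exit}')
    if [ -z "$oc_ver" ]; then
        echo "unknown"; return 0
    fi
    # Builds compiled with this flag contain no heartbeat code at all.
    if printf '%s\n' "$oc_text" | grep -qF -e '-DOPENSSL_NO_HEARTBEATS'; then
        echo "heartbeat-disabled"; return 0
    fi
    if [ "$oc_ver" = "1.0.2-beta1" ]; then
        echo "affected-range"; return 0
    fi
    # Drop vendor suffixes such as "-fips" before comparing.
    case "${oc_ver%%-*}" in
        1.0.1|1.0.1[abcdef]) echo "affected-range" ;;
        1.0.1?*)             echo "fixed-release" ;;
        *)                   echo "other-branch" ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_OLD='OpenSSL 1.0.1e-fips 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'
SAMPLE_NOHB='OpenSSL 1.0.1e 11 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O2'
SAMPLE_098='OpenSSL 0.9.8y 5 Feb 2013
compiler: gcc -fPIC -DOPENSSL_PIC -O2'

for s in "$SAMPLE_OLD" "$SAMPLE_FIXED" "$SAMPLE_NOHB" "$SAMPLE_098"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(classify_openssl "$s")"
done

# On a real host: classify_openssl "$(openssl version -a)"
```

An `affected-range` result needs confirming against the distribution's package changelog, because distributions backport the fix without changing the version string. The check also says nothing about private OpenSSL copies bundled inside applications.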

What about Veeam Software's products?

Veeam Software products are NOT vulnerable to the Heartbleed bug.

Veeam Backup & Replication

Veeam Backup & Replication runs on Windows servers and can be patched using standard Microsoft patching procedures and best practices. While in this case Microsoft is not affected by this specific bug, running a data protection solution on software that is regularly updated and patched against security risks is a best practice, and such a solution is much less likely to become compromised than closed solutions such as appliances. Veeam therefore always recommends applying Microsoft's patching best practices in your data center.

Our appliances in Veeam Backup & Replication

Although our product runs on a Windows server operating system, we do have two helper appliances. One is used for file-level recovery in Linux and the other is used for our virtual lab technology. We can confirm that neither of them is running an SSL server of an affected version, and therefore they are not affected.


Websites that are used within our product range such as the Veeam Backup Enterprise Manager management website, 1-click restore, Veeam One, Veeam Virtualization Extensions Web UI and others are running on top of IIS and using Microsoft’s Secure Channel implementation and therefore are not affected by Heartbleed.

Additional information

Heartbleed website:

Doug Hazelman (VMDoug)

Doug Hazelman is Vice President, Product Strategy, Chief Evangelist. Doug consults with customers, partners and industry analysts on key considerations for implementing virtual server infrastructures. He works with Veeam’s R&D team to enhance and develop new Veeam products to address market needs, and advises customers on best practices for managing virtual environments. Doug shares his expertise via the Veeam blog and other social media outlets. Doug has spoken about virtualization management at VMworld, the Nordic Virtualization Conference, Interop, and other events including regional VMUG meetings. He is a VMware vExpert for 2011 and has also appeared on's "Ask the Experts."

Prior to joining Veeam, Doug was an IT infrastructure consultant with Bennett Adelson. Earlier in his career he was the director of Product Management for Migration Solutions at Quest Software. Doug was with Aelita Software in various technical and product management roles for more than five years before it was acquired by Quest Software in 2004.
