Is Webthority or Cloud Access Manager affected by the OpenSSL Heartbleed exploit?
The Heartbleed exploit is described in the following articles:
The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520).
Webthority and Cloud Access Manager are not affected by the OpenSSL Heartbleed exploit.
We have confirmed that Webthority and Cloud Access Manager, as reverse proxies that terminate and re-establish SSL, do protect otherwise vulnerable applications from the Heartbleed OpenSSL vulnerability.
Here is a more detailed explanation:
• In order to exploit this vulnerability you need to be able to establish an SSL session directly with the server so that you can send modified heartbeat packets to exploit the bug.
• When accessing a vulnerable server via Cloud Access Manager or Webthority, the SSL session will be terminated at the proxy, and the proxy will establish its own SSL session with the vulnerable server that only it can manipulate. End users can only manipulate the SSL session between them and the proxy (i.e. their own session).
• So vulnerable servers will be protected against this bug as long as they cannot be accessed directly, bypassing the proxy.
Any good firewall, for example Sonicwall, can restrict access to the applications to just the proxy IP address. Together, you've got Webthority or CAM as your Heartbleed (or future OpenSSL-related vulnerability) mitigation solution.
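The mitigation only holds while the backend is unreachable except from the proxy, so the rule set that enforces that is worth auditing. The following is an added example (not Webthority, CAM or Sonicwall code) that models first-match firewall rules with a default deny and reports any non-proxy source that can still reach the backend's SSL port directly; the addresses, ports and rule sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    port: Optional[int]  # None matches any port

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; anything unmatched is denied (the safe default)."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"

def direct_exposure(rules: List[Rule], proxy_ip: str, backend_ip: str,
                    backend_port: int, outside_samples: List[str]) -> Tuple[bool, List[str]]:
    """Return (proxy can reach backend, list of sample sources that bypass the proxy)."""
    proxy_ok = evaluate(rules, proxy_ip, backend_ip, backend_port) == "allow"
    leaks = [ip for ip in outside_samples
             if evaluate(rules, ip, backend_ip, backend_port) == "allow"]
    return proxy_ok, leaks

# Constructed lab values: the proxy, the vulnerable backend, and two non-proxy sources.
PROXY_IP = "10.0.0.5"
BACKEND_IP = "10.0.1.20"
BACKEND_PORT = 443
OUTSIDE = ["203.0.113.7", "10.0.2.9"]

# Correct: only the proxy may reach the backend; everything else is explicitly denied.
GOOD_RULES = [
    Rule("allow", "10.0.0.5/32", "10.0.1.20/32", 443),
    Rule("deny", "0.0.0.0/0", "10.0.1.20/32", None),
]

# Misconfigured: a broad allow precedes the proxy-only rule, so the proxy is bypassable.
BAD_RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.1.20/32", 443),
    Rule("allow", "10.0.0.5/32", "10.0.1.20/32", 443),
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, direct_exposure(rules, PROXY_IP, BACKEND_IP, BACKEND_PORT, OUTSIDE))
```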