
Is Jasper affected by Heartbleed bug (http://heartbleed.com/)?


islam.md786
Go to solution Solved by mgeise,


Hi Teodor,

This is a very critical, urgent issue, so it would be nice if you could please reply ASAP.

Question : Is Jasper affected by Heartbleed bug (http://heartbleed.com/)?

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.

I would like to know which version of OpenSSL is being used in Jasper? 

 

Thanks,

Rofikul


  • Solution

JasperReports Server does not actually ship with OpenSSL. It would be a library that is on the actual server, shipped within the operating system (not within JasperReports Server). If you have OpenSSL installed on your server, you should be able to do a simple update to it to ensure that you are not vulnerable. The following has some information on how to run the update on various operating systems: https://www.digitalocean.com/community/articles/how-to-protect-your-server-against-the-heartbleed-openssl-vulnerability

If your concern is not about the product, but instead about our websites (jaspersoft.com, community.jaspersoft.com, etc.), we updated our OpenSSL version very quickly, within the first day of when Heartbleed was announced. We do not feel that any user information has been corrupted; however, we recommend that you change your passwords, just as recommended by most sites based on this issue. Regularly changing your passwords is always a good practice to improve security.
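A quick way to check the operating system's OpenSSL against the version list quoted in the question, as an added example that is not part of the original thread or Jaspersoft's code. The function name `heartbleed_status` is hypothetical, and the handling of releases after 1.0.1g and of the `-fips` suffix are assumptions beyond the quoted list.

```shell
#!/bin/sh
# Classify one line of `openssl version` output against the status list
# quoted in the question. Prints VULNERABLE, NOT_VULNERABLE or UNKNOWN.
#
# Caveats:
#  - Distribution packages often backport the fix without changing the
#    upstream version string, so VULNERABLE here means "check the package
#    changelog or the build date in `openssl version -a`", not proof.
#  - This looks only at the binary on PATH, not at every libssl copy a
#    running process may have loaded.
heartbleed_status() {
    # Second field is the version token, e.g. "1.0.1e-fips" from
    # "OpenSSL 1.0.1e-fips 11 Feb 2013". Other products give no token.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    # Assumption: a "-fips" build suffix does not change the status.
    base=${ver%-fips}
    case "$base" in
        0.9.8*|1.0.0*)
            echo NOT_VULNERABLE ;;   # branches listed as not vulnerable
        1.0.1|1.0.1[abcdef])
            echo VULNERABLE ;;       # 1.0.1 through 1.0.1f inclusive
        1.0.1[g-z])
            echo NOT_VULNERABLE ;;   # 1.0.1g carries the fix; later letters follow it
        *)
            echo UNKNOWN ;;          # not covered by the quoted list
    esac
}

# Report on the local binary when one is on PATH.
if command -v openssl >/dev/null 2>&1; then
    line=$(openssl version)
    printf '%s => %s\n' "$line" "$(heartbleed_status "$line")"
fi
```

After updating the package, restart any service that loaded the old library, since a running process keeps using the copy it started with.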
