Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

IBM Notes & Domino are not vulnerable to OpenSSL "Heartbleed" bug (CVE-2014-0160)

Daniel Nashed  9 April 2014 21:41:51
In case you are wondering: IBM Domino is not affected by the OpenSSL "Heartbleed" issue.
Neither Traveler (which leverages the Domino HTTP stack) nor the IBM HTTP Stack in Domino 9 on Windows uses OpenSSL, so neither is affected.

You still have to update your machines to a current OpenSSL package if you are running a 1.0.1 OpenSSL package.

Here is the technote from IBM --> http://www.ibm.com/support/docview.wss?uid=swg21669782

And here is some additional information I got from my ISP --> http://faq.hosteurope.de/index.php?cpid=19463

You have to install a current version. On RHEL/CentOS, for example, 1.0.1e-16 is no longer affected.

After updating the package you have to restart applications using it.

-- Daniel
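
The restart step in the post above can be checked on Linux: a process that loaded OpenSSL before the update keeps the old library mapped, and the mapping is marked "(deleted)" in /proc. The script below is an added example, not part of the original post; the function names are illustrative and it assumes the standard Linux /proc/<pid>/maps layout.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are illustrative.
# After the OpenSSL package is updated, a running process keeps the old,
# now-unlinked library mapped until it is restarted. On Linux such mappings
# appear in /proc/<pid>/maps with a trailing "(deleted)".

# Read maps-format text on stdin; print each distinct libssl/libcrypto path
# that is mapped but deleted on disk.
stale_in_maps() {
    awk '$NF == "(deleted)" && $6 ~ "/lib(ssl|crypto)[^/]*[.]so" { print $6 }' |
        sort -u
}

# Walk a proc tree (default /proc) and print "pid<TAB>name<TAB>libs" for
# every process that still needs a restart.
scan_procs() {
    sp_root=${1:-/proc}
    for sp_dir in "$sp_root"/[0-9]*; do
        [ -r "$sp_dir/maps" ] || continue
        # The process may exit mid-scan; treat an unreadable file as no hit.
        sp_hits=$(stale_in_maps 2>/dev/null < "$sp_dir/maps") || continue
        [ -n "$sp_hits" ] || continue
        sp_name=$(cat "$sp_dir/comm" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\n' "${sp_dir##*/}" "$sp_name" \
            "$(printf '%s' "$sp_hits" | tr '\n' ',')"
    done
}

# Run as root so every process's maps file is readable:  sh script.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_procs
fi
```

An empty result after the update means no running process is still holding the old library.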

Comments

1 Robert Farstad  16.04.2014 10:09:02  IBM Notes & Domino are not vulnerable to OpenSSL Heartbleed bug (CVE-2014-0160)

Thx for this. I also did some digging regarding IBM Sametime and IBM Connections:

{ Link }

2 Thomas Schneider  16.04.2014 20:37:02  IBM Notes & Domino are not vulnerable to OpenSSL Heartbleed bug (CVE-2014-0160)

Hi, but today we got a CVE Record from IBM to update Domino 8.5 and 9.0 'cause it's affected.

3 Daniel Nashed  16.04.2014 22:16:26  IBM Notes & Domino are not vulnerable to OpenSSL "Heartbleed" bug (CVE-2014-0160)

@Thomas, can you share the information you got by mail?

4 Daniel Nashed  17.04.2014 12:52:04  IBM Notes & Domino are not vulnerable to OpenSSL "Heartbleed" bug (CVE-2014-0160)

Update: I am in contact with Thomas offline and he sent me a link to a page that points to a Sametime 9 vulnerability.

When you have configured TLS on the Sametime 9 Community server, it will use OpenSSL, which is affected by Heartbleed.

But the technotes speak only about Sametime 9 in this specific combination. The default configuration of Sametime 9 does not use OpenSSL.

Domino is not affected. Thomas meant Sametime and not Domino when he replied.

Also, there are other technotes: IBM Mobile Connect, IBM WebSphere Portal, IBM Connections, SmartCloud for Social Business Services and IBM Docs are all NOT affected!

If you are running Sametime 9 with TLS you should take action today!

Thanks Thomas for your feedback!

-- Daniel

http://www.ibm.com/support/docview.wss?uid=swg21670015

http://www.ibm.com/support/docview.wss?uid=swg21670176

5 Thomas Schneider  17.04.2014 13:18:45  IBM Notes & Domino are not vulnerable to OpenSSL Heartbleed bug (CVE-2014-0160)

Daniel is right. It affects only Sametime 9 Community Server but was categorized here at the customer's site under "domino".
