Update 7 (May 26, 2014): Further changes were required to fully resolve the security vulnerability known as Heartbleed.
Update 6 (April 22, 2014): An ebf/SP has been posted to the download site for version 12.0.1 and version 16 on Windows and Linux platforms that resolves this vulnerability. The fix will be released on other platforms as soon as internal testing is completed.
Update 5 (April 21, 2014): An ebf/SP has been posted to the download site for version 16 on Windows platforms that resolves this vulnerability. The fix will be released on other platforms as soon as internal testing is completed.
Update 4: Ten days since discovery, no EBFs yet, no news for a week.
Update 3: There is some discussion of Heartbleed on sap.com; google this:
Update: For the record, current builds of SQL Anywhere use OpenSSL: What impact will the switch to OpenSSL have on SQL Anywhere strong encryption?
Also: Heartblead is a real zero-day vulnerability with its own website: heartbleed.com
Bug, Nicknamed Heartbleed, Potentially Exposes Masses of Sensitive Data
By DANNY YADRON - Wall Street Journal
Updated April 8, 2014 7:29 p.m. ET
An encryption tool used by a large chunk of the Internet is flawed, potentially exposing reams of data meant to be hidden from prying eyes.
The bug, nicknamed Heartbleed by researchers at Google Inc. and cybersecurity firm Codenomicon, could have affected two-thirds of active websites when it was disclosed Monday, they said.
On Tuesday, website operators, including Yahoo Inc., YHOO +2.30% raced to fix the problem. A Yahoo spokeswoman said the company had "made the appropriate corrections." Several researchers said earlier that they had been able to capture Yahoo usernames and passwords.
Many other major websites, such as Google, Amazon.com Inc. AMZN +2.93% and eBay Inc., EBAY +3.49% appeared to be safe, based on a test created by a researcher for cybersecurity company Qualys Inc. QLYS +1.66%
The bug exploits a problem in certain versions of OpenSSL, a free set of encryption tools used by much of the Internet. OpenSSL is managed by four core European programmers, only one of whom counts it as his full-time job. The limited resources behind the encryption code highlight a challenge for Web developers amid increased concern about hackers and government snoops.
Websites increasingly use encryption to mask data such as usernames, passwords and credit-card numbers. That prevents a hacker lurking at a coffee shop from grabbing personal information out of the air as it travels to a wireless router. This type of encryption is called SSL, or secure sockets layer, or TLS, or transport layer security. When a website is using these forms of encryption, a padlock appears with the Web address in a browser.
Web servers that use the affected versions of the code store some data unprotected in memory. Hackers can grab that data, and reconstruct information about users or keys that would allow them to monitor past or future encrypted traffic.
"Anyone can reach out to the Internet and scoop out of the data," said Thomas Ptacek, a researcher at Matasano Security in Chicago. "I can be in my office here. I can be in Estonia."
Writing encryption code is complex, so many website operators tap OpenSSL, which is free. It was created in the late 1990s by developers who wanted an easy-to-use encryption scheme for Internet traffic. Its website is bare bones, as are its finances.
Steve Marquess, president of the OpenSSL Software Foundation, a separate entity that solicits funding for the team that manages the code, said its 2013 budget was less than $1 million.
"There's no question more effectively applied manpower would be a good thing," said Mr. Marquess, 59 years old. "Formal code audits would be a good thing."
Mr. Marquess, a former Defense Department consultant who works in Maryland, is the project's only U.S. resident. The other coders are based in Europe to avoid export laws for advanced encryption.
Still, OpenSSL has become synonymous with online encryption. The Defense Department and Department of Homeland Security use OpenSSL, Mr. Marquess said. On its website, Amazon suggests that customers of its Amazon Web Services remote-computing service use OpenSSL when adding encryption to their webpages.
In a blog post, Amazon said it expected to have mitigated the issue for all AWS users by the end of Tuesday.
Ivan Ristic, a Serbian researcher for Qualys, spent much of Monday creating a tool to test whether a website is affected. Traffic to Mr. Ristic's webpage was up seven-fold Tuesday as Web users checked the security status of various websites, he said.
The researchers said the bug had existed in the encryption code for roughly two years. They pointed users to a patch and explained how website operators can protect themselves and their users.
Much of the Internet appeared to be caught off guard by the disclosures.
"If you need strong anonymity or privacy," Roger Dingledine, president of the Tor Project, a web service used to obscure Internet users' identity, wrote in a blog post, "you might want to stay away from the Internet entirely for the next few days while things settle."
I've posted to the SQL Anywhere Community on SCN detailing the vulnerabilities caused by Heartbleed as well as suggested workarounds and resolutions for the problem
Just to let everyone know - we aren't ignoring this question.
answered 09 Apr '14, 13:38