It hasn’t been long since the OpenSSL Heartbleed bug rattled the Internet, and I have not posted anything on this blog because I believe bugs exist in any software. But some bugs are more serious than others, and some software is more important than other software, OpenSSL being one such example. So it came as a bit of a surprise to see a new OpenSSL bug announced to the public yesterday, so soon after Heartbleed, in the “OpenSSL Security Advisory [05 Jun 2014]” (the SSL/TLS MITM issue in that advisory is tracked as CVE-2014-0224). To quote the advisory:

“An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.”
WebSphere Application Server, IBM Integration Bus and WebSphere MQ do not use OpenSSL for their TLS implementation, so their users are not at risk from this bug (it is still worth checking IBM's security bulletins in case some bundled component links OpenSSL). However, if you are using Tomcat with the APR/native connector (which links libssl), ActiveMQ, or any other open source product that actually relies on OpenSSL, you had better apply the upgrade quickly: the fixed releases named in the advisory are 0.9.8za, 1.0.0m and 1.0.1h. Since most deployments use the operating system's libssl, patch the system package and then restart every process that had the old library loaded; a long-running daemon keeps using the vulnerable copy until it is restarted.
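As an added example (my own code, not from the original post or from the OpenSSL project), the following Python script turns the advisory's conditions into a check you can run against `openssl version` output. It classifies a client build and a server build separately, because the advisory's rules differ for the two roles, and then applies the "vulnerable client *and* server" condition to decide whether a given pair is actually exposed to the MITM attack. The fixed releases (0.9.8za, 1.0.0m, 1.0.1h) come from the advisory; the version banners used as sample input are constructed for illustration.

```python
"""Classify OpenSSL version banners against the 05 Jun 2014 advisory (CVE-2014-0224).

Added example, not OpenSSL project code. The only inputs are version strings
such as those printed by `openssl version`; no network probing is done.
"""
import re
import subprocess

# Releases carrying the fix for each branch, as listed in the advisory.
FIXED_RELEASE = {
    (0, 9, 8): "za",
    (1, 0, 0): "m",
    (1, 0, 1): "h",
}

# Matches "OpenSSL 1.0.1e", "OpenSSL 1.0.1e-fips", "OpenSSL 0.9.8za", "OpenSSL 1.0.2-beta1".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)(?:-beta(\d+))?([a-z]*)")


def parse_banner(banner):
    """Return (branch, letters, beta) for an OpenSSL banner, or None if it is not one.

    branch  -> (major, minor, patch) tuple, e.g. (1, 0, 1)
    letters -> patch-letter suffix ('' for the .0 release, 'za' for 0.9.8za)
    beta    -> beta number as int, or None for a normal release
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    beta = int(m.group(4)) if m.group(4) else None
    return branch, m.group(5), beta


def _letters_key(letters):
    # OpenSSL patch letters run a..y and then za, zb, ...; a longer suffix is newer.
    return (len(letters), letters)


def _is_at_least(letters, fixed_letters):
    return _letters_key(letters) >= _letters_key(fixed_letters)


def client_status(banner):
    """Clients are vulnerable in every release below the fixed one for their branch."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    branch, letters, beta = parsed
    if branch == (1, 0, 2):
        # The advisory names 1.0.2-beta1 as affected; later 1.0.2 builds are not classified here.
        return "vulnerable" if beta == 1 else "unknown"
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if _is_at_least(letters, fixed) else "vulnerable"


def server_status(banner):
    """Servers are only known to be exploitable on 1.0.1 (< h) and 1.0.2-beta1.

    Older branches are not known to be exploitable as servers, but the advisory
    still tells them to upgrade as a precaution, so they get a distinct status.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    branch, letters, beta = parsed
    if branch == (1, 0, 2):
        return "vulnerable" if beta == 1 else "unknown"
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return "unknown"
    if _is_at_least(letters, fixed):
        return "patched"
    return "vulnerable" if branch == (1, 0, 1) else "upgrade-advised"


def mitm_exposed(client_banner, server_banner):
    """True only when BOTH ends are vulnerable, which is the advisory's precondition."""
    return (client_status(client_banner) == "vulnerable"
            and server_status(server_banner) == "vulnerable")


def local_openssl_banner():
    """Banner of the locally installed openssl binary, or None if it is not present."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample banners (release dates as printed by those builds).
    samples = [
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.1h 5 Jun 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
    ]
    for s in samples:
        print(f"{s:40} client={client_status(s):16} server={server_status(s)}")
    local = local_openssl_banner()
    if local:
        print("local:", local, "-> client:", client_status(local), "server:", server_status(local))
```

One caveat a practitioner will hit immediately: distributions such as Debian and Red Hat backport the fix without changing the upstream version string, so a patched RHEL 6 box still reports `OpenSSL 1.0.1e-fips`. Treat a "vulnerable" result from this script as a prompt to check the package changelog, not as proof.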