Project and Portfolio Management Practitioners Forum
OpenSSL security issue

SOLVED
Jim Esler
Acclaimed Contributor.

Is any version of PPM affected by the Heartbleed OpenSSL vulnerability?

3 REPLIES
Etienne_Canaud
Outstanding Contributor.
Solution

Re: OpenSSL security issue

Hi Jim,

PPM itself doesn't use OpenSSL; however, it is common in PPM production environments to deploy an Apache Web Server in front of PPM and leverage OpenSSL in this Apache Web Server to provide HTTPS.

So PPM itself is not affected; however, your Apache Web Server is if it's configured to use a vulnerable version of OpenSSL (1.0.1 to 1.0.1f). If you are using a version of OpenSSL earlier than 1.0.1, you are not impacted by the vulnerability. If you are using a vulnerable version, you should upgrade as soon as possible to 1.0.1g.

It is up to your administrators to take follow-up actions after upgrading to the latest version (re-generate SSL certificates, or even re-issue passwords for all PPM users, etc.), though the risk of PPM leaking password information should be considered limited if you don't use SSO, i.e. if the authentication is NOT done at the Web Server level, and the PPM Server and Apache Server are not located on the same physical machine. (If I'm correct, the Heartbleed vulnerability gives an attacker arbitrary memory access to the machine where OpenSSL is running, so if PPM is on a different machine, they will only have access to information stored in the memory of the server hosting Apache+OpenSSL. That being said, I cannot tell how much information regarding PPM authentication data Apache will store in its memory.)

Considering the severity of this vulnerability and the (justified) concerns it raises in the PPM customer base, I think you should expect a more formal communication from HP about that topic in the coming days.

Kind Regards,

Etienne.
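A defender-side check that classifies an `openssl version` banner against the range Etienne gives above (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, anything before 1.0.1 not affected). This is an added example, not code from the thread or from HP; `heartbleed_status` is a hypothetical helper name and the banners in the comments are constructed samples.

```shell
#!/bin/sh
# Classify an "openssl version" banner against the Heartbleed-affected range
# discussed in this thread. Prints one of:
#   vulnerable    -> 1.0.1 through 1.0.1f (upgrade to 1.0.1g or later)
#   fixed         -> 1.0.1g or a later 1.0.1 letter release
#   not-affected  -> any release before 1.0.1 (e.g. 0.9.8y, 1.0.0l)
#   unknown       -> not an OpenSSL banner, or a branch this check does not cover
heartbleed_status() {
    banner="$1"
    # Extract the version token, e.g. "1.0.1e" from "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    base=$(printf '%s\n' "$ver" | sed 's/[a-z]*$//')    # numeric part, e.g. 1.0.1
    letter=$(printf '%s\n' "$ver" | sed 's/^[0-9.]*//')  # patch letter, may be empty
    case "$base" in
        1.0.1)
            # Plain 1.0.1 and letters a-f carry the bug; g and later are patched
            case "$letter" in
                ''|[a-f]) echo vulnerable ;;
                *)        echo fixed ;;
            esac
            ;;
        *)
            # Order "$base" against 1.0.1 numerically, field by field.
            # If the base sorts first it predates 1.0.1; newer branches are
            # outside what this thread covers, so report them as unknown.
            first=$(printf '%s\n1.0.1\n' "$base" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
            if [ "$first" = "$base" ]; then
                echo not-affected
            else
                echo unknown
            fi
            ;;
    esac
    return 0
}

# Usage on the host running Apache, e.g.:
#   heartbleed_status "$(openssl version)"
```

Distribution packages often backport the fix while keeping a 1.0.1e-style version string, so treat a `vulnerable` result from a vendor-patched package as a prompt to read the package changelog rather than as a final verdict.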

Gong_Yi
Contributor.

Re: OpenSSL security issue

Technically, this issue exposes a random 64k memory space to the attacker. So any bit passing through Apache could be leaked if the Apache server enables the SSL engine.

Much worse, the issue can be used repeatedly. An attacker can construct an invalid HTTPS packet, send it to the server, get info, send it again, get new info...

Etienne_Canaud
Outstanding Contributor.

Re: OpenSSL security issue

So this could indeed expose PPM usernames and passwords, as well as business data sent or received by PPM server.

Note that all applications using a server (or hardware load balancer) that leverages a vulnerable version of OpenSSL are impacted; this is not specific to PPM.