Important Security Update from Scala regarding “Heartbleed”
At Scala, we take our partners’ and our customers’ security seriously. As you may know, this week a significant Internet security flaw, CVE-2014-0160, nicknamed “Heartbleed”, was discovered in a widely used piece of software known as OpenSSL. We’d like to share with you the status of Scala’s products and services, and what steps, if any, you should consider taking.
Our Content Manager web application can be deployed to support HTTPS. Content Manager uses the Java implementation of SSL to encrypt your connections, and this implementation does not include any vulnerable version of OpenSSL. This is true for all versions of Content Manager, from the product’s first release to the current Release 10.2.2.
That said, there are a couple of cases where you should look further at other aspects of the overall Content Manager network configuration:
1. If you use a network security appliance or front-end server to terminate SSL, check with the corresponding vendor, or check the device’s configuration, to see whether it is affected, and update it if necessary.
2. Content Manager uses the Tomcat web server (http://tomcat.apache.org). Tomcat supports a helper library called the “Apache Portable Runtime” or “Tomcat Native” library. This library boosts Tomcat’s performance by handling certain tasks, including SSL, more efficiently. Versions 1.1.24 through 1.1.29 of this library use a version of OpenSSL that is vulnerable to Heartbleed. Scala’s installers do not deploy this library; if you or a third party added it to your Content Manager server, we recommend you remove it until a patched version becomes available.
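One way to confirm which case a Content Manager server is in, as an added example that is not part of Scala’s advisory: Tomcat’s AprLifecycleListener writes a line to catalina.out at startup saying whether Tomcat Native was loaded and with which version, so that line can be checked against the 1.1.24–1.1.29 range above. The log line formats and the sample log lines below are assumptions constructed for this example.

```python
import re

# Tomcat Native (tcnative) versions the advisory lists as bundling a
# Heartbleed-vulnerable OpenSSL, inclusive on both ends.
VULNERABLE_TCNATIVE = ((1, 1, 24), (1, 1, 29))

# Assumed format of the AprLifecycleListener line logged when tcnative loads.
_LOADED = re.compile(
    r"Loaded APR based Apache Tomcat Native library (\d+)\.(\d+)\.(\d+)")
# Assumed wording logged when the library is absent from java.library.path
# (the state Scala's installers leave the server in).
_NOT_FOUND = "Apache Tomcat Native library which allows optimal performance"


def check_catalina_log(lines):
    """Classify a Tomcat startup log: returns (status, version_tuple_or_None).

    status is one of:
      "vulnerable"             tcnative loaded, version within 1.1.24..1.1.29
      "loaded-outside-range"   tcnative loaded, version not in the listed range
                               (confirm with the library vendor before relying on it)
      "not-loaded"             Tomcat reported the library was not found
      "unknown"                no APR listener line seen; inspect the log by hand
    """
    for line in lines:
        m = _LOADED.search(line)
        if m:
            version = tuple(int(part) for part in m.groups())
            low, high = VULNERABLE_TCNATIVE
            status = "vulnerable" if low <= version <= high else "loaded-outside-range"
            return status, version
        if _NOT_FOUND in line:
            return "not-loaded", None
    return "unknown", None


# Constructed sample logs covering the three outcomes.
SAMPLE_VULNERABLE = [
    "INFO: Starting Servlet Engine: Apache Tomcat/7.0.52",
    "INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.",
]
SAMPLE_CLEAN = [
    "INFO: The APR based Apache Tomcat Native library which allows optimal performance "
    "in production environments was not found on the java.library.path",
]
SAMPLE_OLDER = ["INFO: Loaded APR based Apache Tomcat Native library 1.1.20."]

if __name__ == "__main__":
    for name, log in (("vulnerable", SAMPLE_VULNERABLE), ("clean", SAMPLE_CLEAN), ("older", SAMPLE_OLDER)):
        print(name, check_catalina_log(log))
```

Run it against the real catalina.out with `check_catalina_log(open(path))`; a "vulnerable" result is the case the advisory asks you to act on by removing the library.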
We have verified the Content Manager services we host for our customers, and the security infrastructure around them; they do not contain the vulnerable versions of OpenSSL and are therefore not affected by the Heartbleed problem.
The Scala Android Player does include a version of OpenSSL that contains the vulnerable code. The Android Player is set up as a network client. The only way we are aware of to attack a network client containing a vulnerable version of OpenSSL is by compromising the server, or the access to the server, it connects to. We therefore recommend verifying the security of the server and of access to it.
The Scala Player for Windows / Windows Embedded, and Scala Designer, do not contain the vulnerable versions of OpenSSL, and are thus not affected by the Heartbleed problem.
Our customer-facing and partner-facing Scala web sites are not affected, with one exception:
- The scala.com/scp partner portal was using the vulnerable version of OpenSSL, and has now been updated to mitigate the vulnerability.
We will have an additional information update regarding SignChannel, early next week.
The nature of the Heartbleed problem means we have no way of knowing whether that formerly vulnerable server was probed by malicious actors. We have no information that any data was compromised. Nonetheless, we recommend that our partners change the passwords they use for the scala.com/scp service.
If you have any questions, please don’t hesitate to contact your Scala Partner representative. We will get back to you as soon as possible. I am grateful to many members of the Scala technical staff who assisted in the analysis and response.
Peter Cherna, CTO