Question

Is the OpenSSL software used by a particular Ex Libris product affected by the security vulnerability CVE-2014-0160 (also called Heartbleed bug)?

Answer

Most Ex Libris products and services are NOT vulnerable. However, Voyager versions 8.2
and higher, that use HTTPS and are running on Solaris, Linux, or AIX operating systems
(not Windows), are vulnerable to this bug.

Ex Libris is working on the resolution and will provide a security patch shortly. Ex Libris will
update the relevant customers once the fix is ready.

For hosted environments, Ex Libris will apply the script to resolve this security issue.

More details about this bug, which has affected companies and individuals worldwide, can
be found at the following website: http://heartbleed.com/

Additional Information

The OpenSSL versions 1.0.1 up to and including 1.0.1f are affected by the security vulnerability CVE-2014-0160.
The vulnerability has been fixed in OpenSSL version 1.0.1g.

OpenSSL versions lower than 1.0.1 (e.g. the version branches 0.9.8 and 1.0.0) are not affected by the vulnerability.

Sources of information:
https://www.openssl.org/news/secadv_20140407.txt
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
http://heartbleed.com

For instructions on how to determine the version of the OpenSSL software used by one of Ex Libris product please see KCS Article Determine Version of OpenSSL Software used by an Ex Libris Product

• Article last edited: 7/13/2015