Heartbleed is a software bug in the open-source cryptography library OpenSSL, which allows an attacker to read the memory of a server or a client.
The vulnerability is due to a missing bounds check in the handling of the TLS heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or DTLS client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. The attacker could then send a specially-crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent.
More information: http://en.wikipedia.org/wiki/Heartbleed
Multiple components in the Verba system use OpenSSL to secure communication. Affected versions: 7.0.4494 and all earlier releases starting with 6.0.
Please contact the Verba support team for more information or if you need help upgrading your Verba system.
Verba Web Application
The Verba Web Application service uses the Apache Tomcat Native Library which uses the OpenSSL library. More information: http://tomcat.apache.org/native-doc/
As an immediate resolution you can manually update the Apache Tomcat Native Library to the latest version:
Step 1 - Download the new DLL from https://verba.com/downloads/tcnative-1.dll
Step 2 - Replace the DLL on all Verba servers where you deployed the Media Repository role. The file can be located in the c:\Program Files (x86)\Verba\tomcat\bin folder.
Step 3 - Restart the Verba Web Application service.
Alternatively, you can upgrade your complete Verba installation to 7.0.4495 or later. The new build uses the updated Apache Tomcat Native Library.
Verba services communicating with external applications over SSL/TLS
The following Verba services use the OpenSSL library to communicate with external applications using SSL/TLS:
- Verba Central Cisco Recorder Service
- Verba Cisco UC Gateway Recorder Service
In order to resolve the TLS vulnerability, you need to update all Verba servers running these services to 7.0.4495 or later. The new build uses the latest 1.0.1g version of the OpenSSL library.
Other Verba services
Several Verba services use the OpenSSL library for SSL/TLS, however most of these services use the library for internal communication between Verba components only. External applications cannot establish an SSL/TLS connection with these Verba components. In order to mitigate this type of risk to 0, you need to update all Verba servers to 7.0.4495 or later. The new build uses the latest 1.0.1g version of the OpenSSL library.