As you may know, a serious vulnerability was recently announced in OpenSSL, commonly referred to as Heartbleed or, more officially, by its CVE ID, CVE-2014-0160. This vulnerability affects the OpenSSL heartbeat mechanism and allows unauthorized access to private data, including encryption keys, encrypted traffic and more.
At CFEngine we use OpenSSL both in our infrastructure and in our products. The security of our users and customers is one of our primary concerns, so we immediately began investigating the possible impact of this bug. Here are our findings:
- CFEngine Enterprise and CFEngine Community binary packages are not affected. Versions 3.5.3 and older do not use OpenSSL's TLS protocol implementation (OpenSSL is used only internally for encryption primitives, which are unaffected by the bug), and version 3.6 (currently in beta) ships with a non-vulnerable version of OpenSSL for the implementation of its new TLS protocol.
- CFEngine Community 3.6beta1 or 3.6beta2 compiled from source may be affected, as such builds link against the version of OpenSSL installed on your system. Make sure you check and update OpenSSL if needed, and recompile CFEngine as necessary.
- Our Redmine bugtracker (https://cfengine.com/dev) and our (now deprecated) OTRS bugtracker for Enterprise customers are not affected.
- Our main website (https://cfengine.com/) was affected. The web server has been updated to a non-vulnerable version of OpenSSL. If you have a cfengine.com account, we highly recommend you change your password at https://cfengine.com/inside/editAccount. If you have an account in our old community bugtracker (https://cfengine.com/bugtracker/) you may also want to change your password there (particularly if you reused your password in any other service).
- If you are an Enterprise user, we also strongly advise you to change the password of your Zendesk account used for support tickets.
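For from-source 3.6 beta builds, the check above comes down to two questions: is the system OpenSSL in the range affected by CVE-2014-0160 (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g), and does the cf-agent binary actually link the system libssl? The script below is an added example, not CFEngine's own tooling; the default cf-agent path is an assumption, and because distributions often backport the fix without bumping the version string, a "within affected range" result means "confirm against the package changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not part of the CFEngine advisory or code base).

# Extract the bare version token ("1.0.1e") from an `openssl version` line
# such as "OpenSSL 1.0.1e 11 Feb 2013". Prints nothing for non-OpenSSL output.
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# Return 0 if the version token lies in the range affected by CVE-2014-0160
# (1.0.1 through 1.0.1f inclusive, and 1.0.2-beta1), 1 otherwise. Suffixed
# tokens such as "1.0.1e-fips" are treated like their base version.
# Caveat: vendor packages may carry a backported fix under an affected
# version string, so treat a 0 here as "verify", not "exploitable".
heartbleed_affected_version() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the executable is dynamically linked against libssl, i.e. the
# system OpenSSL version is the one that matters for this build.
binary_links_libssl() {
    ldd "$1" 2>/dev/null | grep -q 'libssl\.so'
}

# Run both checks on the local host and report; never fails the script.
# CF_AGENT defaults to an assumed install path; override for other prefixes.
check_local_system() {
    if command -v openssl >/dev/null 2>&1; then
        ver=$(openssl_version_token "$(openssl version)")
        if heartbleed_affected_version "$ver"; then
            echo "system OpenSSL $ver is within the CVE-2014-0160 range: verify the package changelog and update"
        else
            echo "system OpenSSL ${ver:-(unknown)} is outside the affected range"
        fi
    else
        echo "no openssl binary found in PATH"
    fi
    agent="${CF_AGENT:-/var/cfengine/bin/cf-agent}"
    if [ -x "$agent" ] && binary_links_libssl "$agent"; then
        echo "$agent links the system libssl: recompile after updating OpenSSL"
    else
        echo "$agent not found, or not dynamically linked to libssl"
    fi
    return 0
}

check_local_system
```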
We will continue to monitor this situation and communicate any developments through our blog, or through direct email to customers when appropriate. We are committed to keeping CFEngine as the most secure configuration management solution while keeping an honest and open communication with you. If you have any questions or comments, please contact us at security@cfengine.com, or through your regular support channels if you are an Enterprise customer.
Thank you,
Diego Zamboni, Sr. Security Advisor, CFEngine