
We have a series of cloud servers running JBoss AS 6.1.0 community edition. We restrict access to these systems using SSL. We generate an SSL certificate for each server and then manually distribute it to personnel that require access. The server is its own certificate authority. The cert is not being used to identify the server to users, but to identify users to the server.

Anyway, the point: is JBoss AS 6.1.0 vulnerable to Heartbleed? We use openssl to generate the keys, but from what I understand JBoss AS uses Tomcat/Coyote to do its https stuff. Do they use the OpenSSL library? How can I patch this component of JBoss specifically, if it is a problem? Unfortunately, upgrading the JBoss version is not an option.

Len
    You can find a good explanation here: http://security.stackexchange.com/questions/55139/does-the-heartbleed-vulnerability-affect-apache-tomcat-servers-using-tomcat-nati –  Apr 09 '14 at 06:56

2 Answers


Java implements its own SSL/TLS stack and does not rely on OpenSSL or any other SSL implementation library. JBoss is written completely in Java, so the answer is no, JBoss is not affected by the Heartbleed vulnerability.

Florin Asăvoaie
  • It depends on whether your Java/JBoss has the Apache Portable Runtime (APR) in use. This answer is correct when you don't use APR. Some JBoss versions come with APR all set up to run out of the box, so it is possible you are already using APR without knowing it. Please read the comment attached to the question referencing http://security.stackexchange.com/questions/55139/ – Darryl Miles Apr 10 '14 at 07:37

It has nothing to do with JBoss. You just need to upgrade your openssl to v1.0.1g or fall back to v.98. Highly likely they are using TLS with OpenSSL.

  • This advice is not worded well; many users of JBoss products will be using Red Hat 6, and there is no 1.0.1g update for RH6. Instead you would install 1.0.1e-16 or later (despite this looking like it is within the affected version range, it has been patched); see https://rhn.redhat.com/errata/RHSA-2014-0376.html – Darryl Miles Apr 10 '14 at 07:43
  • Use "rpm -q openssl" to see what version you have installed. Versions 1.0.0 and 0.9.x are not affected; the vulnerable TLS feature was only added in 1.0.1 (see http://heartbleed.com/ for more info on versions and OS) – Darryl Miles Apr 10 '14 at 07:52
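The version checks described in the comments on both answers (the APR caveat on the first answer, and the `rpm -q openssl` / backported-fix point on the second) as one added shell example; this is not code from the thread. It assumes the fixed RHEL 6 package release is 1.0.1e-16.el6_5.7, per the RHSA-2014-0376 erratum linked above, and that anything in the 1.0.1 to 1.0.1f range without such a backport is affected.

```shell
# Added example, not from the original thread. Classifies an OpenSSL package
# version (as printed by "rpm -q openssl") against the Heartbleed ranges the
# comments describe: 0.9.x and 1.0.0 never had the TLS heartbeat code,
# 1.0.1 through 1.0.1f are affected, 1.0.1g is fixed upstream, and RHEL 6
# backported the fix without changing the upstream version number.
# Assumption: the fixed RHEL 6 release is 1.0.1e-16.el6_5.7 (RHSA-2014-0376).
FIXED_EL6_RELEASE="16.el6_5.7"

# rel_ge A B: true when RPM release string A is >= B, comparing only the
# numeric runs field by field ("16.el6_5.7" -> 16 6 5 7).
rel_ge() {
    a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    set -- $b
    for x in $a; do
        [ $# -eq 0 ] && return 0          # A has extra fields, rest equal
        [ "$x" -gt "$1" ] && return 0
        [ "$x" -lt "$1" ] && return 1
        shift
    done
    [ $# -eq 0 ]                          # equal only if B is exhausted too
}

# heartbleed_status VERSION: prints not-affected, fixed, fixed-backport,
# affected or unknown; exit status 1 means affected.
heartbleed_status() {
    v=${1#openssl-}                       # drop the package-name prefix
    case "$v" in *.x86_64|*.i686|*.i386|*.noarch) v=${v%.*} ;; esac
    upstream=${v%%-*}                     # "1.0.1e-16.el6_5.7" -> "1.0.1e"
    case "$upstream" in
        0.9.*|1.0.0*)     echo "not-affected"; return 0 ;;
        1.0.1[g-z]*)      echo "fixed"; return 0 ;;
        1.0.1|1.0.1[a-f]) ;;              # affected range: look for a backport
        *)                echo "unknown"; return 2 ;;
    esac
    release=${v#*-}                       # "16.el6_5.7", or "$v" if no dash
    if [ "$upstream" = 1.0.1e ] && [ "$release" != "$v" ] \
       && rel_ge "$release" "$FIXED_EL6_RELEASE"; then
        echo "fixed-backport"; return 0
    fi
    echo "affected"; return 1
}

# Constructed sample inputs, not output from a real host. On a live system
# use: heartbleed_status "$(rpm -q openssl | head -n 1)"
for s in openssl-1.0.1e-16.el6_5.7.x86_64 openssl-1.0.1e-15.el6.x86_64 \
         openssl-1.0.0-27.el6.x86_64 1.0.1g 0.9.8e-22.el5; do
    printf '%-40s %s\n' "$s" "$(heartbleed_status "$s")"
done
```

This only tells you whether the OpenSSL package on the box is patched; it matters to JBoss only when the APR/tomcat-native connector is in use, as the comment on the first answer notes.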