
We are trying to determine our window of vulnerability for Heartbleed. Does anyone have an idea of how to determine which version of OpenSSL was used to build a given Tomcat Native DLL?

Our server has had Tomcat 6 on it (not sure which version of tcnative-1.dll, but trying to track it down), upgraded to Tomcat 7 (with tcnative-1.dll version 1.1.27).

I can't find any information anywhere on which versions of tcnative-1.dll were linked against which openssl versions.

The Apache changelog doesn't have this info, and documentation provides a website that has the DLL it was linked against, but no information about which of the 17 versions it used.

Michael Hampton
Kevin Day

2 Answers


The answer can be seen from this bugzilla entry of the apache tomcat project:

https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

Affected versions are 1.1.24 until 1.1.29 (the last officially at the moment).

For the versions since 1.1.23 (which was linked against openssl 1.0.0g) you find a VERSIONS file inside of the windows binary packages you can download from the tomcat archive which gives information about the libraries.

Earlier tcnative-1 versions at least contain an openssl.exe bundled which can be queried for version information with the command "version".


To find the version of OpenSSL used by the tcnative-1.dll, you need to navigate to the \bin folder and issue the below query from the command prompt (for Windows):

find "OpenSSL" tcnative-1.dll

Note: Use the appropriate grep query for Linux systems.

Alternately, you can also find the version of the openssl loaded through tomcat in the logs\catalina.log file. This gets printed when the APR library initializes and loads it.

Once you have identified the openssl version using the above technique, you can verify the vulnerability through http://en.wikipedia.org/wiki/Heartbleed#Affected_OpenSSL_installations
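The two checks in the answer above (grep the DLL for the embedded "OpenSSL x.y.z" banner, or read the version out of catalina.log) can be done in one small script. The script below is an added example written for this page, not code from either answerer or from the Tomcat project. The DLL bytes and the log lines are constructed samples shaped like the real artifacts (the log lines imitate the AprLifecycleListener messages the answer refers to; they are not copied from a real catalina.log). The vulnerable-range rule encodes the publicly documented fact that Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and that 1.0.1g carries the fix; 1.0.2 beta builds are outside this check.

```python
import re
import sys
from typing import Dict, List

# Matches the version banner OpenSSL embeds in its binaries and prints from
# "openssl version", e.g. "OpenSSL 1.0.1e 11 Feb 2013". The date part is optional.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?: \d{1,2} \w{3} \d{4})?")

# Constructed sample: a few bytes standing in for tcnative-1.dll with the
# banner embedded among other strings (not a real DLL image).
SAMPLE_DLL = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"Apache Tomcat Native 1.1.27\x00"
    + b"OpenSSL 1.0.1e 11 Feb 2013\x00"
    + b"SSLv3 part of OpenSSL 1.0.1e 11 Feb 2013\x00"
)

# Constructed sample log lines shaped like the AprLifecycleListener output
# that Tomcat writes when the native library loads OpenSSL (not a real log).
SAMPLE_LOG = """\
Apr 10, 2014 9:12:01 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.27 using APR version 1.4.8.
Apr 10, 2014 9:12:01 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
"""


def find_openssl_versions(data: bytes) -> List[str]:
    """Return the distinct OpenSSL version strings found in data, in order of appearance."""
    seen: List[str] = []
    for m in BANNER_RE.finditer(data):
        version = m.group(1).decode("ascii")
        if version not in seen:
            seen.append(version)
    return seen


def scan_file(path: str) -> List[str]:
    """Read a DLL, .so or log file and return the OpenSSL versions it mentions."""
    with open(path, "rb") as fh:
        return find_openssl_versions(fh.read())


def is_heartbleed_vulnerable(version: str) -> bool:
    """True for 1.0.1 through 1.0.1f, the releases Heartbleed affects.

    1.0.1g carries the fix; 1.0.0 and 0.9.8 never had the heartbeat code.
    Beta builds of 1.0.2 are not handled here.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    # Letters sort alphabetically, and the bare "1.0.1" (no letter) sorts before "a".
    return (major, minor, patch) == (1, 0, 1) and letter < "g"


def assess(data: bytes) -> Dict[str, bool]:
    """Map each version string found in data to whether it is Heartbleed-affected."""
    return {v: is_heartbleed_vulnerable(v) for v in find_openssl_versions(data)}


if __name__ == "__main__":
    # Usage: python check_tcnative.py [path-to-tcnative-1.dll-or-catalina.log]
    # With no argument the constructed DLL sample is examined.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DLL
    for ver, vuln in assess(blob).items():
        print(f"OpenSSL {ver}: {'VULNERABLE to Heartbleed' if vuln else 'not affected'}")
```

Because the same banner regex works on a binary and on a log, pointing the script at logs\catalina.log answers the question for the OpenSSL that was actually loaded at runtime, while pointing it at bin\tcnative-1.dll answers it for the library on disk; if the two disagree, the server may have been restarted with a different DLL than the one currently installed.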