The Heartbleed vulnerability, a serious flaw in OpenSSL's TLS implementation, is perhaps the biggest vulnerability in internet history and has sent waves of panic. Naturally, you would be very much concerned, and we are sure you would want to hear from us on its impact on Password Manager Pro.
If you are wondering what this Heartbleed bug is all about, this is for you: It's a bug in the TLS implementation of OpenSSL, a software library used to secure the transmission of private information. It is actually a memory leak exploit that can potentially lead to exposure of server keys and could help hackers reach the private computer memory handled by OpenSSL, paving the way to the theft of private information. It is indeed a very serious vulnerability.
The good news: PMP is NOT vulnerable to Heartbleed
PMP is not vulnerable to the Heartbleed bug for the following reasons:
Bottom line, you need not worry about the security of your data kept in Password Manager Pro.
If you have configured your own SSL certificate
Since generating keys and signing certificates using OpenSSL does not make it vulnerable to Heartbleed, even if you have configured your own trusted SSL certificate for Password Manager Pro using OpenSSL, you need not worry. However, as a precautionary measure, you may regenerate a CSR with OpenSSL version 1.0.1g and get a new certificate signed and generated from your CA and configure it with Password Manager Pro. Steps to do this are available in our FAQ section.
Please note that we are suggesting this precautionary measure much like changing passwords when a security incident occurs somewhere. Since it is not possible for PMP to know where and how these keys are being used and with what libraries, we suggest regenerating the certificate.
General Information
How to diagnose if your systems are vulnerable?
In case you want to diagnose whether your systems are vulnerable to the Heartbleed bug, you may refer to this external post.
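A first-pass local check for the two points above (diagnosis, and regenerating the CSR with a fixed release), as an added example that is not ManageEngine code. It assumes the affected releases are OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta/1.0.2-beta1; `new_csr`, its arguments and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ManageEngine code). Affected releases assumed here:
# OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta/1.0.2-beta1; 1.0.1g carries the fix.

# heartbleed_status "<line printed by: openssl version>"
# Prints: affected-range | not-affected | unknown
heartbleed_status() {
    # "OpenSSL 1.0.1e-fips 11 Feb 2013" -> version token is field 2
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        "") echo unknown ;;                      # not an OpenSSL banner
        1.0.1|1.0.1-*|1.0.1[abcdef]|1.0.1[abcdef]-*|1.0.2-beta|1.0.2-beta1)
            # Distributions shipped the fix without changing the letter, so this
            # result means "confirm the package changelog", not "confirmed vulnerable".
            echo affected-range ;;
        [0-9]*) echo not-affected ;;             # 0.9.8, 1.0.0, 1.0.1g and later
        *) echo unknown ;;
    esac
}

# new_csr <common-name> <basename>  (hypothetical helper)
# Creates a fresh 2048-bit RSA key and CSR, following the page's advice to do the
# regeneration with a fixed OpenSSL release.
new_csr() {
    status=$(heartbleed_status "$(openssl version)")
    if [ "$status" != not-affected ]; then
        echo "local OpenSSL is $status; use 1.0.1g or later" >&2
        return 1
    fi
    ( umask 077   # private key readable by owner only
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "$2.key" -out "$2.csr" -subj "/CN=$1" )
}

# Constructed sample banners, classified offline.
for banner in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014" "OpenSSL 0.9.8y 5 Feb 2013"; do
    printf '%-34s %s\n' "$banner" "$(heartbleed_status "$banner")"
done
```

The result covers only the `openssl` binary on the PATH; applications that bundle their own copy of the library need checking separately.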
Fixing essentially involves the following steps
In case you find any of your systems vulnerable to the Heartbleed bug, the following are the typical steps involved in fixing it:
Other scenarios to take care of
Next Steps
Though PMP with its default SSL certificate is not vulnerable, as a best-practice approach, we are planning to patch the certificate with the latest and protected version of OpenSSL (OpenSSL 1.0.1g) and release a new build (PMP version 7002) soon. You may watch our forum for updates on this.
We reassure you that you are quite safe with PMP and need not worry about the Heartbleed bug. Do write to PMP support if you need any assistance or clarification.
Thanks,
Bala
ManageEngine Password Manager Pro