THE INFORMATION IN THIS ARTICLE APPLIES TO:
- Mail Express v3.3 and later
DISCUSSION
The "Heartbleed Bug" (CVE-2014-0160) is a serious vulnerability in the popular OpenSSL cryptographic software library, affecting OpenSSL 1.0.1 through 1.0.1f (fixed in 1.0.1g). A missing bounds check in the TLS heartbeat extension lets a remote, unauthenticated peer read up to 64 KB of the process's memory per heartbeat request, which can expose private keys, session cookies, credentials and other data that SSL/TLS normally protects for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Functionality Explanation:
Mail Express uses two secure communication implementations, OpenSSL and JSSE (the Java SSL/TLS implementation, which does not share the affected OpenSSL code), depending on the communication path being used. The OpenSSL build bundled with Mail Express is v1.0.1c, which falls within the vulnerable range. Work is in progress to update the OpenSSL library and eliminate this vulnerability. Until a patch is released, the workarounds below can be used to remediate the issue.
Workarounds:
- Use Globalscape® DMZ Gateway® in conjunction with Mail Express.
  - Mail Express communicates with DMZ Gateway over its JSSE path rather than OpenSSL, so when DMZ Gateway terminates the external connections the vulnerable OpenSSL code path is not exposed to remote clients.
- Pass traffic through a Threat Management Gateway, such as Microsoft Forefront.
  - Only Microsoft Forefront has been tested and found to prevent the issue. Results with other products may vary depending on how they handle the SSL communication: a gateway only helps if it terminates the TLS session itself, because a device that merely forwards the TCP stream still delivers the malicious heartbeat request to the vulnerable OpenSSL library.
- Convert all of your current Mail Express connectors in the server.xml file to use JSSE*.
  - Note 1: Some systems may see minor performance degradation due to this change.
  - Note 2: The "FIPS 140-2 approved protocol" setting will be unavailable when using this configuration. Please contact Globalscape customer support to re-enable it.
  - Note 3: Match the ciphers and sslEnabledProtocols attributes of the converted connectors to those of your DMZ connector.
  - * Refer to the Tomcat documentation to configure the JSSE connector.
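The following script is an added example to accompany the server.xml workaround; it is not Globalscape code and not part of Mail Express. It audits a Tomcat server.xml and reports which HTTPS connectors would terminate TLS with APR/OpenSSL (and therefore the bundled OpenSSL 1.0.1c) versus JSSE, and checks that converted JSSE connectors carry the keystore, sslEnabledProtocols and ciphers attributes the note above says to copy from the DMZ connector. It assumes Tomcat 7 connector semantics: a connector declared with protocol="HTTP/1.1" (or no protocol attribute) is auto-selected to the APR handler whenever the AprLifecycleListener is on and the native library loads; the two sample server.xml documents, the port numbers, keystore paths and the password are constructed for the example.

```python
"""Audit a Tomcat server.xml for connectors that still terminate TLS via APR/OpenSSL.

Added example (not Globalscape/Mail Express code). Assumes Tomcat 7 auto-selection
rules for protocol="HTTP/1.1"; attribute names are those from the Tomcat docs.
"""
import xml.etree.ElementTree as ET

# Tomcat 7 protocol handler class names.
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
JSSE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",
    "org.apache.coyote.http11.Http11NioProtocol",
}
# Attributes a converted JSSE connector needs: the keystore, plus the two the
# article says to align with the DMZ connector.
REQUIRED_JSSE_ATTRS = ("keystoreFile", "sslEnabledProtocols", "ciphers")


def apr_listener_enabled(root):
    """True when AprLifecycleListener is declared with SSLEngine="on"."""
    for listener in root.iter("Listener"):
        if listener.get("className", "").endswith("AprLifecycleListener"):
            return listener.get("SSLEngine", "off").lower() == "on"
    return False


def classify_connector(conn, apr_on):
    """Return 'openssl', 'jsse' or 'plain' for one <Connector> element."""
    if conn.get("SSLEnabled", "false").lower() != "true":
        return "plain"
    proto = conn.get("protocol", "HTTP/1.1")
    if proto == APR_PROTOCOL:
        return "openssl"
    if proto in JSSE_PROTOCOLS:
        return "jsse"
    # protocol="HTTP/1.1" (or none) is auto-selected: Tomcat 7 picks the APR
    # handler, and with it OpenSSL, when the APR listener is on and the native
    # library loads (assumed here); otherwise it falls back to JSSE.
    return "openssl" if apr_on else "jsse"


def audit(server_xml):
    """List every connector with its TLS implementation and any findings."""
    root = ET.fromstring(server_xml)
    apr_on = apr_listener_enabled(root)
    report = []
    for conn in root.iter("Connector"):
        impl = classify_connector(conn, apr_on)
        issues = []
        if impl == "openssl":
            issues.append("TLS terminated by APR/OpenSSL: exposed to CVE-2014-0160 "
                          "while the bundled OpenSSL is older than 1.0.1g")
        elif impl == "jsse":
            issues += [f"JSSE connector lacks {a}" for a in REQUIRED_JSSE_ATTRS
                       if conn.get(a) is None]
        report.append({"port": conn.get("port"), "impl": impl, "issues": issues})
    return report


# Constructed sample: HTTPS connector on 443 left on the default protocol, so
# Tomcat auto-selects APR/OpenSSL; the 8443 connector already uses JSSE.
SERVER_XML_BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="conf/mailexpress.crt" SSLCertificateKeyFile="conf/mailexpress.key" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/mailexpress.jks" keystorePass="changeit"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" />
  </Service>
</Server>"""

# Constructed sample after the workaround: 443 now names the JSSE handler and
# copies the keystore, protocol list and cipher list from the 8443 connector.
SERVER_XML_AFTER = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" />
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/mailexpress.jks" keystorePass="changeit"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/mailexpress.jks" keystorePass="changeit"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA" />
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, xml_text in (("before", SERVER_XML_BEFORE), ("after", SERVER_XML_AFTER)):
        print(label)
        for row in audit(xml_text):
            print(f"  port {row['port']}: {row['impl']} {row['issues']}")
```

Run it against a copy of the live server.xml (replace the constructed samples with the file's contents) and treat any connector reported as "openssl" as still exposed; the explicit protocol class on the converted connector is what moves it to JSSE, so the APR listener may stay in place for other uses as long as no SSLEnabled connector is left on the auto-selected protocol.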