BlackBerry has released a knowledge base article for those concerned about the Heartbleed OpenSSL vulnerability that was announced on April 7, 2014.
BlackBerry is currently investigating the customer impact of the recently announced OpenSSL vulnerability. BlackBerry customers can rest assured that while BlackBerry continues to investigate, we have determined that BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 are not affected and are fully protected from the OpenSSL issue. A list of known affected and unaffected products is supplied in this notice, and may be updated as we complete our investigation.
The OpenSSL heartbeat extension read overflow is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows an attacker to steal the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. This issue was addressed in OpenSSL 1.0.1g and a fix is available for integration into affected BlackBerry products. The vulnerability is detailed in CVE-2014-0160.
Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers. As fixes become available, this notice will be updated.
Affected Software
- BBM for iOS and Android – There are no mitigations for this vulnerability; however, the vulnerability is non-trivial to exploit.
- Secure Work Space for iOS and Android – There are no mitigations for this vulnerability for Secure Work Space for iOS and Android.
- BlackBerry Link for Windows – This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems. BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.
- BlackBerry Link for Mac OS – This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems. BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.
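As an added illustration (not part of the BlackBerry notice), the Python below applies to a single TLS record the same bounds check that OpenSSL 1.0.1g introduced: the heartbeat message's claimed payload_length, plus the minimum padding, must fit inside the bytes the record actually carries. A firewall or IDS filtering heartbeat requests, as the notice suggests for BlackBerry Link, would perform this test; the records here are constructed samples, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24       # TLS record content type for the heartbeat extension (RFC 6520)
HEARTBEAT_REQUEST = 1    # HeartbeatMessageType: 1 = request, 2 = response
MIN_PADDING = 16         # RFC 6520 requires at least 16 bytes of padding


def heartbeat_record(payload: bytes, claimed_len: int, version: int = 0x0302) -> bytes:
    """Build a heartbeat request record for testing (constructed data, not captured
    traffic). In a well-formed message claimed_len == len(payload)."""
    body = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(body)) + body


def check_heartbeat_record(record: bytes) -> tuple:
    """Inspect one TLS record. Returns (is_heartbeat, suspicious, reason).

    'suspicious' mirrors the bounds check added in OpenSSL 1.0.1g: the claimed
    payload_length plus the 16-byte minimum padding must fit inside the bytes the
    record actually carries. A peer that skips this check replies with memory it
    never received, which is the CVE-2014-0160 read overflow."""
    if len(record) < 5:
        return (False, False, "record shorter than a TLS header")
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return (False, False, "not a heartbeat record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 3:
        return (True, True, "truncated heartbeat record")
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    carried = len(body) - 3                      # bytes present after type + length
    if payload_len > 16384 or payload_len + MIN_PADDING > carried:
        return (True, True, f"claims {payload_len} payload bytes, record carries {carried}")
    return (True, False, "payload_length consistent with record length")


if __name__ == "__main__":
    good = heartbeat_record(b"ping", len(b"ping"))
    bad = heartbeat_record(b"", 1024)            # claims bytes that are not there
    for r in (good, bad):
        print(check_heartbeat_record(r))
```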
Non-Affected Software
- BlackBerry Enterprise Service 10
- BlackBerry Enterprise Server 5
- BlackBerry Universal Device Server
- BlackBerry® 10 OS
- BlackBerry® 7.1 OS and earlier
- BBM for BlackBerry smartphones
If you’re concerned, you should be resetting your passwords where and when advised to do so.