April 18, 2014 | Robert Dempsey

InfiniDB's Response to the "Heartbleed" Bug

In recent days, much has been reported about the "Heartbleed" bug (CVE-2014-0160), a serious vulnerability in the popular OpenSSL cryptographic library that allows information normally protected by SSL/TLS encryption over the Internet, for applications such as email and instant messaging, to be stolen.

We want to assure our customers and users of our software that no version of InfiniDB is affected by "Heartbleed". None of the InfiniDB database components supports SSL and none of them links with any SSL libraries.

The version of the MySQL server included with InfiniDB can be configured to support SSL connections to SQL clients, but it uses an embedded SSL library (yaSSL) that is not affected by this bug.

However, many supported Linux distributions (including Red Hat/CentOS 6, Debian 7 and Ubuntu 12.04) are affected. Administrators are urged to upgrade their installations with the latest OpenSSL packages to remove the vulnerability. All supported, affected Linux distributions have patches available through their respective package repositories.

Note that for most InfiniDB installations there was never a problem. However, if you have enabled non-InfiniDB services (e.g. Apache httpd), you may be affected.  Specifically for Apache httpd, if you have installed and enabled mod_ssl, you were affected and you should consider any data served up by Apache httpd over an SSL connection to be compromised.

Also, please note that the version of ssh in all supported Linux distributions was never affected by this bug.  Information transferred using ssh on these platforms is believed to remain secure.
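A check to run after the OpenSSL upgrade advised above, for hosts with services such as Apache httpd with mod_ssl: a process that loaded the library before the upgrade keeps the old copy mapped until it is restarted. This is an added example, not InfiniDB code; it assumes a Linux `/proc` filesystem, and the sample process tree, PIDs and the `stunnel` process are constructed for illustration.

```shell
#!/bin/sh
# Added example. Lists processes that still map a libssl file replaced on disk
# (marked "(deleted)" in /proc/PID/maps), i.e. not restarted since the upgrade.
# Only libssl is matched because the TLS heartbeat code lives in libssl.

# stale_ssl_procs [PROC_ROOT] -> one "PID NAME LIBRARY" line per stale library
stale_ssl_procs() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue      # exited or unreadable process
        pid=${dir##*/}
        name=$(awk '/^Name:/ { print $2; exit }' "$dir/status" 2>/dev/null) || name=
        # Field 6 of a maps line is the mapped path; the last field is
        # "(deleted)" when that file has been replaced or removed.
        awk -v pid="$pid" -v name="${name:-?}" '
            $6 ~ /\/libssl\.so/ && $NF == "(deleted)" && !seen[$6]++ {
                print pid, name, $6
            }' "$dir/maps" 2>/dev/null || continue
    done
    return 0
}

# Constructed sample tree (not real data): PID 4242 is an httpd started before
# the upgrade; PID 4300 is a hypothetical service started after it.
build_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir "$d/4242" "$d/4300"
    printf 'Name:\thttpd\n'   > "$d/4242/status"
    printf 'Name:\tstunnel\n' > "$d/4300/status"
    cat > "$d/4242/maps" <<'EOF'
7f3a10000000-7f3a1005e000 r-xp 00000000 fd:01 393250 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a1005e000-7f3a10062000 rw-p 0005e000 fd:01 393250 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3a10800000-7f3a1098a000 r-xp 00000000 fd:01 393101 /lib64/libc-2.12.so
EOF
    cat > "$d/4300/maps" <<'EOF'
7f9b20000000-7f9b2005e000 r-xp 00000000 fd:01 400112 /usr/lib64/libssl.so.1.0.1e
7f9b20400000-7f9b205b0000 r-xp 00000000 fd:01 400110 /usr/lib64/libcrypto.so.1.0.1e
EOF
    echo "$d"
}

# Demo on the constructed tree; call stale_ssl_procs with no argument (as root)
# to scan the live system.
sample=$(build_sample_proc) && stale_ssl_procs "$sample"
rm -rf "$sample"
```

Any process the function reports should be restarted so that it loads the patched library.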

InfiniDB customers with additional questions or concerns can contact Customer Support at support@infinidb.co or via the OTRS ticket system. InfiniDB users can also reach us via the InfiniDB Community Forums or on Twitter @InfiniDB.
