It has come to our attention that several versions of OpenSSL contain a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as ‘Heartbleed’ and can leak up to 64K bytes of content from system RAM with each heartbeat exchange. The leaked data could possibly contain sensitive information such as usernames, passwords and certificate data.
For more information visit http://heartbleed.com/
The current release of the CAIL SSL Security Facility is based on OpenSSL 1.0.1f, which is affected by this vulnerability. However, we have compiled with heartbeats disabled, which removes the vulnerability. Since the communications CAIL encrypts don’t use heartbeats, this has no effect on operation.
Most customers are using older versions of the CAIL SSL Security Facility which are based on the “0.9.8” branch of OpenSSL and are therefore not affected by the ‘Heartbleed’ vulnerability.
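One way to check which of the cases above applies to a given OpenSSL build is shown below. This is an added example, not CAIL's or OpenSSL's own code. It assumes the build was configured with the `-DOPENSSL_NO_HEARTBEATS` flag and that the flag appears in the `compiler:` line of `openssl version -a`; the function name and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Heartbleed exposure from `openssl version -a` text.

heartbleed_status() {
    info=$1   # full text printed by `openssl version -a`
    # First line looks like "OpenSSL 1.0.1f 6 Jan 2014"; field 2 is the version.
    ver=$(printf '%s\n' "$info" | awk 'NR==1 && $1=="OpenSSL" {print $2}')
    [ -n "$ver" ] || { echo unknown; return 0; }
    case $ver in
        # Releases that shipped the flawed heartbeat code (a suffix such as
        # "-fips" is allowed). A vendor may backport the fix without changing
        # this string, so "vulnerable" means "confirm with the vendor".
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta|1.0.2-beta1) ;;
        *) echo not-affected; return 0 ;;
    esac
    # A build compiled with heartbeats disabled leaves the heartbeat code out.
    case $info in
        *-DOPENSSL_NO_HEARTBEATS*) echo mitigated-no-heartbeats ;;
        *) echo vulnerable ;;
    esac
}

# Constructed sample outputs (not captured from any real system).
SAMPLE_NO_HB='OpenSSL 1.0.1f 6 Jan 2014
built on: Thu Apr 10 12:00:00 UTC 2014
compiler: gcc -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O3 -Wall'
SAMPLE_STOCK='OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Jan  6 12:00:00 UTC 2014
compiler: gcc -DOPENSSL_THREADS -O3 -Wall'
SAMPLE_098='OpenSSL 0.9.8y 5 Feb 2013
compiler: gcc -DOPENSSL_THREADS -O3 -Wall'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -DOPENSSL_THREADS -O3 -Wall'

for s in "$SAMPLE_NO_HB" "$SAMPLE_STOCK" "$SAMPLE_098" "$SAMPLE_FIXED"; do
    heartbleed_status "$s"
done
```

On a live system, pass the real output with `heartbleed_status "$(openssl version -a)"`.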
If there are any questions or you would like to discuss this further, please contact CAIL at: 800-668-5769 X222, 905-940-9000 X222, firstname.lastname@example.org
April 10, 2014