Heartbleed on Jira 5.2

Lynn Lynn April 20, 2014

I would like to check whether Heartbleed affects Jira 5.2. Are there any documents that state whether it is affected or not, as I need to report to my IT side? If it is affected, what are the remedy steps to fix it? If I need to check the OpenSSL version installed on Jira, what would be the steps to check? Thanks

2 answers

0 votes
yen_mrkid April 20, 2014
Just upgrade it, or you can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
 
0 votes
Pedro Souza
Atlassian Team
April 20, 2014

Hi,

Heartbleed has been confirmed, after investigations, to be an infrastructure issue. Our findings have been published in this blog post, which outlines the issue context; please take some time to review the details here: http://blogs.atlassian.com/2014/04/openssl-cve-2014-0160-atlassian/

To find out whether you are affected or not, please check the version of OpenSSL that is running on your server. OpenSSL 1.0.1 or 1.0.2 releases may be affected. The entirety of OpenSSL's statement regarding this matter can be accessed at this link: https://www.openssl.org/news/secadv_20140407.txt.

If you have followed our instructions on configuring SSL in any product (for example, https://confluence.atlassian.com/display/STASH/Securing+Stash+with+Tomcat+using+SSL), you are not using Tomcat’s APR and “native” OpenSSL libraries, but Java’s own implementation in javax.net.ssl.

Java SSL does not even support heartbeats.

If you scroll down that page, you will see that the config for APR OpenSSL is different. It includes directives such as SSLCertificateFile and SSLCertificateKeyFile.

If you have installed a WAR distribution, then we are not handling SSL and the app container might be using the host’s libraries. **Again, if you configured the server not to use APR, you’re fine.**

Cheers,

Pedro Souza.
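The check described in the answer above, as an added example that is not part of the original post and is not Atlassian's code: it reads a Tomcat `server.xml` and reports, for each connector, whether TLS is configured through APR/native OpenSSL or through Java's JSSE. The sample `server.xml`, its ports and paths are constructed; `keystoreFile` and the `Http11AprProtocol` class name are standard Tomcat names that the post does not mention.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml; ports and paths are placeholders.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/path/to/keystore.jks" keystorePass="changeit"/>
    <Connector port="9443" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="/path/to/cert.pem"
               SSLCertificateKeyFile="/path/to/key.pem"/>
  </Service>
</Server>"""

# Attributes that only make sense for one TLS implementation (lower-cased).
APR_ATTRS = {"sslcertificatefile", "sslcertificatekeyfile"}
JSSE_ATTRS = {"keystorefile", "keystorepass", "keyalias"}


def classify_connector(attrs):
    """Return 'plain', 'apr', 'jsse' or 'unknown' for one <Connector>."""
    lowered = {k.lower(): v for k, v in attrs.items()}
    # Only SSLEnabled counts: scheme="https" alone is common behind a
    # TLS-terminating proxy, where Tomcat itself does no TLS.
    if lowered.get("sslenabled", "").lower() != "true":
        return "plain"
    protocol = lowered.get("protocol", "")
    if "AprProtocol" in protocol or APR_ATTRS.intersection(lowered):
        return "apr"   # native OpenSSL: check the host's OpenSSL version
    if JSSE_ATTRS.intersection(lowered) or protocol.endswith(
            ("Http11Protocol", "Http11NioProtocol")):
        return "jsse"  # Java's javax.net.ssl: no heartbeat support
    # protocol="HTTP/1.1" auto-selects APR when the native library loads,
    # so without telling attributes the config alone cannot decide.
    return "unknown"


def audit(server_xml_text):
    """Map each connector's port to its classification."""
    root = ET.fromstring(server_xml_text)
    return {c.get("port"): classify_connector(c.attrib)
            for c in root.iter("Connector")}


if __name__ == "__main__":
    for port, kind in audit(SAMPLE_SERVER_XML).items():
        print(f"connector on port {port}: {kind}")
```

A result of `apr` or `unknown` means the OpenSSL version on the host still has to be checked against the advisory linked in the answer.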
