By now, most folks are likely getting tired of hearing about the OpenSSL Heartbleed vulnerability, but it's an insanely important thing to address, and chances are we're going to be hearing about it for quite some time as companies get their software, services, websites, apps and more in the clear of the issue entirely.
I've not noticed a lot of concerned BlackBerry users, but if you are among those wondering how BlackBerry is handling it and what, if any, software or services were affected by it, we now have a full knowledge base article from BlackBerry covering it.
BlackBerry is currently investigating the customer impact of the recently announced OpenSSL vulnerability. BlackBerry customers can rest assured that while BlackBerry continues to investigate, we have determined that BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 are not affected and are fully protected from the OpenSSL issue. A list of known affected and unaffected products is supplied in this notice, and may be updated as we complete our investigation.
The OpenSSL heartbeat extension read overflow is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows an attacker to steal the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. This issue was addressed in OpenSSL 1.0.1g and a fix is available for integration into affected BlackBerry products. The vulnerability is detailed in CVE-2014-0160.
Further investigation into affected products is ongoing, and BlackBerry is working to determine the full impact of the issue and confirm the best approach for protecting customers. As fixes become available, this notice will be updated.
Affected products:
- BBM for iOS and Android - There are no mitigations for this vulnerability, however the vulnerability is non-trivial to exploit.
- Secure Work Space for iOS and Android - There are no mitigations for this vulnerability for Secure Work Space for iOS and Android.
- BlackBerry Link for Windows - This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems. BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.
- BlackBerry Link for Mac OS - This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems. BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.

Unaffected products:
- BlackBerry Enterprise Service 10
- BlackBerry Enterprise Server 5
- BlackBerry Universal Device Server
- BlackBerry® 10 OS
- BlackBerry® 7.1 OS and earlier
- BBM for BlackBerry smartphones
BlackBerry smartphones are NOT affected by this issue, and BlackBerry notes that as the investigation into the affected offerings continues, the knowledge base article will be updated accordingly. If you're looking for more info, you can hit the source link to view the entire knowledge base article on the matter.
To be clear though, just because smartphones are unaffected, that doesn't instantly mean everything is in the clear. If you're concerned, you should be checking with developers and vendors and resetting your passwords where and when advised to do so.
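The notice's firewall mitigation for BlackBerry Link (filtering heartbeat requests) comes down to recognizing TLS records with the heartbeat content type. The sketch below is an added example, not code from BlackBerry or the knowledge base article. It assumes the filter sees the raw TLS record stream, and the function names and sample bytes are constructed for illustration.

```python
import struct

HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1      # heartbeat_request message type
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding follow the payload

def tls_records(stream: bytes):
    """Yield (content_type, body) for each complete TLS record in the stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if pos + 5 + length > len(stream):
            return  # truncated record: a real filter would buffer for more data
        yield ctype, stream[pos + 5 : pos + 5 + length]
        pos += 5 + length

def filter_heartbeats(stream: bytes):
    """Return (action, reason) per record; the policy drops every heartbeat."""
    verdicts = []
    for ctype, body in tls_records(stream):
        if ctype != HEARTBEAT:
            verdicts.append(("pass", "not a heartbeat record"))
            continue
        reason = "heartbeat record"
        # The length check only means something for cleartext heartbeats; the
        # record is dropped either way, so a false hit on ciphertext is harmless.
        if len(body) >= 3:
            msg_type, claimed = struct.unpack_from("!BH", body)
            if msg_type == HB_REQUEST and 3 + claimed + MIN_PADDING > len(body):
                reason = f"heartbeat request claims {claimed} payload bytes in a {len(body)}-byte record"
        verdicts.append(("drop", reason))
    return verdicts

def record(ctype: int, body: bytes) -> bytes:
    """Build a TLS 1.1 record (constructed test input, not captured traffic)."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body

# Constructed sample stream: handshake bytes, a consistent heartbeat, an inconsistent one.
SAMPLE = (
    record(22, b"\x00" * 8)
    + record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * MIN_PADDING)
    + record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 1000))
)

if __name__ == "__main__":
    for action, reason in filter_heartbeats(SAMPLE):
        print(action, "-", reason)
```

The record header stays in cleartext even once a session is encrypted, which is why a firewall can filter on the content type alone.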