BlackBerry updates BES10 to address Heartbleed OpenSSL vulnerability

By Bla1ze on 22 Apr 2014 02:00 pm EDT

The cleanup after the Heartbleed OpenSSL vulnerability continues and, as we noted previously, BlackBerry has been investigating how its own services were impacted. One corrective measure is an update to BES10, reflected in BlackBerry's recent revisions to its knowledge base article on the matter. The release notes are brief, but they spell out which service is affected and what admins should expect when applying the update:

This is a minor update applicable only to the BlackBerry Work Connect Notification Service; a complete outage is not required before you apply the security software update. You only have to stop the BlackBerry Work Connect Notification Service, apply the security software update, and then start the BlackBerry Work Connect Notification Service. No database updates are required.

OpenSSL vulnerabilities existed in the version of Apache Tomcat that the BlackBerry Work Connect Notification Service used. These vulnerabilities could have allowed a potentially malicious user to obtain sensitive information. These issues are resolved by this interim security software update.

Affected software: BlackBerry Enterprise Service 10 versions 10.1.1, 10.1.2, 10.1.3, 10.2.0, 10.2.1, 10.2.2

For the full details, including the complete list of affected and unaffected software and the steps to take, see the BlackBerry Knowledge Base article. The interim update itself can be downloaded directly from the BlackBerry downloads page.

Topics: BES10 Enterprise

48 comments

rickster2611

Time to triple the security because this is only the beginning.

BlackBerry...Get it done!! ©

Posted via CB10

Pulkist

10.2.2?
Hmm, what's up with that?

/p.

rthonpm

10.2.2 is a BES software version, not handset.

jrohland

It's about time. Now where is the Link update?

1roguecanuck

Better late than never I guess.

Don't hold your breath on Link

Posted via CB10

jic999

Nothing mentioned for Link.....lets go BlackBerry

Z30 : posted via CB10 app

moegh

Can we download this update?

Posted via CB10 - Q5

garyvirdi

Blackberry is the best, when it comes to security.

Posted via CB10

Paintedeyes

Why is it taking them so long? Many systems had this patched a while ago.

Posted via CB10

Chanlion

If I remember correctly they said BES10 wasn't affected by Heartbleed. So don't know what this is or maybe a preventive patch.

luvsql

I've confirmed with Tier2 support at Blackberry that this is NOT needed unless you have iPhones/Androids using the Secure Workspace (using the new Gold licenses if upgraded to 10.2.2). If you just have Blackberries it's not needed. If you just have iPhones/Android activated using the NON-secure workspace, it's not needed.

masterful

Thanks for the confirmation and that is what I have read as well on the original note


BES10 Admin

Thanks for the info

Posted via CB10

smart548

Thx for explanation! That comment should be in BOLD :)

Posted via CB10

BBrico

So wait... what you're saying is... if an organization has just BBs on their systems the update is NOT needed because the vulnerabilities did not affect BB devices, but it DOES affect iOS and Android devices? WOW... NO WAY! STOP the press.

See, and again, we argued tooth and nail at my organization to limit devices to BBs. Of course that went nowhere at all because so many former BB users crossed over to Android & iOS devices. We developed a risk assessment involving the use of these devices and a risk assessment involving BB devices. COMPLETELY different set of risks.

Way to go BB....now let the world outside of IT departments know about this!!!!!!!!

Prem WatsApp

A single vendor solution has many benefits and avoids overlooking risks resulting from fragmentation.

Now, this news won't go too far, "the press" won't allow it.

"No Q10?" -> "Buy from Chen... "

canadian nick

Thank you

Posted via CB10

avatsaev

So BES was accessible by NSA all this time?

masterful

Where did you come up with that?


Rootbrian

Where is your source? I don't see one so I call rubbish.

Posted via CrackBerry 10 (CB10) application using my BlackBerry Q10.

avatsaev

call it whatever you want

jcarlos100

Source?

Posted via CB10

avatsaev

source: common sense (apparently CrackBerry users aren't very familiar with it)

If they patched it, that means BES was vulnerable; Heartbleed was introduced several years ago and discovered just now. It is known that the NSA was using this bug to steal sensitive data (source? the whole god damn internet, google it).
I bet 99% of CBers don't even know what Heartbleed is, how it works, or how big the consequences can be if it's successfully exploited.

Prem WatsApp

Yes, BES was vulnerable, if used with Android and iOS devices. No patch needed, if you use BlackBerry devices.

Also, if you read the BlackBerry Knowledge Base article, the attacker already needs to have access to your network to exploit most of the vulnerabilities, but then it's already too late.

The most difficult part is securing the CISCO / MS Windows based infrastructure BES runs on, not BES itself.

Just my two cents.

"No Q10?" -> "Buy from Chen... "

mamat7055

That's why we don't need Android shit over here (BlackBerry); we're more secure than Guantanamo Bay, haha :)

Posted via CB10

Cheeky Fox

Now, where is the BBM update for Apple and Android? They said it would be ready on Friday already....

zocster

BBM, updated a few days ago, already has the security in place, not to worry. Go to your respective Play Store.

Cheeky Fox

They noted those were only bug fixes and performance improvements, not security fixes. Also, why do they put out a press release for this and not for BBM?

Posted via CB10

zocster

Non-Affected Software

  • BBM for iOS version 2.1.1.64 and later
  • BBM for Android version 2.1.1.53 and later

It's all a part of the big KB update linked in the post.

Cheeky Fox

Thanks

Posted via CB10

tripple dunk

Soo basically the NSA and CSEC already are in...

Great.

White Z10

TranceRomance

I'm....I'm BLEEEEEEding!

Posted via CB10 with my T-Mobile USA (Only T-Mo rep still pushing)  ‎BlackBerry Q10...SON! (Soon to be the almighty Z30!)

Observation Junkie

Here, have an elastoplast....... that should stop it.
:)

Posted by the Crackberry Pirate

TranceRomance

Hahaha!.........what's that?

Posted via CB10 with my T-Mobile USA (Only T-Mo rep still pushing)  ‎BlackBerry Q10...SON! (Soon to be the almighty Z30!)

sorinv

Good luck with securing Cisco gear and Linksys, etc. All routers have backdoors.
Just search for Easter Egg...
What is surprising here is that BlackBerry and others (Google, Cisco, etc.) did not verify the OpenSSL software. How can you incorporate third-party software into your products without verification!!?!
This is unbelievable and very likely intentional.

Posted via CB10

qwertycommander

Relax people. BlackBerry = security, that's one reason why we own one.

sorinv

What kind of logic is that?

Posted via CB10

Sith_Apprentice

Ok, so to put all of this debate to rest, here is what is patched and what was vulnerable in BES 10.

BES 10 was incorrectly excluded from the vulnerable software list originally. In fact, a specific portion of the Universal Device Services used OpenSSL. The BlackBerry Work Connect Notification Service was vulnerable to Heartbleed. BlackBerry updated their KB (listed above). The Work Connect Notification Service ONLY does the following:

BlackBerry Work Connect Notification Service

The BlackBerry Work Connect Notification Service is a web service responsible for providing new or changed mail and organizer notifications to the Work Connect app within the work space on iOS devices.

So that is all. BlackBerry is the only major MDM that had a core product vulnerable, and this is NOT a good thing. They did patch it very quickly though.

Dave Bourque

It isn't incorrectly excluded... it was fixed a long time ago.

Z10STL100-3/10.2.1.2141

Sith_Apprentice

What are you talking about?

This fix was released yesterday. The initial PR from BlackBerry said that BES10 was NOT vulnerable. It was, in fact, vulnerable. If you have not installed this patch, it is in fact, STILL vulnerable.

ojaninoa10304

You need to get this thing done! This is a serious security issue.

Posted via CB10

Aaron Cake

Obviously RIM needed to update to correct this, but on any properly configured BES10 and network, this should be a non-issue. No admin in their right mind would ever make the BES10 management and control services visible from outside the network to the wilds of the Internet. True, this does not guard against internal attacks, but anyone whose security needs are sufficient to consider internal attacks possible should have all the management of their critical infrastructure on a different LAN or VLAN anyway, so it isn't directly accessible by users.

Sith_Apprentice

Keep in mind this made your entire iOS (both device and server side) connection to BES10 vulnerable. You wouldn't necessarily need a breach to start here, but this is another attack vector into the network. While this isn't as severe as it could be, it definitely is nothing to ignore.

jtv1

I am finding it difficult to keep up with some of the jargon here.

My concern is that when I am at home, my Z10 is the only device I have to connect to the internet, via my hotspot.
While I am writing this to you on my phone, I am also connected to one or two of my laptops (Win7); it is only when I am away with my laptop at friends' that I may use their Wi-Fi for a connection.

I don't have BlackBerry Enterprise applications, but I do have BlackBerry Link on both of my laptops.

Should it be of great concern to me to worry about this Heartbleed bug due to my use of BB10 Link when I am at my friends', and do I have to keep this concern when I use my phone as my hotspot connector?

I hope I've spoken in the simplest terms possible on my account.

jtv1

Nicholas Sokach

Have tried to download said offering. Got message "page could not be found."?????

Posted via CB10

rudedogg585

SSL Handshake Failed. I got this error code last week. My calendar was reading April 9 but in fact it was April 24. No Google, no BlackBerry World. Went to Settings and went to Auto Update Time/Date. Problem fixed. It had set itself to manual. ???

Posted via CB10