BlackBerry updates BES10 to address Heartbleed OpenSSL vulnerability

By Bla1ze on 22 Apr 2014 02:00 pm EDT

The aftermath of the Heartbleed OpenSSL vulnerability continues to be cleaned up and, as we noted previously, BlackBerry has been investigating how its own services were affected. One corrective measure was an update to BES10, reflected in the recent additions to the BlackBerry knowledge base article on the matter. The notes accompanying the update are brief, but they outline which services are affected and what admins should expect when applying it.

This is a minor update applicable only to the BlackBerry Work Connect Notification Service; a complete outage is not required before you apply the security software update. You only have to stop the BlackBerry Work Connect Notification Service, apply the security software update, and then start the BlackBerry Work Connect Notification Service. No database updates are required.

OpenSSL vulnerabilities existed in the version of Apache Tomcat that the BlackBerry Work Connect Notification Service used. These vulnerabilities could have allowed a potentially malicious user to obtain sensitive information. These issues are resolved by this interim security software update.

BlackBerry Enterprise Service 10 versions 10.1.1, 10.1.2, 10.1.3, 10.2.0, 10.2.1, 10.2.2
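An added example (not from the BlackBerry KB or from the CrackBerry post) of how an admin might script the maintenance step the notes describe: stop only the Work Connect Notification Service, run the interim update, start the service again, and record the service state before and after. The Windows service is resolved from the display name quoted above; the installer path, the log path and the assumption that the installer returns exit code 0 on success are placeholders and assumptions, not values from the page.

```powershell
# Added example, not BlackBerry's own tooling. Applies the BES10 interim update the way the
# KB note describes: stop only the Work Connect Notification Service, apply the update,
# start the service again. No other BES10 component is touched and no database update runs.
# ASSUMPTIONS: $InstallerPath and $LogPath are placeholders; the installer is assumed to
# return exit code 0 on success (check the installer's own documentation).

$DisplayName   = 'BlackBerry Work Connect Notification Service'   # display name from the KB note
$InstallerPath = 'C:\Temp\BES10-WorkConnect-InterimUpdate.exe'    # placeholder: the downloaded update
$LogPath       = 'C:\Temp\bes10-workconnect-update.log'           # placeholder: where to keep a record

function Write-UpdateLog([string]$Message) {
    # Timestamped line to the console and to the log file, so the change is auditable
    $line = "$(Get-Date -Format s) $Message"
    Write-Host $line
    Add-Content -Path $LogPath -Value $line
}

function Get-WorkConnectService {
    # Resolve by display name so the short service name does not have to be guessed
    $svc = Get-Service -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if (-not $svc) { throw "Service '$DisplayName' not found on this host." }
    return $svc
}

$svc = Get-WorkConnectService
Write-UpdateLog "Service '$($svc.Name)' state before update: $($svc.Status)"

# 1. Stop only the notification service; the rest of BES10 keeps running
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $svc.Name -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(120))
    Write-UpdateLog "Service stopped"
}

# 2. Apply the interim security software update and wait for the installer to finish
if (-not (Test-Path $InstallerPath)) { throw "Installer not found at $InstallerPath" }
$proc = Start-Process -FilePath $InstallerPath -Wait -PassThru
Write-UpdateLog "Installer exit code: $($proc.ExitCode)"
if ($proc.ExitCode -ne 0) {
    throw "Update installer failed with exit code $($proc.ExitCode); service left stopped for investigation"
}

# 3. Start the service again and confirm it actually came back up
Start-Service -Name $svc.Name
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(120))
$svc.Refresh()
Write-UpdateLog "Service state after update: $($svc.Status)"
```

Run it from an elevated PowerShell session on the BES10 host. If the installer fails, the script deliberately leaves the service stopped and throws, so a half-applied update is noticed rather than silently restarted on the old, vulnerable code.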

If you're looking for the full details, the BlackBerry Knowledge Base article has the full rundown of affected and unaffected software as well as the steps that should be taken to prevent any security issues. The interim update can also be downloaded directly from the BlackBerry downloads page.


Reader comments

If I remember correctly they said BES10 wasn't affected by Heartbleed. So don't know what this is or maybe a preventive patch.

I've confirmed with Tier2 support at Blackberry that this is NOT needed unless you have iPhones/Androids using the Secure Workspace (using the new Gold licenses if upgraded to 10.2.2). If you just have Blackberries it's not needed. If you just have iPhones/Android activated using the NON-secure workspace, it's not needed.

Thanks for the confirmation and that is what I have read as well on the original note

So wait... what you're saying is... if an organization has just BB's on their systems the update is NOT needed because the vulnerabilities did not affect BB devices, but it DOES affect iOS and Android devices? WOW... NO WAY! STOP the press.

See, and again, we argued tooth and nail at my organization to limit devices to BB's. Of course that went nowhere at all because so many former BB users crossed over to Android & iOS devices. We developed a risk assessment involving the use of these devices and a risk assessment involving BB devices. COMPLETELY different set of risks.

Way to go let the world outside of IT departments know about this!!!!!!!!

A single vendor solution has many benefits and avoids overlooking risks resulting from fragmentation.

Now, this news won't go too far, "the press" won't allow it.

"No Q10?" -> "Buy from Chen... "

Where is your source? I don't see one so I call rubbish.

Posted via CrackBerry 10 (CB10) application using my BlackBerry Q10.

source: common sense (apparently crackberry users aren't very familiar with it)

If they patched it, that means BES was vulnerable; Heartbleed was introduced several years ago and discovered just now. It is known that NSA was using this bug to steal sensible data (source? the whole god damn internet, google it).
I bet 99% of CBers don't even know what heart bleed is, how it works, or how big the consequences can be if it's successfully exploited.

Yes, BES was vulnerable, if used with Android and iOS devices. No patch needed, if you use BlackBerry devices.

Also, if you read the BlackBerry Knowledge base article, the attacker already needs to have access to you network to exploit most of the vulnerabilities, but then it's already too late.

The most difficult part is securing the CISCO / MS Windows based infrastructure BES runs on, not BES itself.

Just my two cents.

"No Q10?" -> "Buy from Chen... "

That's why we don't need android shit over here (BlackBerry), we're more secure than Guantanamo Bay haha :)

Posted via CB10

BBM updated a few days ago already has the security in place, not to worry. Go to your respective playstore.

They noted those were only bug fixes and performance improvements, not security fixes. Also, why do they put out a press release for this and not for BBM?

Posted via CB10

Non-Affected Software

  • BBM for iOS version and later
  • BBM for Android version and later

It's all a part of the big KB update linked in the post.

I'm....I'm BLEEEEEEding!

Posted via CB10 with my T-Mobile USA (Only T-Mo rep still pushing)  ‎BlackBerry Q10...SON! (Soon to be the almighty Z30!)

Hahaha!.........what's that?

Posted via CB10 with my T-Mobile USA (Only T-Mo rep still pushing)  ‎BlackBerry Q10...SON! (Soon to be the almighty Z30!)

Good luck with securing Cisco gear and Linksys, etc. All routers have backdoors.
Just search for Easter Egg...
What is surprising here is that BlackBerry and others (Google, Cisco, etc.) did not verify the openssl software. How can you incorporate third party software into your products without verification!!?!
This is unbelievable and very likely intentional.

Posted via CB10

Ok, so to put all of this debate to rest, here is what is patched and what was vulnerable in BES 10.

BES 10 was incorrectly excluded from the vulnerable software list originally. In fact, a specific portion of the Universal Device Services used OpenSSL. The BlackBerry Work Connect Notification Service was vulnerable to Heartbleed. BlackBerry updated their KB (listed above). The Work Connect Notification Service ONLY does the following:

BlackBerry Work Connect Notification Service

The BlackBerry Work Connect Notification Service is a web service responsible for providing new or changed mail and organizer notifications to the Work Connect app within the work space on iOS devices.

So that is all. BlackBerry is the only major MDM that had a core product vulnerable, and this is NOT a good thing. They did patch it very quickly though.

What are you talking about?

This fix was released yesterday. The initial PR from BlackBerry said that BES10 was NOT vulnerable. It was, in fact, vulnerable. If you have not installed this patch, it is in fact, STILL vulnerable.

Obviously RIM needed to update to correct this, but on any properly configured BES10 and network, this should be a non-issue. No admin in their right mind would ever make the BES10 management and control services visible from outside the network to the wilds of the Internet. True, this does not guard against internal attacks, but anyone with sufficient security needs who considers internal attacks possible should have all the management of their critical infrastructure on a different LAN or VLAN anyway so it isn't directly accessible by users.

Keep in mind this made your entire iOS (both device and server side) connection to BES10 vulnerable. You wouldn't necessarily need a breach to start here, but this is another attack vector into the network. While this isn't as severe as it could be, it definitely is nothing to ignore.

I am finding it difficult to keep up with some of the jargon here.

My concerns are, when I'm at home, my Z10 is my only device I have to connect to the internet, via my hotspot.
Like while I'm writing this to you on my phone, I am also connected to one or two of my laptops (Win7); it is only when I'm away with my laptop at friends' that I may use their Wifi for a connection.

I don't have BlackBerry Enterprise applications but I do have BlackBerry Link on both of my laptops.

Should it be of great concern to me to worry about this Heartbleed bug due to my use of the BB10 Link when I'm at my friends', and do I have to keep this concern when I use my phone as my hotspot connector?

I hope I've spoken in the simplest terms possible on my account.

SSL Handshake Failed. I got this error code last week. My calendar was reading April 9 but in fact it was April 24. No Google no BlackBerry World. Went to settings and went To Auto Update Time/Date. Problem fixed. It had set itself to manual. ???

Posted via CB10