THE INFORMATION IN THIS ARTICLE APPLIES TO:
- Mail Express v3.3 and later
The "Heartbleed Bug" (CVE-2014-0160) is a serious vulnerability in the popular OpenSSL cryptographic software library (v1.0.1 through 1.0.1f; fixed in 1.0.1g). A missing bounds check in OpenSSL's TLS heartbeat extension lets an unauthenticated remote peer read up to 64 KB of the process's memory per heartbeat request, which allows stealing the information that SSL/TLS normally protects (session contents, credentials, and potentially the server's private key) for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). Because the private key itself can be exposed, consider whether the server certificate needs to be reissued once the vulnerable library is no longer in use.
The workarounds below also apply to another OpenSSL vulnerability, CVE-2014-0224 (fixed in OpenSSL 1.0.1h), which “does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the 'CCS Injection' vulnerability.”
Mail Express uses two secure communication implementations, OpenSSL (through the Tomcat APR/native connector) and JSSE (the Java runtime's own TLS implementation, which shares no code with OpenSSL and is not affected by either CVE), depending on the communication path being used. The OpenSSL build shipped with Mail Express is v1.0.1c, which is within the vulnerable range. Work is in progress on updating the OpenSSL library to eliminate this vulnerability. Until a patch is released, the workarounds below can be used to remediate the issue; each of them removes the OpenSSL-based connectors from the path that untrusted clients can reach.
- Use Globalscape® DMZ Gateway® in conjunction with Mail Express.
  - Mail Express uses a different SSL library (JSSE) for its communication with DMZ Gateway, so that path is not susceptible to this vulnerability; external clients connect to DMZ Gateway rather than directly to the Mail Express OpenSSL connectors.
- Pass traffic through a Threat Management Gateway, such as Microsoft Forefront.
  - Only Microsoft Forefront has been tested and found to prevent the issue. Results with other applications may vary depending on how they handle the SSL communication: a gateway protects Mail Express only if it terminates the client's TLS session itself (so no untrusted client negotiates directly with the Mail Express OpenSSL connectors) and its own TLS stack is not built on a vulnerable OpenSSL.
- Convert all of your current Mail Express connectors in the server.xml file to use JSSE*.
  - Some systems may see minor performance degradation due to this change, because JSSE performs the TLS work in Java rather than in native OpenSSL code.
  - The “FIPS 140-2 approved protocol” setting will be unavailable when using this configuration. Please contact Globalscape customer support to re-enable this.
  - Match the ciphers and SSLEnabledProtocols attributes on the converted connectors to those on your DMZ connectors, so the accepted protocol versions and cipher suites do not change silently; the APR attribute names (SSLProtocol, SSLCipherSuite) are not the JSSE ones and must be translated rather than copied.
  - You need to edit both the 8443 and the 443 connectors per the attached PDF.
  - Changing the SSL library also changes how Mail Express reads the SSL certificate: the APR connector reads PEM certificate and key files, whereas a JSSE connector reads a Java keystore. If you have a custom SSL certificate installed, follow the steps in the attached PDF to manually update your keystore.
  - Refer to the Tomcat documentation to configure the JSSE connector.
Attached is a PDF of instructions for manually updating the keystore and editing the APR connectors (e.g., 443 and 8443) to use JSSE connectors. Globalscape Customer Support is available to assist you with reconfiguring your server.xml file, if needed.
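As an added example that is not part of the Globalscape article, the attached PDF, or the Mail Express product itself, the following POSIX shell script shows the two halves of the JSSE workaround: bundling an existing PEM certificate and key into a keystore that a JSSE connector can read, and the shape of the replacement connector in server.xml beside the APR connector it replaces. It assumes Tomcat 7 connector attribute names, a PKCS12 keystore (so keytool is not required), and the alias "mailexpress", the password "changeit", the file paths and the cipher list shown, none of which come from the article; the certificate it generates is a constructed stand-in for a customer's real files. Only the ports (443 and 8443) and the need to edit both connectors are taken from the article.

```shell
#!/bin/sh
# Added example (not from the Globalscape article or Mail Express itself):
# move a Mail Express HTTPS connector from the APR/OpenSSL connector, which
# reads PEM files, to a JSSE connector, which reads a Java keystore.
# Assumptions (not stated on the page): Tomcat 7 attribute names, a PKCS12
# keystore (no keytool needed), and the alias/paths/password used below.
set -eu

# Constructed stand-in for a customer's existing PEM certificate and key.
# In a real migration, skip this and point the next step at the files the
# APR connector's SSLCertificateFile / SSLCertificateKeyFile already name.
make_demo_pem_cert() {
  cert="$1"; key="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=mailexpress.example.test" \
    -keyout "$key" -out "$cert" 2>/dev/null
}

# Bundle PEM cert + key into a PKCS12 keystore that JSSE can load directly
# (keystoreType="PKCS12"); keytool -importkeystore can convert it to JKS
# later if the existing DMZ connectors use that format.
pem_to_pkcs12_keystore() {
  cert="$1"; key="$2"; out="$3"; pass="$4"
  openssl pkcs12 -export -in "$cert" -inkey "$key" \
    -name mailexpress -out "$out" -passout "pass:$pass"
  chmod 600 "$out"   # the keystore holds the private key: owner-only
}

# Check that the keystore opens with the given password and carries the
# alias (friendlyName) the connector will use. Returns non-zero otherwise.
keystore_has_alias() {
  out="$1"; pass="$2"; alias="$3"
  openssl pkcs12 -in "$out" -passin "pass:$pass" -nokeys -info 2>&1 \
    | grep -q "friendlyName: $alias"
}

# Emit the replacement connector for one port (run once for 443 and once
# for 8443). Compared with the APR original kept in the XML comment:
#  - protocol names a JSSE connector class explicitly, so Tomcat does not
#    pick the APR/OpenSSL implementation when tcnative is loaded;
#  - SSLCertificateFile/SSLCertificateKeyFile become keystoreFile/keystorePass;
#  - SSLProtocol/SSLCipherSuite become sslEnabledProtocols/ciphers, and the
#    values below are placeholders to be matched to your DMZ connectors.
jsse_connector_xml() {
  keystore="$1"; pass="$2"; port="$3"
  cat <<EOF
<!-- before (APR connector, uses OpenSSL):
<Connector port="$port" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           SSLCertificateFile="conf/mailexpress.crt"
           SSLCertificateKeyFile="conf/mailexpress.key"
           SSLProtocol="TLSv1"
           SSLCipherSuite="HIGH:!aNULL:!MD5" />
-->
<Connector port="$port" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           keystoreFile="$keystore" keystorePass="$pass" keystoreType="PKCS12"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
EOF
}

# Usage (run in order):
#   pem_to_pkcs12_keystore conf/mailexpress.crt conf/mailexpress.key conf/mailexpress.p12 changeit
#   keystore_has_alias conf/mailexpress.p12 changeit mailexpress
#   jsse_connector_xml conf/mailexpress.p12 changeit 443
#   jsse_connector_xml conf/mailexpress.p12 changeit 8443
```

keystorePass is stored in clear text in server.xml, as it is for any Tomcat JSSE connector, so keep server.xml and the keystore readable only by the account Mail Express runs as. If your existing DMZ connectors already reference a JKS keystore, `keytool -importkeystore -srckeystore mailexpress.p12 -srcstoretype PKCS12 -destkeystore mailexpress.jks` converts the PKCS12 file to that format and lets both connectors share one keystore.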