Managed File Transfer and Heartbleed (Also FTP Servers)

The Heartbleed vulnerability in OpenSSL affects many managed file transfer, secure file transfer, FTP server and FTP client technologies.  File Transfer Consulting has compiled a list of vendor and project statements about Heartbleed remediation below.

(Long story short: the “Heartbleed” vulnerability, CVE-2014-0160, lets anyone who can complete a TLS handshake with a target pull chunks of that process’s memory, up to 64 KB per request and as many requests as they like.  This memory often contains private keys, session cookies, passwords or other juicy bits of information that would otherwise be inaccessible.  The bug is in OpenSSL’s implementation of the TLS “heartbeat” extension (RFC 6520) in versions 1.0.1 through 1.0.1f: the code trusts the payload length claimed inside the heartbeat message instead of checking it against the size of the record actually received, so a tiny request that claims a large payload is answered with whatever happens to sit next to it in memory – untrusted input in a leaky “heartbeat” function, thus the name.  OpenSSL 1.0.1g fixes it; the 1.0.0 and 0.9.8 branches never had the bug, and products built on a different TLS stack (SmartFTP, for example, uses Microsoft’s SChannel) are not affected by it at all.  The leak leaves no trace in the server’s logs, so patching alone is not enough: treat keys, certificates and credentials that were in memory as exposed and replace them.  Note that there’s also a client component – a malicious or compromised server can bleed memory from a vulnerable client in exactly the same way – that may also need to be addressed; more here; cartoon edition for your manager here)
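To make the mechanism concrete, here is an added example (written for this post; it is not code from OpenSSL or from any of the vendors listed below) that models the heartbeat handler before and after the 1.0.1g fix in Python. The control flow mirrors OpenSSL’s tls1_process_heartbeat(), but the simulated process memory, the request bytes and the “secrets” lying next to the record are constructed for illustration:

```python
"""Model of the Heartbleed bug (CVE-2014-0160) in OpenSSL's heartbeat handler.

Added example, not code from the original post or from OpenSSL itself. The
control flow follows tls1_process_heartbeat() before and after the 1.0.1g fix,
but the "process memory", the record and the secret strings are constructed
for illustration.
"""
import struct

HB_REQUEST = 1      # TLS1_HB_REQUEST
HB_RESPONSE = 2     # TLS1_HB_RESPONSE
PADDING = 16        # minimum padding a heartbeat message must carry (RFC 6520)
MAX_CLAIM = 0xFFFF  # payload_length is a 16-bit field: up to 64 KB per request


def build_heartbeat(claimed_len, payload=b"", padding=b"\x00" * PADDING):
    """Heartbeat message: type(1) | payload_length(2) | payload | padding.

    An honest peer sets claimed_len == len(payload). The attack sends a tiny
    payload with a large claimed_len.
    """
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + padding


def process_heartbeat_vulnerable(memory, rec_off, rec_len):
    """Pre-1.0.1g behaviour: believes the length field inside the message.

    rec_len (the number of bytes actually received) is never consulted.
    """
    p = rec_off
    hbtype = memory[p]
    p += 1
    (payload,) = struct.unpack("!H", memory[p:p + 2])  # n2s(p, payload)
    p += 2
    pl = p
    if hbtype != HB_REQUEST:
        return None
    # memcpy(bp, pl, payload): copies `payload` bytes starting at the request
    # payload, running past the end of the record into whatever is next in memory.
    echoed = bytes(memory[pl:pl + payload])
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload) + echoed + b"\x00" * PADDING


def process_heartbeat_fixed(memory, rec_off, rec_len):
    """1.0.1g behaviour: the claimed length is checked against the record length."""
    if 1 + 2 + PADDING > rec_len:
        return None  # silently discard: too short to be a valid heartbeat
    p = rec_off
    hbtype = memory[p]
    p += 1
    (payload,) = struct.unpack("!H", memory[p:p + 2])
    p += 2
    if 1 + 2 + payload + PADDING > rec_len:
        return None  # silently discard per RFC 6520 section 4
    pl = p
    if hbtype != HB_REQUEST:
        return None
    echoed = bytes(memory[pl:pl + payload])
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload) + echoed + b"\x00" * PADDING


def response_payload(resp):
    """The payload a heartbeat response carries (padding stripped)."""
    (n,) = struct.unpack("!H", resp[1:3])
    return resp[3:3 + n]


def leaked_bytes(resp, sent_payload):
    """Everything the response contains beyond what the request actually sent."""
    return response_payload(resp)[len(sent_payload):]


# Constructed heap neighbourhood: the incoming record, then data that happens to
# sit next to it. The strings are fake; real leaks have held keys and passwords.
NEARBY = (b"\x00" * 40
          + b"USER alice\r\nPASS hunter2\r\n"
          + b"-----BEGIN RSA PRIVATE KEY-----")


def heartbeat_exchange(claimed_len, payload=b"hello"):
    """Run one request through both handlers; returns (vulnerable_resp, fixed_resp)."""
    record = build_heartbeat(claimed_len, payload)
    memory = bytearray(record + NEARBY + b"\x00" * MAX_CLAIM)  # keep overread in bounds
    return (process_heartbeat_vulnerable(memory, 0, len(record)),
            process_heartbeat_fixed(memory, 0, len(record)))


if __name__ == "__main__":
    vuln, fixed = heartbeat_exchange(MAX_CLAIM)
    leak = leaked_bytes(vuln, b"hello")
    print("vulnerable handler leaked", len(leak), "bytes, including",
          leak[leak.find(b"USER"):leak.find(b"KEY-----") + 8])
    print("fixed handler response:", fixed)
```

Run it and the vulnerable handler answers a 24-byte request with 65,535 bytes, almost all of them read from beyond the record; the fixed handler discards the same request because the claimed length exceeds what was actually received. The honest case (claimed length equal to the real payload) gets the same answer from both, which is why the fix broke nothing. Note that the leak is a read, not a crash: the server carries on and logs nothing, which is why IBM’s statement below pairs the OpenSSL upgrade with replacing keys and credentials.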

Secure File Transfer Heartbleed Statements

Solarwinds – Serv-U (FTP Server and MFT Server): Open SSL in Serv-U ver 15.x  (TLDR: uses OpenSSL, but version used not affected)

JSCAPE – Multiple Products: JSCAPE products not affected by Heartbleed vulnerability

Cleo – Harmony, Cleo VLTrader, Cleo LexiCom, and Cleo Streem: Cleo Software Unaffected by Heartbleed Bug 

Linoma – Multiple Products: Linoma Software products are not affected by Heartbleed bug

CrushFTP: CrushFTP is not vulnerable to Heartbleed

Ipswitch – MOVEit: Ipswitch’s Response to Heartbleed SSL (TLDR: MOVEit DMZ “Mobile” is affected and needs a patch; everything else not affected)

Ipswitch – WS_FTP Server: Ipswitch’s Response to Heartbleed SSL (TLDR: version 7.6 is affected, please upgrade/patch to latest version of 7.6; other versions not affected)

Ipswitch – MessageWay: Ipswitch’s Response to Heartbleed SSL (TLDR: not affected)

Globalscape – EFT Server: EFT™ Unaffected by “Heartbleed” Exploit  (thanks also to Jonathan Bennetts for early word)

Globalscape – Mail Express: The Heartbleed OpenSSL Vulnerability and Mail Express (TLDR: The “OpenSSL” edition of Mail Express v3.3 is vulnerable but can be mitigated with DMZ Gateway or Microsoft Forefront – expect remediation soon)

Primeur: Heartbleed bug? Not with Primeur!

Thru: Thru is unaffected by the Heartbleed Bug

IBM/Sterling Commerce: IBM Product Security Incident Response Blog – OpenSSL Heartbleed (CVE-2014-0160) (TLDR: Sterling B2B Integrator and Sterling File Gateway are affected: upgrade your OpenSSL to version 1.0.1g+ and replace keys and credentials; Sterling MFT and Gentran not affected)

Axway: VP’s (unofficial) blog post (TLDR: not affected)

Accellion: (affected and released fix – sent statement to customers with details – public announcement expected soon)

ProFTPD: (nothing yet)

Filezilla FTP Server: OpenSSL and FileZilla Server (TLDR: Affected; upgrade to version 0.9.44+)

Attachmate FileXpress: Attachmate Security Update for OpenSSL ‘Heartbleed’ Vulnerability CVE-2014-0160 (TLDR: not affected)

SEEBURGER: SEEBURGER products and services are not vulnerable to the heartbleed bug 

DiCentral: DiCentral Products Not Vulnerable to Online Security Threat “Heartbleed”

GXS: (statement requested – “GXS’s BizManager/BizLink products are not impacted. The Coyote connector is used in all of the Tomcat instances, and only the APR connector in Tomcat would be vulnerable!” – Anthony Lloyd)

bTrade: OpenSSL Heartbleed Vulnerability Does Not Affect bTrade Customers

BISCOM: Heartbleed – OpenSSL (TLDR: generally not affected, but if you manually upgraded to OpenSSL 1.0.1, you may be affected)

Cerberus FTP Server: Cerberus FTP Server FAQ (TLDR: version 6.0 is affected – upgrade to version 6.0.7.1 now; version 5.0 and older are not affected)

Townsend Security: Heartbleed Vulnerability and Townsend Security Products (TLDR: not affected)

Rumpus FTP Server: John’s Blog: SSL Vulnerabilities (TLDR: Rumpus for Windows is affected, upgrade to 7.2.21; Rumpus for Mac is not affected unless you manually updated OS X’s OpenSSL)

Obsecure: “Both our Australian products obsecure360 and SwapDox are not affected – Paul Waite, Founder”

Syncplify FTP Server: Syncplify.me software products are immune from the “heartbleed” OpenSSL bug

South River Technologies (SRT) Titan FTP Server:  The Heartbleed Bug – How Does it Affect You? (TLDR: Current editions not affected; pre-2010 editions of Titan FTP – version 7 and earlier – used an older version of OpenSSL and should not be affected, but you can get a free upgrade to a current, non-OpenSSL version just in case anything else is found in OpenSSL)

South River Technologies (SRT) Cornerstone MFT Server: The Heartbleed Bug – How Does it Affect You? (TLDR: not affected)

DataExpedition: “Heartbleed” Does Not Affect DEI Software

DataExpress: Heartbleed Bug (TLDR: not affected)

EnterpriseDT CompleteFTP, edtFTPnet/PRO and edtFTPj/PRO: “Heartbleed” – a catastrophe (TLDR: not affected)

CoreFTP: Heartbleed security vulnerability for Core FTP Server (TLDR: not affected)

File Transfer Clients

Coviant Diplomat (Automated Client): Coviant Software Confirms No Heartbleed Bug

Attachmate Reflection, INFOConnect and EXTRA!: Attachmate Security Update for OpenSSL ‘Heartbleed’ Vulnerability CVE-2014-0160 (TLDR: these products are affected, look for patches soon)

Filezilla FTP Client: Heartbleed bug (CVE-2014-0160 ) (TLDR: not affected)

WinSCP: Tracker Bug 1151 – OpenSSL vulnerability (TLDR: affected, upgrade to version 5.5.3+)

Ipswitch – WS_FTP Pro: Ipswitch’s Response to Heartbleed SSL (TLDR: version 12.4 is affected, get the upgrade/patch; WS_FTP LE and older versions of Pro are not affected)

Syncplify FTP Script: Syncplify.me software products are immune from the “heartbleed” OpenSSL bug

South River Technologies (SRT) Web Drive:  The Heartbleed Bug – How Does it Affect You? (TLDR: Current editions not affected; pre-2010 editions of WebDrive – version 9 and earlier – used an older version of OpenSSL and should not be affected, but you can get a free upgrade to a current, non-OpenSSL version just in case anything else is found in OpenSSL)

Software AG – webMethods ActiveTransfer: “Software AG’s managed file transfer solution, webMethods ActiveTransfer, is not affected by Heartbleed.” – David Hardman, Senior Manager for B2B and MFT  (A full support statement is available to registered customers.)

SmartFTP – “SmartFTP is not affected as it uses SChannel from Microsoft for TLS/SSL connections.” – Mat Berchtold, SmartSoft Ltd.

Still Looking for More Statements

If you are a file transfer vendor or your file transfer vendor has posted a statement, please send it to us and we will post it here.

Test Your FTP Server (etc.) for Heartbleed

If you want to test your own FTP server or other file transfer technology, you can use one of the following services:
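A remote probe tells you whether a listening service bleeds today; it does not tell you which of your hosts and bundled libraries still need attention. Added here as a complement (this is example code written for this post, not a tool from any vendor above): a small Python triage script that classifies OpenSSL version strings using the affected-version rule from the OpenSSL advisory of 7 April 2014. The hostnames and version strings in the inventory are made up.

```python
"""Triage OpenSSL version strings for Heartbleed exposure (CVE-2014-0160).

Added example, not from the original post or any vendor. The affected-version
rule is the one in the OpenSSL security advisory of 7 April 2014: 1.0.1 through
1.0.1f and 1.0.2-beta1 are vulnerable; 1.0.1g and 1.0.2-beta2 are fixed; 1.0.0
and 0.9.8 never carried the bug. The inventory at the bottom is made up.
"""
import re
import subprocess

VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE)


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, beta) from e.g. 'OpenSSL 1.0.1e-fips 11 Feb 2013'."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4).lower()
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, letter, beta


def is_heartbleed_affected(text):
    """True if the version string names a release that shipped the vulnerable code.

    Caveat: distributions such as RHEL and Debian backported the fix without
    changing the version letter, so a '1.0.1e' reported by a patched package
    is a false positive here; confirm with the package changelog or a probe.
    """
    v = parse_openssl_version(text)
    if v is None:
        raise ValueError("no OpenSSL version in: %r" % text)
    major, minor, fix, letter, beta = v
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"          # '' (plain 1.0.1) and 'a'..'f' are affected
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1             # only 1.0.2-beta1 had the bug
    return False


def local_openssl_version():
    """Version of the OS-wide openssl binary, or None if it cannot be run.

    Products that carry their own copy of OpenSSL must be checked against the
    library they ship, not this one.
    """
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, timeout=5, check=True).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return out.strip()


def triage(inventory):
    """Map host -> version string to host -> 'affected' / 'not affected' / 'unknown'."""
    result = {}
    for host, text in inventory.items():
        try:
            result[host] = "affected" if is_heartbleed_affected(text) else "not affected"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed inventory (hostnames and versions are examples, not real systems).
SAMPLE_INVENTORY = {
    "ftp1.example.com": "OpenSSL 1.0.1e 11 Feb 2013",
    "ftp2.example.com": "OpenSSL 1.0.1g 7 Apr 2014",
    "mft.example.com": "OpenSSL 1.0.0k 5 Feb 2013",
    "sftp.example.com": "OpenSSL 0.9.8y 5 Feb 2013",
    "beta.example.com": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "win.example.com": "SChannel (no OpenSSL)",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-20s %s" % (host, status))
    print("this machine:", local_openssl_version())
```

Two caveats matter in practice. First, the version string alone is not conclusive: several Linux distributions fixed the bug in place and kept the old letter, so pair a “1.0.1e” verdict with the package changelog or a live probe. Second, check the copy of OpenSSL the product actually loads: vendors that bundle the library are unaffected or affected on their own schedule, and the Biscom and Rumpus for Mac notes above show the reverse problem, a product that was fine until someone manually upgraded the system OpenSSL underneath it.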


About Jonathan Lampe

Andy White and I started File Transfer Consulting in 2011 to solve secure file transfer and managed file transfer issues through strategic analysis, training, integration and custom development. Our unique approach allows us to address complicated issues like no one else.

Before FTC I created and then led the development of Ipswitch's MOVEit managed file transfer software for ten exciting years, including three as VP for R&D and Product Management at Ipswitch (WS_FTP, MessageWay and hosted services). I also served as VP of Product Management for RhinoSoft (Serv-U), where I guided the development of managed file transfer capabilities and marketing that led to its eventual sale to SolarWinds.

Come meet me on Google+ or LinkedIn today!