#28 Critical Fix: JADE 6.3 & 7.0 OpenSSL vulnerability
Posted: Thu Apr 10, 2014 3:53 pm
This information is relevant to users running JADE 6.3.10 and later, including all 7.0 releases.
A security vulnerability, which could be utilised to provide access to sensitive data, has been identified in the third party OpenSSL libraries used by JADE to encrypt connections between nodes.
The following hot-fixes address this issue and should be applied as soon as possible:
- 7.0.08.028
- 7.0.07.052
- 6.3.12.011
- 6.3.11.014
- 6.3.10.035
JADE 6.3.09 and earlier versions are not affected by this.
Details of Hotfixes
The hot-fixes contain a recompilation of the latest OpenSSL 1.0.1g source code suitable for use with JADE.
The SSL libraries are not part of the JADE binaries, so the updated libraries are not automatically downloaded to thin clients. To force the download, change the INI file setting [JadeAppServer].DownLoadVersion on the app server. Refer to 'Appendix B Upgrading Software on Presentation Clients' in the 'JADE Thin Client Guide' for more information, available here: http://www.jade.co.nz/docs/jade/Default ... lients.htm.
Further information on SSL security in JADE, including handling certificates, can be found in the section 'Secure Sockets Layer (SSL) Security' in 'Chapter 2 JADE Security' of the 'JADE Object Manager Guide', available here: http://www.jade.co.nz/docs/jade/Default ... curity.htm. Revoking and re-issuing X.509 certificates is the responsibility of the system administrator and the process to follow depends on the Certificate Authority used. It is outside the scope of JADE Support. The sample certificates supplied with JADE should never be used in a production environment.
Details of Vulnerability
The vulnerability is known as the 'TLS heartbeat read overrun' (CVE-2014-0160) and further details are available here:
If you have any further questions, please contact JADE Support.
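Because the SSL libraries sit outside the JADE binaries, a thin client can keep an old copy after the app server is patched. The following Python script is an added example, not part of this post or of JADE: it reads an OpenSSL library file, extracts the version banner that OpenSSL embeds in every build (for example "OpenSSL 1.0.1g 7 Apr 2014"), and reports whether that upstream version is affected by CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1). The library file name and the sample bytes are constructed for the example.

```python
import re
from pathlib import Path

# OpenSSL embeds a banner such as b"OpenSSL 1.0.1g 7 Apr 2014" in its
# binaries, so a shipped library can be checked without loading it.
BANNER_RE = re.compile(
    rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?(?=[\s\x00])"
)

# Constructed sample data standing in for bytes read from a library file.
SAMPLE_OLD = b"\x00\x00OpenSSL 1.0.1e 11 Feb 2013\x00\x00"
SAMPLE_NEW = b"\x00\x00OpenSSL 1.0.1g 7 Apr 2014\x00\x00"


def heartbleed_affected(version: str) -> bool:
    """True if this upstream OpenSSL version carries CVE-2014-0160.

    Affected upstream releases are 1.0.1 through 1.0.1f and 1.0.2-beta1.
    1.0.1g and later, and every 1.0.0 and 0.9.8 release, are not affected.
    Caveat: a vendor rebuild may keep an old banner yet be patched, so treat
    an 'affected' result as a prompt to confirm the hot-fix version.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"      # "" (plain 1.0.1) up to "f" are vulnerable
    if (major, minor, fix) == (1, 0, 2):
        return beta is not None   # only the 1.0.2 beta carried the bug
    return False


def find_openssl_versions(data: bytes) -> list[str]:
    """Extract every distinct OpenSSL version banner from a binary blob."""
    found = set()
    for m in BANNER_RE.finditer(data):
        major, minor, fix, letter, beta = (
            g.decode() if g else "" for g in m.groups()
        )
        found.add(f"{major}.{minor}.{fix}{letter}{beta}")
    return sorted(found)


def report(data: bytes) -> dict[str, bool]:
    """Map each banner found in the data to its Heartbleed status."""
    return {v: heartbleed_affected(v) for v in find_openssl_versions(data)}


def scan_library(path: Path) -> dict[str, bool]:
    """Run the report over a library file (hypothetical path supplied by caller)."""
    return report(path.read_bytes())


if __name__ == "__main__":
    print(report(SAMPLE_OLD + SAMPLE_NEW))  # {'1.0.1e': True, '1.0.1g': False}
```

Run it against the SSL library files present on each thin client after bumping DownLoadVersion; any entry reporting True means that client still holds a pre-1.0.1g copy.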