IBM WebSphere Commerce sites not vulnerable to the Heartbleed bug
No doubt, development firms and tech gurus are being inundated with questions surrounding the now infamous Heartbleed bug. Apache and nginx, the two web servers that normally link against OpenSSL, serve roughly two-thirds of the active sites on the web, so a very large share of the web could have been exposed. Coupled with the Target security breach, businesses and consumers alike are growing uneasy about data security. To assuage widespread concerns, bloggers, journalists and reporters are pushing explanations and advice into the mediasphere to keep the general public properly informed about their exposure.
Even before the crush of published articles, the Heartbleed bug had been given a name and a logo to raise public awareness of the issue. Officially tracked as CVE-2014-0160, it is a flaw in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520), present in OpenSSL 1.0.1 through 1.0.1f; version 1.0.1g, released on 7 April 2014, contains the fix. OpenSSL is the TLS library behind most open source server software, including Apache and nginx on Linux, which is why the exposure was so broad. The flaw lets an unauthenticated remote party read up to 64 KB of the affected process's memory per heartbeat request, the request can be repeated as often as the attacker likes, and it works against vulnerable clients as well as servers. Whatever happens to be in that memory can leak: user names and plaintext passwords, session cookies and, in the worst case, the server's TLS private key.
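As an added illustration (not code from the original post, from IBM, or from OpenSSL itself), the following Python simulation shows the mechanism in miniature: a heartbeat request carries its own 16-bit payload length, and the handler in OpenSSL before 1.0.1g trusted that field, while the 1.0.1g fix checks it against the length of the record actually received and silently discards the request when they disagree. The simulated process memory, the leftover credentials in it and the two handler functions are all constructed for this example; they mirror the structure of OpenSSL's `tls1_process_heartbeat` but are not its code.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload

# Constructed "heap" contents that happen to sit right after the heartbeat
# record in process memory: credentials from an earlier request, never zeroed.
LEFTOVER_HEAP = b"\x00" * 8 + b"user=alice&password=hunter2" + b"\x00" * 64


def build_heartbeat(claimed_len, payload):
    """Build a HeartbeatRequest whose payload_length field may lie about the payload."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def process_heartbeat_vulnerable(memory, record_len):
    """Mirror of the pre-1.0.1g logic: trust the peer-supplied payload_length field."""
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    # Equivalent of memcpy(bp, pl, payload): copies payload_len bytes starting just
    # after the header, reading past the record_len bytes that were actually received.
    echoed = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def process_heartbeat_fixed(memory, record_len):
    """Mirror of the 1.0.1g fix: bound payload_length by the received record length."""
    if record_len < 1 + 2 + PADDING:
        return None  # too short to be a valid heartbeat; discard
    hbtype, payload_len = struct.unpack("!BH", memory[:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > record_len:
        return None  # length field exceeds the record: silently discard (RFC 6520 s.4)
    echoed = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def heartbeat_exchange(handler, claimed_len, payload=b"abc"):
    """Deliver one heartbeat to a simulated peer; return the echoed bytes, or None if dropped."""
    record = build_heartbeat(claimed_len, payload)
    memory = record + LEFTOVER_HEAP  # the record lands in front of stale heap data
    response = handler(memory, len(record))
    if response is None:
        return None
    _, resp_len = struct.unpack("!BH", response[:3])
    return response[3:3 + resp_len]


if __name__ == "__main__":
    # Honest request: both handlers echo the 3-byte payload.
    print(heartbeat_exchange(process_heartbeat_vulnerable, 3))
    # Lying request (claims 64 bytes, sends 3): the old handler leaks heap contents,
    # the fixed handler drops the request.
    print(heartbeat_exchange(process_heartbeat_vulnerable, 64))
    print(heartbeat_exchange(process_heartbeat_fixed, 64))
```

The 64-byte claim is tiny compared to the real limit: the length field is 16 bits, so a single request can pull up to 65535 bytes, and nothing stops the requester from asking again. The fix is a one-line bounds check, which is why it could be deployed so quickly once released.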
“As long as the vulnerable version of OpenSSL is in use it can be abused,” explained the editors of the website heartbleed.com. “Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”
So as IT teams around the globe are rolling up their sleeves, eCommerce business owners are dealing with the situation as well. Responding to concerned clients and customers, however, brings its own difficulty: in general there is no way of knowing whether a site was exploited. A heartbeat request is a normal part of a TLS session, so an abusive one leaves nothing abnormal in the web server's access or error logs; only a full packet capture or an intrusion detection signature in place before the fact would reveal it. The safe assumption for any site that ran a vulnerable version is that whatever was in memory could have leaked. On the site operator's side that means patching, then reissuing TLS certificates with freshly generated private keys and revoking the old ones, and invalidating active sessions. Alerts going out to customers should encourage them to protect themselves from future attacks by changing their passwords for any websites, social platforms or online services they use personally or professionally, with one caveat: a password changed before a site has been patched can be stolen the same way, so customers should be told when the fix is in place, not before.
For those fortunate businesses that run IBM’s WebSphere Commerce – sites such as Home Depot, Lowe’s, Staples, Sears, Target and Costco – the platform itself was not susceptible to the Heartbleed bug, because neither of its TLS stacks is built on OpenSSL. IBM’s flash notice on the bug states: “this vulnerability does NOT affect the SSL that is used by IBM WebSphere Application Server in all editions and all platforms. The IBM Java JSSE does not use OpenSSL.” Furthermore, “this vulnerability does NOT affect the IBM HTTP Server component in all editions and all platforms. The GSKit component of IBM HTTP Server does not use OpenSSL SSL code.”
But that doesn’t mean these business owners are totally in the clear. WebSphere rarely stands alone: load balancers, reverse proxies, SSL-terminating appliances, VPN gateways, monitoring agents and other Linux-based components in front of or beside the commerce stack very often link against OpenSSL, and any of those that terminate TLS hold session data and private keys of their own. Applying the fix to all such non-IBM software is highly recommended. As a reminder, versions of OpenSSL prior to 1.0.1, and version 1.0.1g and later, are not affected by this bug; 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release) are. One caveat when checking: Linux distributions typically backport the fix without changing the version string, so a patched Red Hat or Debian system may still report 1.0.1e. Check the package changelog for CVE-2014-0160 rather than trusting the version number alone.
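An added triage helper, not part of the original post or of any IBM or OpenSSL tooling, that applies the version rule above to the banner printed by `openssl version` and then applies the backport caveat by looking for CVE-2014-0160 in a package changelog (as printed by `rpm -q --changelog openssl` on Red Hat systems or found in the Debian changelog). The sample banners and the changelog excerpt are constructed for the example.

```python
import re

# Affected per the OpenSSL advisory for CVE-2014-0160: 1.0.1 through 1.0.1f
# inclusive, plus the 1.0.2-beta1 pre-release. 0.9.8 and 1.0.0 never carried the
# heartbeat code; 1.0.1g and later, and 1.0.2-beta2 and later, carry the fix.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")

# Constructed excerpt in the style of an RPM changelog for a backported fix.
SAMPLE_CHANGELOG = """\
* Mon Apr 07 2014 Package Maintainer <maint@example.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
"""


def classify_openssl_version(banner):
    """Return 'affected', 'not-affected' or 'unknown' for an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return "unknown"
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)
    if base < (1, 0, 1):
        return "not-affected"        # heartbeat extension not present
    if base == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g onward are fixed
        return "affected" if letter <= "f" else "not-affected"
    if base == (1, 0, 2):
        return "affected" if beta == "beta1" else "not-affected"
    return "not-affected"


def vendor_backported_fix(changelog):
    """True if a distro package changelog records the Heartbleed fix by CVE id."""
    return "CVE-2014-0160" in changelog


def triage(banner, changelog=""):
    """Combine the upstream version rule with the distro backport check."""
    verdict = classify_openssl_version(banner)
    if verdict == "affected" and vendor_backported_fix(changelog):
        return "patched-by-vendor"   # version string unchanged, but the fix is in
    return verdict


if __name__ == "__main__":
    for banner in ("OpenSSL 1.0.1e-fips 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013"):
        print(banner, "->", triage(banner))
    print("1.0.1e with backport ->", triage("OpenSSL 1.0.1e-fips 11 Feb 2013", SAMPLE_CHANGELOG))
```

A "patched-by-vendor" verdict still only covers the library on disk; a long-running process that loaded the old library before the update keeps the vulnerable code in memory until it is restarted, so restart every TLS-speaking service (or reboot the host) after the package update.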
To be clear, clients, customers and in-house personnel are encouraged to change their passwords on any and all online services, regardless of whether those sites have been identified as vulnerable to this issue, once each site has confirmed that its fix is in place.
For more information about eCommerce best practices, subscribe to the NetSphere Strategies blog. We strive to keep our readers in the know about situations like the Heartbleed bug and other security issues affecting eCommerce websites.