OpenSSL vulnerability DOES NOT impact Foglight for Virtualization (FVE) and Foglight Storage manager (FSM)

Couple of days ago, a very critical OpenSSL vulnerability came to light. The vulnerability, called Heartbleed, affects some versions of the OpenSSL library (but not all of them).  The vulnerability was introduced in the OpenSSL version 1.0.1 and out since December 2011. The earlier versions do not contain the bug. Reference:

The bug in the OpenSSL’s TLS/DTLS (Transport Layer Security protocols) heartbeat extension allows malicious users to steal the information that’s encrypted using SSL. The SSL encryption is ubiquitous and used by all sorts of applications accessed over the internet, like the websites, email and even some VPNs.

To protect the data against this vulnerability, the websites and applications using the compromised protocol (OpenSSL) must be updated to use the patched version.

The good news is that the Foglight for Virtualization (FVE) is not impacted. Foglight Management Server (FMS), which is a component of FVE, uses Java Secure Socket Extension (JSSE) based encryption, which does not suffer from this particular vulnerability.

Foglight for Virtualization cartridges do NOT use encryption libraries so are not impacted by the bug. Foglight for Storage Manager also does not use OpenSSL functionality and relies on FMS’ JSSE based encryption for server side communication.

In summary, both Foglight for Virtualization and Foglight Storage Manager are NOT impacted by the bug and there is no reason to worry about the data being compromised. If you have any questions or concerns, please feel free to post on this forum or get in touch with us.

Please also refer to the KB on this topic at: