Phoenix Software’s Response to Customer Concerns Regarding the Heartbleed Bug
Phoenix Software International is aware of the issues associated with the “Heartbleed Bug” (CVE-2014-0160) and has investigated our exposure to this issue. We have determined that our public server uses OpenSSL version 1.0.0, which is known to have no exposure to this exploit. This server is the only public-facing system to which customers have access. Phoenix Software’s office connection to the Internet is through Cisco ASA firewall/VPN devices, which Cisco has certified as being free from this exposure.
Any customer data provided to Phoenix is stored in a secure manner on Microsoft Windows-based systems, Red Hat Enterprise Linux systems, or IBM mainframe-based systems. Windows, IBM z/OS, and IBM z/VM are not vulnerable to “Heartbleed” because these systems do not use OpenSSL. Our internal RHEL systems have been checked and were also found to be using OpenSSL version 1.0.0. Based on these observations, it is Phoenix Software International’s considered opinion that we have no systems, through which customer data might transit or on which it might be stored, that are vulnerable to the Heartbleed Bug.
None of Phoenix Software’s products embed, include, or make direct use of OpenSSL, and thus they are not directly exposed to the “Heartbleed Bug”. However, many of our products have components that communicate with each other over TCP/IP-based networks. Some products may offer APIs or other interfaces that allow customer-written code to communicate with the products over these networks. In such cases customers might elect to secure the communication links using VPNs or other technologies based on OpenSSL. Such network infrastructure is beyond the control of our products, and it is the customer’s responsibility to ensure that their network infrastructure does not make use of known vulnerable versions of OpenSSL.
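For customers checking their own infrastructure as described above, the following added example (not part of Phoenix Software’s statement or products) classifies the version field printed by `openssl version` against the publicly documented Heartbleed-affected range (1.0.1 through 1.0.1f and the 1.0.2-beta/beta1 releases; the 0.9.8 and 1.0.0 branches were never affected). On Red Hat-style systems the fix was backported without changing the version string, so a second function consults the package changelog instead; the function names and the local `openssl`/`rpm` invocations are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Phoenix Software's code. Classifies an OpenSSL version
# string against the known CVE-2014-0160 (Heartbleed) affected range.
heartbleed_version_status() {
    # $1 is the second field of `openssl version`, e.g. "1.0.1e" or "1.0.1e-fips"
    case "$1" in
        1.0.2-beta|1.0.2-beta1) echo vulnerable; return ;;   # pre-release builds that shipped the bug
    esac
    v=${1%%-*}                                  # drop suffixes such as "-fips"
    case "$v" in
        1.0.1|1.0.1[a-f])   echo vulnerable ;;      # 1.0.1 through 1.0.1f
        0.9.*|1.0.0*)       echo not-vulnerable ;;  # branches without the TLS heartbeat code
        1.0.1[g-z]*|1.0.2*|1.1.*|[23].*)
                            echo not-vulnerable ;;  # 1.0.1g (the fix) and everything later
        *)                  echo unknown ;;         # unrecognised string: inspect by hand
    esac
}

# On Red Hat-style systems the version string stays at e.g. 1.0.1e after the
# fix is backported, so the package changelog is the authoritative check.
# Returns 0 (patched) if the changelog references the CVE.
rhel_openssl_patched() {
    rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2014-0160'
}

# Report on the locally installed OpenSSL, if any.
if command -v openssl >/dev/null 2>&1; then
    ver=$(openssl version | awk '{print $2}')
    status=$(heartbleed_version_status "$ver")
    echo "local OpenSSL $ver: $status"
    if [ "$status" = vulnerable ] && command -v rpm >/dev/null 2>&1; then
        rhel_openssl_patched && echo "  (package changelog shows the CVE-2014-0160 fix was backported)"
    fi
fi
```

A version string alone is only a first screen; the changelog check (or the vendor's errata for the installed package) decides on distributions that backport fixes.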
We continue to monitor this issue and will provide additional information as appropriate.