Bleeding Heart for Heartbleed

By: Ryan Koop, Director of Products and Marketing at Cohesive Networks

Thankfully, the supported VNS3 versions 2.7, 3.0, 3.01, 3.03, and 3.04 were
not affected by the OpenSSL TLS heartbeat read overrun (CVE-2014-0160),
better known now as “Heartbleed.”

The Heartbleed vulnerability, an OpenSSL TLS heartbeat read overrun, could potentially leak valuable server data. Image via Wikimedia Commons.

I feel for all the providers whose products are/were compromised.

I feel for all the users who may have been negatively impacted.

I feel for the OpenSSL Software Foundation (OSF) team members who have contributed to the project.

I feel for all those who will now walk the long road ahead of rebuilding trust, rebuilding systems, and quantifying the potential damage caused by the OpenSSL Heartbleed.

The heartbeat bug and the disclosure timeline will prove to be quite a disruptive event in the consumer technology and enterprise IT markets. More on that in a minute…

How the Heartbleed Bug Works, by xkcd

How did we escape this potential blood bath?

Cohesive Networks, like most of the sane world, takes advantage of open source software for use in our internal systems as well as in our product offering, VNS3, the cloud network appliance. Cohesive extensively tests and vets all aspects of the VNS3 system before making a new version generally available.

Additionally, we, like most of the responsible ISVs/service providers, take advantage of the downstream Linux providers’ practice of including just the fixes for security vulnerabilities in certain security libraries like OpenSSL. The result is a feature freeze on what we spent time and energy testing, while we still benefit from the ongoing security patches coming out of the open source project.


Read the full post on the Cohesive Networks blog