April 24, 2014

Does Heartbleed affect Siebel?


Heartbleed is a vulnerability in the OpenSSL implementation of TLS that was discovered earlier this month and has global impact. It was reported by the OpenSSL project, which in turn credits Riku, Antti and Matti at Codenomicon and Neel Mehta of Google Security.

By exploiting this flaw an attacker could steal private keys and carry out all sorts of nasty attacks, such as man-in-the-middle or forgery, that previously seemed possible only in theory.

It has been the worst nightmare for system engineers, and many are still determining the impact on their machines and patching them. According to the published lists, all the major web service providers (from Amazon to Google) were impacted.

As a Siebel customer, how does it impact you? Do you need to worry about your customers' or partners' accounts?

The answer is yes!

Although this problem only impacts the OpenSSL implementation on Linux environments, Oracle has still not certified the Siebel CRM product as safe from the bug.
Read Oracle's Heartbleed certification page:
http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html

Do you need to worry even if Siebel is not interfaced with any other system?

Probably yes: with a stolen private key (keys are usually shared across most of the systems in an organisation), attackers can break into other systems. Try to answer these questions for your implementation, then plan your strategy:

  1. Is Siebel available to customers online?
  2. Does Siebel use SSL?
  3. Have you implemented Siebel on Windows or Linux? OOB Windows is safe from Heartbleed.
  4. Does your implementation communicate with other systems over SSL, for example to integrate banking transactions?
  5. Is any third-party client used to integrate over SSL, such as PuTTY?

How to be safe?

  • Upgrade the OpenSSL version: https://access.redhat.com/site/solutions/781793
  • Change your security certificates and keys.
  • Ask your users to change passwords.
  • Subscribe to security updates from Oracle: http://www.oracle.com/technetwork/topics/security/alerts-086861.html

For those who are unaware of the bug, refer to:
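To turn the questions and the checklist above into something you can run against a server inventory, here is an added triage script (written for this post, not Oracle's or Red Hat's code). It flags hosts whose `openssl version` banner names a Heartbleed-affected release, and decides which hosts still need the upgrade and which need new keys and a password reset because their certificate predates the patch. The inventory records, host names and the `backport_fixed` field (set from `rpm -q --changelog openssl | grep CVE-2014-0160` on Red Hat, where the fix keeps the 1.0.1e banner) are constructed assumptions.

```python
import re
from datetime import datetime

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and the 1.0.2-beta1 release.
# 1.0.1g shipped the fix; the 0.9.8 and 1.0.0 branches never had the heartbeat bug.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def version_is_affected(banner):
    """True if an `openssl version` banner names a Heartbleed-affected release."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        return letter <= "f"      # plain 1.0.1 .. 1.0.1f affected, 1.0.1g and later fixed
    if (major, minor, fix) == (1, 0, 2):
        return beta == "1"        # only 1.0.2-beta1 carried the bug
    return False


def triage(host):
    """Map one inventory record to the checklist actions it still needs."""
    actions = []
    if host["os"].lower().startswith("windows") or not host["openssl"]:
        return actions            # OOB Windows Siebel stack ships no OpenSSL
    # A distro backport keeps the old banner, so the banner alone cannot clear a host.
    vulnerable_now = version_is_affected(host["openssl"]) and not host.get("backport_fixed", False)
    if vulnerable_now:
        actions.append("upgrade OpenSSL")
        exposed = True
    else:
        # patched_at is set only for hosts that ran an affected build before that date;
        # a key that was in service while the hole was open must be treated as stolen.
        patched_at = host.get("patched_at")
        exposed = patched_at is not None and host["cert_not_before"] < patched_at
    if exposed:
        actions += ["reissue certificate and private key", "force user password reset"]
    return actions


INVENTORY = [  # constructed sample records, not real hosts
    {"name": "siebel-web-1", "os": "RHEL 6", "openssl": "OpenSSL 1.0.1e-fips 11 Feb 2013",
     "backport_fixed": False, "cert_not_before": datetime(2013, 9, 1)},
    {"name": "siebel-web-2", "os": "RHEL 6", "openssl": "OpenSSL 1.0.1e-fips 11 Feb 2013",
     "backport_fixed": True, "patched_at": datetime(2014, 4, 9), "cert_not_before": datetime(2013, 9, 1)},
    {"name": "siebel-gw-1", "os": "Oracle Linux 6", "openssl": "OpenSSL 1.0.1g 7 Apr 2014",
     "patched_at": datetime(2014, 4, 10), "cert_not_before": datetime(2014, 4, 11)},
    {"name": "siebel-app-win", "os": "Windows Server 2008", "openssl": None, "cert_not_before": datetime(2013, 1, 1)},
    {"name": "siebel-legacy", "os": "RHEL 5", "openssl": "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008",
     "cert_not_before": datetime(2012, 1, 1)},
]


def triage_all(inventory):
    """Return {host name: [actions]} for the whole inventory."""
    return {h["name"]: triage(h) for h in inventory}
```

Feed it your real inventory and treat an empty action list as "no Heartbleed work left", while remembering that a host the script cannot see (a load balancer terminating SSL in front of Siebel, a partner's endpoint) needs the same questions asked by hand.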


Hope it helps.