What GIS applications and services have been affected by the Heartbleed vulnerability?

Question

Heartbleed is the name given to a recent, very severe security vulnerability in the OpenSSL library, used in a large number of websites and applications. It is being called one of the worst computer security vulnerabilities in recent history. Even StackExchange was vulnerable as of April 8th (since resolved according to this answer).

You can read more about it in these Security.SE questions:

• How exactly does the OpenSSL TLS heartbeat (Heartbleed) exploit work?
• What should a website operator do about the Heartbleed OpenSSL exploit?
• What clients are proven to be vulnerable to Heartbleed?

What GIS applications and services have been affected by this vulnerability?

Link to any official statements by the application maintainers about the vulnerability and/or how to resolve it.

Note to moderators: Please mark this question and answers as community wiki, as this is more of a PSA than a Q&A.

Answer 1

Here is one statement I found so far, about FME Cloud (which had the vulnerable version installed, but not in use):

FME Cloud is not vulnerable to CVE-2014-0160, AKA Heartbleed

The engineering team at FME Cloud has been working to assess the impact for our customers in the wake of April 7th’s disclosure of CVE-2014-0160, known as Heartbleed. We joined nearly every service provider on the Internet responding to this critical vulnerability in OpenSSL’s handling of heartbeat packets and conducted a comprehensive security review in response.

The servers hosting the FME Cloud website are using a version of OpenSSL which is not affected by the vulnerability. As for our customers’ FME Server Cloud instances, they are running on Linux servers which have the vulnerable OpenSSL installed, but fortunately the web application server (Tomcat) that FME Server uses underneath does not use the OpenSSL library. The FME Server instances that are currently running are therefore not exposed to this vulnerability. You can test this by entering the URL here, http://filippo.io/Heartbleed/.

As a best practice we have patched the OpenSSL package so all new instances that you launch will be running the patched version.

If you have any questions or concerns then don’t hesitate to contact us.

Answer 2

The ESRI Support Services blog has a statement about Heartbleed, which refers users to this tech article:

The Heartbleed Bug – What does it mean for you?

As you may or may not be aware, a recent security vulnerability was unveiled for servers using the OpenSSL cryptographic library that affects many different products and software worldwide. This vulnerability has been codenamed ‘The Heartbleed Bug’, and potentially allows attackers to read the memory of a protected server or client and retrieve encrypted personal information from that server/client.

As a result, Esri staff have been performing maintenance to validate, secure, and patch Esri servers and infrastructure to close this vulnerability and ensure Esri customers are protected.

Please read the following KB Article for further information regarding the Heartbleed bug and whether any customer action is required for your Esri software.

A note about the desktop software out of the tech article:

Desktop Products

• ArcGIS for Desktop/Engine – No customer action is required. The vulnerable OpenSSL library is included with ArcGIS Desktop releases 10.1 SP1, 10.2, 10.2.1, and 10.2.2, but it is not utilized in a manner where the vulnerability is exploitable.

• ArcGIS Runtime – No customer action is required. The vulnerable OpenSSL library is included with Runtime WPF/Qt/Java releases 10.1.1, 10.2, 10.2.2, and the iOS/Android 10.2.2 release, but it is not utilized in a manner where the vulnerability is exploitable.

There is a potentially exploitable vulnerability in ArcGIS Server for for Linux, according to this article:

ArcGIS for Server on Linux 10.2, 10.2.1, and 10.2.2 are vulnerable, not as a server, but as a client to other servers which happens only in the Print Service and Publishing Services when they connect to remote ArcGIS Servers. That means that encryption for ArcGIS for Server on Linux has not been compromised. However, it means that attackers may be able to discover where ArcGIS for Server has been installed, the name of the running user, and potentially even be able to crash the print service.

A patch will be available shortly to address the issue for ArcGIS Server on Linux.

Answer 3

PostgreSQL (and by extension, PostGIS) may be affected, according to this writeup by Magnus Hagander, one of the core team members:

PostgreSQL and the OpenSSL Heartbleed vulnerability

Is your PostgreSQL installation vulnerable to the Heartbleed bug in OpenSSL? The TL;DR; version is "maybe, it depends, you should read this whole thing to find out". If you are vulnerable, it is a high risk vulnerability!

The slightly longer version is that it will be vulnerable if you are using SSL, and not vulnerable if you are not. But the situation is not quite that easy, as you may be using SSL even without planning to. PostgreSQL also not provide any extra protection against the bug - if you are using SSL, you are vulnerable to the bug just as with any other service.

As the bug is in OpenSSL, however, what you need to get patched is your OpenSSL installation and not PostgreSQL itself. And of course, remember to restart your services (this includes both PostgreSQL and any other services using SSL on your system). You will then have to consider in your scenario if you have to replace your SSL keys or not - the same rules apply as to any other service.

Additionally, Amazon made this brief statement about a few affected AWS-RDS PostgreSQL instances:

RDS PostgreSQL Updated to Address OpenSSL Vulnerability

April 08, 2014

A small number of Amazon RDS PostgreSQL instances were restarted to apply a fix to address the OpenSSL Heartbleed bug. All RDS instances are operating normally.

Answer 4

Mapbox addressed the vulnerability with this statement:

Addressing the Heartbleed OpenSSL bug at Mapbox

We have secured our infrastructure from Heartbleed, a serious OpenSSL vulnerability that caused security on most of the internet to virtually evaporate overnight (good post by the New York Times). There is no indication that any data on Mapbox was compromised as a result of Heartbleed, but as a precaution, we strongly suggest that you reset your Mapbox password.

Here is a summary of how our engineering team addressed the vulnerability:

• We logged you out of Mapbox.com–you will be required to login again on your next visit.
• All services were reviewed and updated immediately.
• We rotated our SSL certificates and all other security credentials.
• We reviewed all third-party services and worked with their teams to ensure that proper steps were taken to patch their vulnerable services and rotate their credentials.

If you have any questions regarding Heartbleed or anything else, send us a note at support@mapbox.com.