Is Ice affected by the Heartbleed and CVE-2014-0224 security vulnerabilities?
Serious vulnerabilities in the popular OpenSSL toolkit have recently been discovered and widely reported in the media. See heartbleed.com for more information about the Heartbleed bug and openssl.org for details on CVE-2014-0224. The Heartbleed bug affects only OpenSSL versions 1.0.1 to 1.0.1f (inclusive). CVE-2014-0224 affects all versions of OpenSSL 0.9.8, 1.0.0, and 1.0.1 released prior to June 5, 2014.
Depending on the Ice version and the platform you use, Ice and your Ice-based applications can be affected by these issues:
- Ice for C++, Python, Ruby and PHP rely on OpenSSL for secure communications using SSL. The IceGrid, IceStorm, Glacier2 and IcePatch2 services are implemented in C++ and as a result they also rely on OpenSSL.
- Ice for Java and C#/.NET do not use OpenSSL. Likewise, Ice-E, the Ice for JavaScript lab project, and the Ice for ActionScript beta do not use OpenSSL.
- Ice Touch relies on OpenSSL for secure communications only on macOS, and not on iOS.
Which Ice binary distributions contain the defective versions of OpenSSL?
OpenSSL packages are only included in Ice distributions for Windows. On all other supported platforms, the Ice distributions depend on the OpenSSL packages provided by the operating system vendor.
All Ice binary distributions for Windows released prior to June 10, 2014 contain OpenSSL binaries affected by CVE-2014-0224, including the Windows third-party binary and source distributions. Note that on April 11, 2014 we released Ice 3.5.1-1 packages to address the Heartbleed vulnerability, but the OpenSSL binaries in these distributions are still affected by CVE-2014-0224.
On June 10, 2014 we released new Ice 3.5.1 distributions for Windows containing the latest OpenSSL version (1.0.1h), which includes fixes for CVE-2014-0224.
What should I do if I am using a binary distribution provided by ZeroC?
Ice binaries that use OpenSSL all link dynamically with the OpenSSL libraries (libeay32.dll and ssleay32.dll on Windows, for example).
On all platforms except Windows, Ice binaries link with OpenSSL libraries provided by your operating system.
- Windows
You should:
  - install the latest Ice 3.5.1 binary distribution for Windows, which contains updated OpenSSL DLLs
  - replace the OpenSSL DLLs (libeay32.dll and ssleay32.dll) included with your Ice applications with version 1.0.1h
- RHEL 6
Upgrade your OpenSSL RPM. There is no need to rebuild or update Ice after the upgrade.
- SLES 11
Upgrade your OpenSSL RPM. There is no need to rebuild or update Ice after the upgrade.
- Amazon Linux
Upgrade your OpenSSL RPM. There is no need to rebuild or update Ice after the upgrade.
- Ubuntu 13.04
Updates are no longer provided for Ubuntu 13.04, so you will need to build and install OpenSSL 1.0.1h from source. Refer to USN-2165-1 and USN-2232-1 for information on other releases.
- Ubuntu 14.04
Upgrade your OpenSSL package. There is no need to rebuild or update Ice after the upgrade.
- macOS
macOS versions up to and including 10.9 include OpenSSL 0.9.8 and therefore are not affected by the Heartbleed bug, but they are still affected by CVE-2014-0224. At the time of this writing, no security update is available for CVE-2014-0224.
- Solaris 11
Solaris 11 versions up to and including 11.1 include OpenSSL 1.0.0 and therefore are not affected by the Heartbleed bug, but they are still affected by CVE-2014-0224. At the time of this writing, no fix is available for CVE-2014-0224.
What should I do if I built Ice myself?
You should upgrade to OpenSSL 1.0.1h (or later).
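As an added check (example code, not part of this FAQ or of Ice): a Python script that parses an OpenSSL version string, as printed by `openssl version` or reported by Python's `ssl.OPENSSL_VERSION`, and classifies it against the two affected ranges this page describes. The first fixed releases for CVE-2014-0224 on the 0.9.8 and 1.0.0 branches (0.9.8za and 1.0.0m) are taken from the OpenSSL advisory of June 5, 2014, not from this page, which names only 1.0.1h.

```python
import re
import ssl
# Affected ranges as stated in this FAQ:
#   Heartbleed (CVE-2014-0160): OpenSSL 1.0.1 through 1.0.1f inclusive.
#   CVE-2014-0224: every 0.9.8, 1.0.0 and 1.0.1 release before June 5, 2014.
# The first fixed releases (0.9.8za, 1.0.0m, 1.0.1h) are from the OpenSSL
# advisory of that date; the FAQ itself only names 1.0.1h.
_FIRST_FIXED_0224 = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

# Versions look like 1.0.1f or 0.9.8za; a distro suffix such as -fips may
# follow, which the regex ignores by matching only the leading prefix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(text):
    """Parse 'OpenSSL 1.0.1f 6 Jan 2014', '1.0.1e-fips' or '1.0.1h' into a
    comparable tuple (major, minor, fix, patch_letters)."""
    token = text.split()[1] if text.startswith("OpenSSL") else text.split()[0]
    m = _VERSION_RE.match(token)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letters = m.groups()
    # Patch letters run a..z, za, zb, ... so plain string order is correct.
    return (int(major), int(minor), int(fix), letters)

def heartbleed_affected(v):
    return (1, 0, 1, "") <= v <= (1, 0, 1, "f")

def cve_2014_0224_affected(v):
    branch = v[:3]
    if branch not in _FIRST_FIXED_0224:
        return False  # branch not listed as affected by the FAQ
    return v[3] < _FIRST_FIXED_0224[branch]

def assess(text):
    """Report which of the two vulnerabilities a version string falls under."""
    v = parse_version(text)
    return {
        "version": "%d.%d.%d%s" % v,
        "heartbleed": heartbleed_affected(v),
        "cve_2014_0224": cve_2014_0224_affected(v),
    }

if __name__ == "__main__":
    # Constructed sample strings in the form 'openssl version' prints them,
    # followed by the library this Python interpreter was built against.
    samples = ["OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1e-fips 11 Feb 2013",
               "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1h 5 Jun 2014",
               ssl.OPENSSL_VERSION]
    for s in samples:
        print(assess(s))
```

Vendor-patched packages on RHEL, SLES, Amazon Linux and Ubuntu typically keep the upstream version string after a backported fix, so this check will still report such a package as affected after the upgrade this page recommends; confirm those systems against the vendor's package version and advisory instead.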