Is Ice affected by the Heartbleed and CVE-2014-0224 security vulnerabilities?

Serious vulnerabilities in the popular OpenSSL toolkit have recently been discovered and widely reported in the media. See for more information about the Heartbleed bug and for details on CVE-2014-0224. The Heartbleed bug affects only OpenSSL versions 1.0.1 to 1.0.1f (inclusive). CVE-2014-0224 affects all versions of OpenSSL 0.9.8, 1.0.0, and 1.0.1 released prior to June 5, 2014.

Depending on the Ice version and the platform you use, Ice and your Ice-based applications can be affected by these issues:

  • Ice for C++, Python, Ruby and PHP rely on OpenSSL for secure communications using SSL. The IceGrid, IceStorm, Glacier2 and IcePatch2 services are implemented in C++ and as a result they also rely on OpenSSL.
  • Ice for Java and C#/.NET do not use OpenSSL. Likewise, Ice-E, the Ice for JavaScript lab project, and Ice for ActionScript beta, do not use OpenSSL.
  • Ice Touch relies on OpenSSL for secure communications only on macOS, and not on iOS.

Which Ice binary distributions contain the defective versions of OpenSSL?

OpenSSL packages are only included in Ice distributions for Windows. On all other supported platforms, the Ice distributions depend on the OpenSSL packages provided by the operating system vendor.

All Ice binary distributions for Windows released prior to June 10, 2014 contain OpenSSL binaries affected by CVE-2014-0224, including the Windows third-party binary and source distributions. Note that on April 11, 2014 we released Ice 3.5.1-1 packages to address the Heartbleed vulnerability, but the OpenSSL binaries in these distributions are still affected by CVE-2014-0224.

On June 10, 2014 we released new Ice 3.5.1 distributions for Windows containing the latest OpenSSL version (1.0.1h), which includes fixes for CVE-2014-0224.

What should I do if I am using a binary distribution provided by ZeroC?

Ice binaries that use OpenSSL all link dynamically with the OpenSSL libraries (for example, libeay32.dll and ssleay32.dll on Windows).

On all platforms except Windows, Ice binaries link with OpenSSL libraries provided by your operating system.

  • Windows
    You should:
    • install the latest Ice 3.5.1 binary distribution for Windows, which contains updated OpenSSL DLLs
    • replace the OpenSSL DLLs (libeay32.dll and ssleay32.dll) included with your Ice applications with version 1.0.1h

    Please note that the Ice binary distribution includes multiple builds of these OpenSSL DLLs (for different C++ compilers, and for 32 and 64 bit); we recommend that you replace all OpenSSL DLLs included with your Ice-based applications. You can replace these DLLs without recompiling or relinking anything, in particular neither Ice nor your Ice applications need to be rebuilt.
  • Ubuntu 13.04
    Updates are no longer provided for Ubuntu 13.04, so you will need to build and install OpenSSL 1.0.1h from source. Refer to USN-2165-1 and USN-2232-1 for information on other releases.
  • macOS
    macOS versions up to and including 10.9 include OpenSSL 0.9.8 and therefore are not affected by the Heartbleed bug, but they are still affected by CVE-2014-0224. At the time of this writing, no security update is available for CVE-2014-0224.
  • Solaris 11
    Solaris 11 versions up to and including 11.1 include OpenSSL 1.0.0 and therefore are not affected by the Heartbleed bug, but they are still affected by CVE-2014-0224. At the time of this writing, no fix is available for CVE-2014-0224.

What should I do if I built Ice myself?

You should upgrade to OpenSSL 1.0.1h (or later).
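Whichever case applies, the useful check is which OpenSSL build an Ice application is actually carrying. The following is an added example (not ZeroC's code): it classifies an OpenSSL version string against the two issues above and scans a directory for OpenSSL libraries, reading the version text that libcrypto embeds in its binary. The page names 1.0.1h as the fixed release; the fixed patch levels 0.9.8za and 1.0.0m for the other branches are taken from the OpenSSL advisory of June 5, 2014, and the Unix library names (libcrypto, libssl) are an assumption beyond the DLLs the page names.

```python
"""Classify OpenSSL versions against Heartbleed and CVE-2014-0224, and find the
version text embedded in OpenSSL libraries shipped with an application."""
import os
import re

# Old-style OpenSSL version numbers ("1.0.1f", "0.9.8za"): the letter suffix is
# the patch level and sorts lexicographically: "" < "a" < ... < "y" < "za" < "zb".
_VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")

# First patch level on each affected branch that fixes CVE-2014-0224 (the OpenSSL
# releases of June 5, 2014). The page names 1.0.1h; 0.9.8za and 1.0.0m come from
# the OpenSSL advisory of that date (assumption, not stated on the page).
_CCS_FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

def parse_version(data):
    """Extract (branch, patch) such as ("1.0.1", "f") from text or binary data.
    Returns None when no 'OpenSSL x.y.z' version text is present."""
    if isinstance(data, str):
        data = data.encode()
    m = _VERSION_RE.search(data)
    return (m.group(1).decode(), m.group(2).decode()) if m else None

def classify(version):
    """Return {"heartbleed": bool, "cve_2014_0224": bool} for a bare version such
    as "1.0.1f" or a full `openssl version` line such as "OpenSSL 1.0.1h 5 Jun 2014"."""
    parsed = parse_version(version if version.startswith("OpenSSL") else "OpenSSL " + version)
    if parsed is None:
        raise ValueError("not an OpenSSL version: %r" % version)
    branch, patch = parsed
    heartbleed = branch == "1.0.1" and patch <= "f"           # 1.0.1 .. 1.0.1f inclusive
    ccs = branch in _CCS_FIXED and patch < _CCS_FIXED[branch]  # released before the fix
    return {"heartbleed": heartbleed, "cve_2014_0224": ccs}

# Library file names to inspect: the Windows DLLs named on the page plus the
# usual Unix names (assumed).
OPENSSL_LIBS = re.compile(r"^(libeay32|ssleay32|libcrypto|libssl)", re.IGNORECASE)

def scan_directory(root):
    """Walk `root`; for each OpenSSL library found, report the embedded version
    (the OPENSSL_VERSION_TEXT string compiled into libcrypto) classified as above.
    A library without recognisable version text is reported as None."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not OPENSSL_LIBS.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                parsed = parse_version(f.read())
            report[path] = classify("".join(parsed)) if parsed else None
    return report

if __name__ == "__main__":
    import sys
    for path, result in sorted(scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, result if result else "no OpenSSL version text found")
```

Run it against the directory of a deployed Ice application to confirm that every bundled libeay32.dll/ssleay32.dll build (each compiler and architecture variant) was replaced, not just the one in your PATH.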