Is Ice affected by the OpenSSL denial-of-service security vulnerabilities?
New versions of OpenSSL were released on March 19, 2015 to correct several security vulnerabilities that an attacker could use to initiate denial-of-service attacks.
On this page:
Is Ice affected?
This is not a vulnerability in Ice but rather in OpenSSL. Whether this affects your application depends on the Ice version and the language mapping(s) that you use:
- Ice 3.5.1 and earlier
- Ice for C++ uses OpenSSL on all supported operating systems.
- Ice for Python, Ice for Ruby, and Ice for PHP are all based on Ice for C++ and therefore use OpenSSL on all supported operating systems.
- The IceGrid, IceStorm, Glacier2 and IcePatch2 services are implemented in C++ and as a result they also rely on OpenSSL.
- Ice for Java is not affected.
- Ice for C#/.NET is not affected.
- Ice 3.6
- Ice for C++ uses OpenSSL on Linux but does not use OpenSSL on macOS or Windows.
- Ice for Python, Ice for Ruby, and Ice for PHP are all based on Ice for C++ and therefore have the same dependencies as Ice for C++.
- Ice for Java is not affected.
- Ice for C#/.NET is not affected.
- Ice 3.7
- Ice for C++ uses OpenSSL on Linux but does not use OpenSSL on macOS. On Windows, users can optionally build a version of IceSSL that uses OpenSSL.
- Ice for Python, Ice for Ruby, and Ice for PHP are all based on Ice for C++ and therefore have the same dependencies as Ice for C++.
- Ice for Java is not affected.
- Ice for C#/.NET is not affected.
Is my Ice application affected?
Your Ice application is only affected if your Ice version and language mapping uses OpenSSL for secure communication, as described above.
Will operating system updates correct the problem?
It depends on the operating system, Ice version, and language mapping(s) that you use:
- Linux
Ice for C++ links dynamically with the native OpenSSL libraries on Linux. Updating your OpenSSL packages will correct the problem. - macOS
Ice for C++ up to and including version 3.5.1 links dynamically with the native OpenSSL libraries on macOS. Operating system updates will correct the problem. - Windows (Ice 3.5.1 and earlier)
All Ice binary distributions for Windows include OpenSSL libraries that Ice for C++ uses for SSL/TLS communication. You will need to take additional action to correct the problem. - Windows (Ice 3.6)
Binary distributions of Ice 3.6 for Windows do not include OpenSSL libraries. No updates are necessary to Ice or the operating system. - Windows (Ice 3.7)
Binary distributions of Ice 3.7 for Windows do not include OpenSSL libraries. A user who built a version of IceSSL that uses OpenSSL should review their build environment to ensure an unaffected version of OpenSSL was used. - Java
No updates are necessary. - C#/.NET
No updates are necessary. - Python/Ruby/PHP
The corrective actions you take for Ice for C++ will also address the problem for these languages. - JavaScript
Browser users are dependent on the operating system or browser vendor.
Which Ice binary distributions are affected?
All Ice binary distributions for Windows released prior to March 20, 2015 contain OpenSSL binaries affected by these vulnerabilities, including the Windows third-party binary and source distributions. Users of these distributions should update their installations.
On all other supported platforms, the Ice distributions up to and including version 3.5.1 depend on the OpenSSL packages provided by the operating system vendor and therefore no Ice updates are necessary.
On March 20, 2015 we released Ice 3.5.1-6 packages for Windows to address these vulnerabilities.
As of Ice 3.6, Ice uses OpenSSL only on Linux. OpenSSL libraries are no longer included in any Ice binary distribution.
What should I do if I am using a Windows binary distribution of Ice 3.5.1 provided by ZeroC?
You should:
- install the latest Ice 3.5.1 binary distribution for Windows, which contains updated OpenSSL DLLs
- replace the OpenSSL DLLs (
libeay32.dll
andssleay32.dll
) included with your Ice applications with version 1.0.1m
Please note that the Ice binary distribution includes multiple builds of these OpenSSL DLLs (for different C++ compilers, and for 32 and 64 bit); we recommend that you replace all OpenSSL DLLs included with your Ice-based applications. You can replace these DLLs without recompiling or relinking anything, in particular neither Ice nor your Ice applications need to be rebuilt.
What should I do if I built Ice myself?
You should upgrade to OpenSSL 1.0.1m (or later).