Title: Traction TeamPage and the Heartbleed bug — Password Change Recommended for Cloud Customers

On April 7, 2014 a very serious security vulnerability in the popular OpenSSL library, widely referred to as the Heartbleed bug, was discovered (see the summary below). Like other software companies, Traction Software takes this vulnerability very seriously, and has worked diligently to research the Heartbleed bug and update TeamPage software and Cloud hosting configurations using the best security recommendations available. We'll continue to monitor and respond to any related issues, and post updates to this article.

• Customers hosting their own TeamPage software using TeamPage's built-in TLS/SSL security (HTTPS Web address) are not vulnerable. TeamPage uses the Oracle / Java encryption library's SSL encryption rather than the OpenSSL library of the host operating system.

• TeamPage Cloud hosted servers were affected, but have been patched and new encryption keys deployed. We recommend that Cloud hosted TeamPage customers change their TeamPage passwords as a precaution. Although TeamPage instances using TeamPage's built-in encryption are not vulnerable, Traction Software's Amazon Web Services (AWS) cloud hosting configuration uses Apache reverse proxy servers, which do use OpenSSL and which were vulnerable. Our Cloud hosting system's Apache server and AWS Linux OS were updated on 9-10 April to close the Heartbleed vulnerability. The private keys for all TeamPage Cloud hosted customers were regenerated and installed in the early hours of 11 April 2014. It's now safe to change your TeamPage password, and we recommend that you do so.

If you have Server Setup permission and want to require everyone on your TeamPage server to change their passwords, you can force a password change using the following link in Server Setup:



If your server is running TeamPage 6.0, you can use this button instead:



As a security precaution, we recommend that customers with accounts on Traction Software's support server (the server where this message is posted, support.tractions…) also change their passwords. Traction Software's support server is Cloud hosted and uses an Apache reverse proxy server that was patched along with all other TeamPage Cloud instances. The private key and certificate for this server have also been regenerated and tested.

About Heartbleed

"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users...

[The Heartbleed] Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."

Quoted from heartbleed.com by www.codenomicon.com, one of the two organizations to first discover and report the bug. See heartbleed.com for a more complete description and references to help you understand and deal with this very serious bug.
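The remediation order described in this article (patch OpenSSL, regenerate keys, then change passwords) can be checked with a short script. The following is an added example, not Traction Software's code: it classifies an `openssl version` banner against the upstream range given in the quote above and lists accounts whose last password change predates the key regeneration. The function names, sample banners, account names and the time of day are assumptions constructed for the example.

```python
import re
from datetime import datetime, timezone

# Upstream range from the heartbleed.com quote: 1.0.1 through 1.0.1f affected,
# 1.0.1g fixed. Pre-release builds are reported as "unknown", not guessed.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:beta|pre)\d*)?")


def openssl_status(banner):
    """Classify an `openssl version` banner against the upstream range."""
    m = _BANNER.search(banner)
    if not m or m.group(5):
        return "unknown"
    numeric = tuple(int(g) for g in m.group(1, 2, 3))
    if numeric == (1, 0, 1) and m.group(4) < "g":
        # A distro package may carry a backported fix under the old version
        # string, so treat this as "confirm the package update", not proof.
        return "in-affected-range"
    return "outside-affected-range"


def accounts_needing_change(last_changed, keys_regenerated):
    """Accounts whose password predates the new keys (None = no record)."""
    return sorted(user for user, ts in last_changed.items()
                  if ts is None or ts < keys_regenerated)


# Constructed sample data. The date is the one in the article; the hour and
# time zone are assumptions made for the example.
KEYS_REGENERATED = datetime(2014, 4, 11, 6, 0, tzinfo=timezone.utc)
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
]
SAMPLE_ACCOUNTS = {
    "alice": datetime(2014, 4, 9, 15, 30, tzinfo=timezone.utc),  # before rekey
    "bob": datetime(2014, 4, 12, 9, 0, tzinfo=timezone.utc),     # after rekey
    "carol": None,                                               # no record
}

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b!r}: {openssl_status(b)}")
    print("change again:",
          accounts_needing_change(SAMPLE_ACCOUNTS, KEYS_REGENERATED))
```

A password changed while the proxy was still unpatched, or before the new keys were installed, is listed for another change, which is why the article waits until after both steps to recommend changing passwords.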



Attachments:
Traction Server Setup | People.png
TeamPage_Server_Settings___People.png
Article: Support3162 (permalink)
Categories: :Doc:FAQ
Date: April 11, 2014; 6:19:18 PM Eastern Daylight Time

Author Name: Greg Lloyd
Author ID: grl