We are using CryptoJS in our application. Since CryptoJS uses OpenSSL, are we vulnerable to the Heartbleed bug? If yes, what can we do to prevent it?
Asked by user1533947 (edited by Duncan Jones). Viewed 266 times.
- Consider asking on security.stackexchange.com – Gareth Apr 14 '14 at 10:52
- @Gareth Thanks. I have posted there as well. Any suggestions would be appreciated. – user1533947 Apr 14 '14 at 11:02
- This question belongs on another site in the Stack Exchange network. Perhaps security.stackexchange.com or crypto.stackexchange.com. – jww Apr 14 '14 at 15:23
- Duplicate: http://security.stackexchange.com/questions/55711/is-crypto-js-vulnerable-to-heartbleed-attack – osgx Apr 14 '14 at 16:44
1 Answer
> Since 'crypto.js' uses OpenSSL, are we vulnerable to the Heartbleed attack?

The Heartbleed attack is connected to "handling of the Transport Layer Security (TLS) heartbeat extension". So a Heartbleed attack is possible only if crypto.js has a TLS/SSL server or client, and you are using it as a TLS/SSL server or client. If you don't use TLS from it (or if the library has no TLS/SSL client, as appears to be the case; I can't find TLS in its sources), you are not vulnerable to Heartbleed.

> If yes, what can we do to prevent it?

Update your system's OpenSSL library; check the servers and clients which are connecting to you for the Heartbleed vulnerability.

Answered by osgx.
- Thanks for your reply. We have downloaded cryptoJS.js from the mentioned resource and it is included in our application package and site. The site is hosted on our server. Do we need to check for any other vulnerability? – user1533947 Apr 14 '14 at 12:10
- user1533947, you should check the OpenSSL library installed on your server (and update it to the most recent version from this week). If you are using the "`https://`" protocol, your web-server daemon (apache, nginx, etc.) may be vulnerable to Heartbleed. – osgx Apr 14 '14 at 12:25
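As an added example (not code from the question, the answer or the CryptoJS project), a POSIX shell check that turns the answer's advice, audit the OpenSSL your server daemon actually links rather than the JavaScript library, into a version classifier. The affected-release list in the comments is public OpenSSL release history, not something stated on this page, and the sample banner strings are constructed.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or CryptoJS.
# Heartbleed is a bug in OpenSSL's TLS heartbeat handling, so the thing to
# audit is the libssl your TLS daemon links, not a pure JavaScript library.
# Affected releases: 1.0.1 through 1.0.1f and 1.0.2-beta1. Fixed in 1.0.1g.
# The 0.9.8 and 1.0.0 branches never contained the heartbeat code.

# heartbleed_status "OpenSSL 1.0.1e 11 Feb 2013"   (sample, constructed banner)
# prints one of: AFFECTED, NOT_AFFECTED, UNKNOWN
heartbleed_status() {
    set -- $1                 # word-split the banner: $1=OpenSSL $2=version ...
    [ "$1" = "OpenSSL" ] || { echo UNKNOWN; return; }
    case "$2" in
        1.0.1 | 1.0.1[a-f] | 1.0.1[a-f]-*)   # 1.0.1e-fips etc. share the code
            echo AFFECTED ;;
        1.0.2-beta1)
            echo AFFECTED ;;
        1.0.1[g-z]* | 1.0.2* | 1.1.* | 3.* | 0.9.8* | 1.0.0*)
            echo NOT_AFFECTED ;;
        *)
            echo UNKNOWN ;;
    esac
}

# Run against the local host (the "check your server's OpenSSL" step from the
# answer). A banner alone can mislead: Debian, Ubuntu and RHEL kept the 1.0.1e
# version string and backported the fix, so confirm an AFFECTED result against
# the package changelog. Also, daemons (nginx, apache, ...) that were already
# running keep the old libssl mapped until they are restarted after the update.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 1; }
    banner=$(openssl version)
    echo "$banner -> $(heartbleed_status "$banner")"
}

if [ "${1:-}" = "--local" ]; then
    check_local_openssl
fi
```

Invoke the script with `--local` on the web server to classify its installed OpenSSL; anything other than NOT_AFFECTED needs a package-changelog check and a daemon restart after patching.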