
We are using CryptoJS in our application. Since CryptoJS uses OpenSSL, are we vulnerable to the Heartbleed bug? If yes, what can we do to prevent it?

Duncan Jones
user1533947

1 Answer


Since 'crypto.js' uses OpenSSL, are we vulnerable to the heartbleed attack?

The heartbleed attack is connected to "handling of the Transport Layer Security (TLS) heartbeat extension".

So, the heartbleed attack is possible only if crypto.js has a TLS / SSL server or client, and you are using it as a TLS / SSL server or client.

If you don't use TLS from it (or if the library has no TLS/SSL client, as seems to be the case - I can't find TLS in the sources), you are not vulnerable to heartbleed.

If yes, what can we do to prevent it?

Update your system's OpenSSL library; check the servers and clients which are connecting to you for the heartbleed vulnerability.

osgx
  • Thanks for your reply. We have downloaded cryptoJS.js from the mentioned resource and it is included in our application package and site. The site is hosted on our server. Do we need to check for any other vulnerability? – user1533947 Apr 14 '14 at 12:10
  • user1533947, you should check the OpenSSL library installed on your server (and update it to the most recent version from this week). If you are using "`https://`" protocol, your web-server daemon (apache, nginx, etc) may be vulnerable to heartbleed. – osgx Apr 14 '14 at 12:25
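A defender-side check that follows osgx's advice to verify the server's own OpenSSL, added here as an example (it is not code from the question, the answer, or CryptoJS). It assumes a POSIX shell with `sed` and `grep`, an optional `openssl` binary on PATH, and the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the answer above: classify an `openssl version`
# report against the Heartbleed-affected range. Affected releases are 1.0.1
# through 1.0.1f and 1.0.2-beta1; 1.0.1g fixed it, and the 0.9.8 / 1.0.0
# branches never had the bug. A build compiled with -DOPENSSL_NO_HEARTBEATS
# has the heartbeat extension removed and is not affected either.
#
# Caveat: distributions backport fixes without bumping the version string
# (a patched "1.0.1e-fips" is common), so "affected" here means "check the
# package changelog / distro advisory", not a confirmed hole.

# heartbleed_status "<openssl version line>" "<compiler: line from version -a>"
# Prints: affected | not-affected | unknown
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
    case "$2" in
        *OPENSSL_NO_HEARTBEATS*) echo not-affected; return ;;
    esac
    case "$ver" in
        '')                 echo unknown ;;       # not an OpenSSL banner
        1.0.1|1.0.1[a-f]*)  echo affected ;;      # 1.0.1 .. 1.0.1f (incl. -fips)
        1.0.2-beta*)        echo affected ;;      # 1.0.2-beta1
        0.9.*|1.0.0*)       echo not-affected ;;  # older branches, no heartbeat bug
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*) echo not-affected ;;
        *)                  echo unknown ;;
    esac
}

# Classify the OpenSSL that this host's `openssl` binary was built against.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo unknown
        return
    fi
    flags=$(openssl version -a 2>/dev/null | grep '^compiler:' || true)
    heartbleed_status "$(openssl version 2>/dev/null)" "$flags"
}

check_local_openssl
```

The web-server daemon (apache, nginx) usually links the system libssl, so a result of "affected" for the system library applies to it as well until the service is restarted on the updated package.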