Is Datameer affected by "Heartbleed", a Serious OpenSSL Vulnerability?

Question

The internet community has a lot of information about a serious OpenSSL vulnerability called "Heartbleed". Is Datameer affected?

Answer

No, if you run Datameer standalone and SSL connections are configured only via the provided Jetty XML configuration files.

However, it could be affected if a customer additionally runs a web server in front of Datameer that handles SSL connections on its own. Another way would be if the customer replaced the JVM's SSLSocketFactory with one that actually uses OpenSSL via JNI, but I expect that none of our customers would do that without talking to us about it.

Solution

There are scripts and tools available to test whether a customer's specific setup is affected. It's a good idea to use these to be on the safe side. (See https://filippo.io/Heartbleed/, for example.)