Thursday, April 10, 2014
EFT™ Unaffected by "Heartbleed" Exploit; Workarounds are Available for Mail Express™
Secure File Transfer
On Tuesday, April 8th, when Globalscape® became aware of the OpenSSL vulnerability nicknamed "Heartbleed," our Support team immediately addressed customers' concerns in the user forum and on the phones. This was quickly followed by a Knowledgebase article describing the problem, and emails directly to customers to assuage their concerns.
Globalscape is extremely conscientious in all matters regarding information assurance and protection of information flowing through our software products. Given the severity of this vulnerability—and the high levels of anxiety caused by the breadth of coverage on this issue—Globalscape would like to communicate to everyone that the Enhanced File Transfer™ (EFT™) platform is safe and always has been. Our software engineering experts have verified that no version of EFT is vulnerable to the Heartbleed exploit. All versions of EFT Enterprise and EFT Standard (including deployments using Globalscape DMZ Gateway®) are safe from this exploit, because the version of the OpenSSL library that the EFT product uses does not include the TLS Heartbeat functionality and is therefore not vulnerable to this attack.
Mail Express™ v3.3 and later, however, may be vulnerable depending on how you've implemented it on your network. Mail Express v3.3 and later use two different secure communication implementations, depending on the communication path being used.
- If you use DMZ Gateway in conjunction with Mail Express, Mail Express will not be affected. Mail Express uses a different library for its communication with DMZ Gateway and therefore is not susceptible to this vulnerability.
- If you do not use DMZ Gateway, Mail Express is using OpenSSL v1.0.1c, which has been identified as a vulnerable version. Work is in progress to update the SSL library to eliminate this vulnerability. Refer to the Knowledgebase article linked above for workarounds to protect Mail Express.
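The two conditions described above (an OpenSSL release in the affected range, and a build that includes the TLS Heartbeat code) can be checked from `openssl version -a` output on a host that has the OpenSSL command-line tool. The following is an added example, not Globalscape code; the affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1) comes from the OpenSSL project's advisory rather than from this article, and the sample outputs are constructed.

```python
import re

# Matches the banner line of `openssl version`, e.g. "OpenSSL 1.0.1c 10 May 2012".
_VERSION = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?")


def heartbleed_status(version_output):
    """Classify `openssl version -a` output by upstream release and build flags.

    Assumption: the affected upstream range is 1.0.1 through 1.0.1f plus
    1.0.2-beta1 (per the OpenSSL advisory, not stated in this article).
    Distribution packages may backport the fix without changing the letter,
    so "affected" means "in the affected upstream range; confirm with the vendor".
    """
    m = _VERSION.search(version_output)
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, pre = m.group(4), m.group(5)
    if pre:
        # Only one pre-release is classified here; others need manual review.
        if not (release == (1, 0, 2) and pre == "-beta1"):
            return "unknown"
        in_range = True
    else:
        # "" (plain 1.0.1) sorts before "a", so 1.0.1 .. 1.0.1f are in range.
        in_range = release == (1, 0, 1) and letter <= "f"
    if not in_range:
        return "not affected"
    # A build compiled with this flag has no heartbeat code to exploit.
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "not affected (heartbeat compiled out)"
    return "affected"


# Constructed sample outputs (not captured from any Globalscape product).
SAMPLES = {
    "1.0.1c, default build": "OpenSSL 1.0.1c 10 May 2012\ncompiler: gcc -DOPENSSL_THREADS",
    "1.0.1e, heartbeat off": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS",
    "1.0.1g, fixed release": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -DOPENSSL_THREADS",
    "0.9.8y, pre-heartbeat": "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -DOPENSSL_THREADS",
}

if __name__ == "__main__":
    for label, output in SAMPLES.items():
        print(f"{label}: {heartbleed_status(output)}")
```

This only inspects the OpenSSL command-line tool's own build; an application that bundles its own copy of the library has to be checked against the version its vendor reports.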
Our Customer Support and Engineering teams are actively assisting Mail Express customers with reconfiguring their systems to protect them from this vulnerability. For more information, refer to the following resources, or contact Globalscape Customer Support at 1-210-366-3993.