4/11/2014 10:02:16 AM
Over the last few days, a vulnerability in the widely popular OpenSSL library, CVE-2014-0160, also known as Heartbleed, was published. After careful investigation, we have determined that no Thycotic software was affected by this vulnerability.
Our products themselves (Secret Server, Password Reset Server, Group Management Server, and Secret Server Online) use Microsoft's Internet Information Services and the .NET Framework for SSL and application development. These platforms use Microsoft's SChannel for SSL communication, not OpenSSL.
Secret Server itself does utilize OpenSSL for its web password changer functionality; however, the version of OpenSSL that was used, 0.9.8y, is not affected by Heartbleed.
We encourage customers to actively review their infrastructure for this vulnerability. While our products are not directly affected, it is possible that other supporting infrastructure may be at risk, such as a load balancer that supports SSL.
Thycotic Security Architect