- Budgeting, Planning & Forecasting
- Enterprise Accounting Software
- Financial Management Solutions
- Small and Medium Sized Business Accounting Software
- Treasury, Cash and Risk Management
- Business Activity Monitoring (BAM)
- Business Intelligence Software
- Business Process Management (BPM)
- Enterprise Performance Management
- Reporting and End-User Query Tools
- RFID-- Radio Frequency Identification
- Warehouse Management Software
- Customer Experience Management (CEM)
- Customer Information Management
- Sales and Marketing Software
- Enterprise Asset Management (EAM)
- Facilities Management and Maintenance
- Electronic Medical Billing Systems
- Healthcare Inventory Management
- Employee Benefits Administration
- Employee Relationship Management (ERM)
- Human Resources and Payroll Software
- Learning Management Systems (LMS)
- Workforce Planning and Management
- Enterprise Content Management
- Information Lifecycle Management
- Advanced Planning and Scheduling
- Integrated Manufacturing Solutions
- Manufacturing Enterprise Resource Planning (MERP)
- Product Life Cycle Management (PLM)
- Project Management Solutions
- Resource Planning and Scheduling
- Web, Video and Audio Conferencing
- Data Center Power Management
- Software-Defined Data Center (SDDC)
- Cloud Computing Applications
- Database Planning and Implementation
- Enterprise Application Integration
- Enterprise Application Integration Middleware
- Service Oriented Architecture (SOA)
- Business Service Management (BSM)
- Business Technology Optimization
- Enterprise Architecture Management (EAM)
- Enterprise Resource Management
- Enterprise Resource Planning (ERP)
- Information Technology Infrastructure Library (ITIL)
- IT Service Management (ITSM)
- Project Portfolio Management (PPM)
- Technology Planning and Analysis
- BYOD (Bring Your Own Device)
- Managed Service Provider (MSP)
- Network Configuration Management Software
- Fraud Detection & Prevention
- Intrusion Detection and Prevention
- IT Security Frameworks and Standards
- Threat and Vulnerability Management
- Virtual Private Network Security
- Data Center & Storage Solutions
- Network Attached Storage (NAS)
- Remote and Offsite Data Storage
- SAN Virtualization and Consolidation
- Application Lifecycle Management (ALM)
- Application Performance Management (APM)
- Enterprise Systems Management
- Software as a Service (SaaS)
- Software Configuration Management (SCM)
- Natural Language Processing (NLP)
- Electronic Catalog Management
- Electronic Commerce Interchange (EDI-XML)
Posted by Jeremy Kirk
Computer security experts are advising administrators to patch a severe flaw in a software library used by millions of websites to encrypt sensitive communications.
The flaw, nicknamed "Heartbleed," is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption. Most websites use either SSL or TLS, which is indicated in browsers with a padlock symbol.
The flaw, which was introduced in December 2011, has been fixed in OpenSSL 1.0.1g, which was released on Monday.
The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8, according to a special website set up by researchers who found the problem.
If exploited, the flaw could allow attackers to monitor all information passed between a user and a Web service or even decrypt past traffic they've collected.
"This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users," the researchers wrote.
The bug was discovered by three researchers from Codenomicon, a computer security company, and Neel Mehta, who works on security for Google.
The scope of the problem is vast, as many modern operating systems are suspected as having an affected OpenSSL version.
Operating systems that may have a vulnerable version of OpenSSL include Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2, they wrote.
The "oldstable" versions of Debian Squeeze and Suse Linux Enterprise Server are not vulnerable.
OpenSSL also underpins two of the most widely used Web servers, Apache and nginx. The code library is also used to protect email servers, chat servers, virtual private networks and other networking appliances, they wrote.
The problem, CVE-2014-0160, is a missing bounds check in the handling of the TLS heartbeat extension, which can then be used to view 64K of memory on a connected server, according to another advisory.
It allows attackers to obtain the private keys used to encrypt traffic. With those keys, it is also possible for attackers to decrypt traffic they've collected in the past.
The attackers can only access 64K of memory during one iteration of the attack, but the attackers can "keep reconnecting or during an active TLS connection keep requesting arbitrary number of 64 kilobyte chunks of memory content until enough secrets are revealed," according to the website.
It's unclear if attackers have been exploiting the flaw over the last two years, which was just publicly revealed on Monday. But attacks using the flaw "leaves no traces of anything abnormal happening to the logs," the researchers wrote.
Administrators are advised to apply the up-to-date version of SSL, revoke any compromised keys and reissue new keys.
Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk
Martin Veitch's inside track on today’s tech trends
Keri Allan looks at the latest trends and technologies
Trevor Clawson on the outlook for UK Tech startups
Do you think your smartphone is making you a workaholic?
Do you think your smartphone is making you a workaholic?
Yes
No
I'm working on keeping a work-life balance