OpenSSL is said to be powering two thirds of the secure communication on the Internet. The Heartbleed bug is a very serious vulnerability in this popular software library. According to heartbleed.com, it “allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users”.

Our ODBC Client/Server components in the SimbaEngine SDK have used OpenSSL since version 8.0.0, released in Nov 2009. Over the last few days, many SimbaEngine SDK customers have reached out to us. They were anxious to know whether their solutions based on SimbaEngine SDK are vulnerable. The short answer is: No, you are safe.
This bug does not affect all versions of OpenSSL. According to heartbleed.com, here is the status of the different OpenSSL versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
SimbaEngine SDK 8.0.x releases are on the OpenSSL 0.9.8 branch, so they are not vulnerable to this bug. SimbaEngine SDK versions from 8.1 to the latest 9.2 are on the OpenSSL 1.0.0 branch, so they are not affected either. I must say that we are very lucky. I hope you are as lucky as we are.
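To check your own builds against the version list above, here is an added example (not Simba's or OpenSSL's code) that classifies the string printed by `openssl version`. The function names, status labels and sample strings are assumptions made for illustration. A distribution may backport the fix without changing the version letter, so treat a "vulnerable" result as a prompt to check the package changelog.

```python
import re

# Version token in `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# Group 4 is the patch letter(s); group 5 flags pre-release builds.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:beta|pre|dev)\w*)?")


def parse_openssl_version(text):
    """Return ((major, minor, fix), patch_letters, is_prerelease)."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    return branch, m.group(4), m.group(5) is not None


def heartbleed_status(text):
    """Classify a version string using only the ranges listed in the post."""
    branch, patch, prerelease = parse_openssl_version(text)
    if prerelease:
        return "unlisted"  # the post's list does not cover pre-releases
    if branch == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are listed as vulnerable; 1.0.1g is not.
        # Comparing (length, letters) sorts multi-letter suffixes after "z".
        in_range = (len(patch), patch) <= (1, "f")
        return "vulnerable" if in_range else "not vulnerable"
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"
    return "unlisted"  # a branch the post does not mention


# Constructed sample strings in the shape `openssl version` prints.
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print("%-34s %s" % (sample, heartbleed_status(sample)))
```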