
OpenSSL - Heartbleed

juppy @ Tue Apr 08 03:30:45 EEST 2014
Is OpenSSL used by CrushFTP?
Is my server 6.4.0 vulnerable to the heartbleed bug?


spinkb @ Tue Apr 08 13:37:17 EEST 2014
I'm not certain how the OpenSSL vulnerability plays in with Java. Search for the same vulnerability in relation to Java...

OpenSSL isn't used directly, but Java internally may still be linking with those libraries...only Oracle would know that answer for certain.

CrushFTP uses the Java SSL libraries that are built into it.

Fuzz @ Tue Apr 08 15:43:15 EEST 2014
I tested my CrushFTP install here:

and it says that it is vulnerable.

juppy @ Wed Apr 09 01:58:23 EEST 2014
Tested mine too and it gave me a heartbeat timeout, which I can only guess is fine (like building without heartbeat).
Anyways I also updated the underlying Linux/OpenSSL installation.

Systems @ Wed Apr 09 03:15:23 EEST 2014
I tested mine before updating OpenSSL (I was a release behind) and got the return command "EOF".

I tested after updating OpenSSL to the latest version available to me on Ubuntu (Mon Apr 7 20:33:29 UTC 2014) and it still returns "EOF" in the tester.

spinkb @ Wed Apr 09 06:07:56 EEST 2014
CrushFTP is not vulnerable.

Only native libraries, not a Java-based app. Just like 99% of all the other vulnerabilities that exist, this doesn't affect CrushFTP. This exploit needs an app using a native reference to the OpenSSL implementation, and Java doesn't do that unless you write your own native code to do that (and we didn't).

So you are *not* vulnerable unless you're using Apache as the front end with CrushFTP running behind as a reverse proxy, or using a load balancer in front, etc. But CrushFTP is safe.

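A defender-side check for the condition spinkb describes above (a native OpenSSL library actually loaded into the server process), as an added example that is not code from this thread or from CrushFTP; it assumes a Linux host where /proc/<pid>/maps is readable and demonstrates on constructed sample map files:

```shell
#!/bin/sh
# Added example, not from the thread or from CrushFTP. Heartbleed needs a
# native OpenSSL library loaded into the process, so inspect the process
# memory map (Linux /proc/<pid>/maps) for libssl/libcrypto objects.

# Print the distinct OpenSSL shared objects mapped in a maps file, one per
# line; prints nothing when none are mapped. Field 6 is the backing path.
# NSS's libssl3.so deliberately does not match.
list_openssl_mappings() {
    awk '$6 ~ /\/lib(ssl|crypto)\.so/ { print $6 }' "$1" | sort -u
}

# Succeed (exit 0) when the maps file shows native OpenSSL, fail (1) otherwise.
maps_loads_openssl() {
    [ -n "$(list_openssl_mappings "$1")" ]
}

# Check a live process by PID, e.g. the JVM running the server (assumed PID):
#   pid_loads_openssl 1234
pid_loads_openssl() {
    maps_loads_openssl "/proc/$1/maps"
}

# Constructed sample maps: a JVM without native OpenSSL, and one with it.
JVM_ONLY_MAPS=$(mktemp)
cat > "$JVM_ONLY_MAPS" <<'EOF'
7f3a10000000-7f3a10200000 r-xp 00000000 08:01 131 /usr/lib/jvm/java-7/jre/lib/amd64/server/libjvm.so
7f3a10400000-7f3a10410000 r-xp 00000000 08:01 132 /usr/lib/jvm/java-7/jre/lib/amd64/libnet.so
EOF
NATIVE_SSL_MAPS=$(mktemp)
cat > "$NATIVE_SSL_MAPS" <<'EOF'
7f3a10000000-7f3a10200000 r-xp 00000000 08:01 131 /usr/lib/jvm/java-7/jre/lib/amd64/server/libjvm.so
7f3a10600000-7f3a10660000 r-xp 00000000 08:01 201 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f3a10700000-7f3a10800000 r-xp 00000000 08:01 202 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF

if maps_loads_openssl "$JVM_ONLY_MAPS"; then
    echo "sample 1: native OpenSSL mapped"
else
    echo "sample 1: no native OpenSSL mapped (Java SSL only)"
fi
if maps_loads_openssl "$NATIVE_SSL_MAPS"; then
    echo "sample 2: native OpenSSL mapped:"
    list_openssl_mappings "$NATIVE_SSL_MAPS"
fi
```

A mapped libssl only tells you the process can reach the native code; whether that copy is patched still comes from the distribution package version.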
Fuzz @ Wed Apr 09 09:31:18 EEST 2014
It took several tries to get it to work again (had lots of timeouts), but I did get another vulnerable response. I am running straight CrushFTP server, not through Apache or anything else.
