15-Apr-2014

Ascert provides response to Heartbleed vulnerability
Since OpenSSL announced its Security Advisory CVE-2014-0160 on 7th April, Ascert has been approached by multiple customers regarding the impact on Ascert's products and services.

The result of our preliminary investigation indicates that our products and services have not been impacted. In particular:
  • Our public websites (such as do not use the vulnerable versions of OpenSSL
  • Our VersaTest products that contain SSL capabilities are written in Java, which has its own SSL/TLS implementation and so is not vulnerable. It should be noted, however, that the flexible design of VersaTest would allow customers to replace the Ascert-provided Java Security Provider with one of their own choosing. This is unlikely, but customers should review whether this is the case and, if so, what the consequential exposure would be.

Note that since this exploit affected many services worldwide, and people have a tendency to re-use the same password across multiple sites, customers should in any case strongly consider changing their passwords.

Our investigation is continuing, and if we have any more details we will update this article.

