Important Security Update from Scala regarding “Heartbleed”

Posted by admin in News

Toronto, ON, April 12, 2014 – At Scala, we take our partners’ and our customers’ security seriously. As you may know, this week a significant Internet security flaw, CVE-2014-0160, nicknamed “Heartbleed”, was discovered in a widely used piece of software known as OpenSSL. We’d like to share with you the status of Scala’s products and services, and what steps, if any, you should consider taking.

Our Content Manager web application can be deployed to support HTTPS. Content Manager uses the Java implementation of the SSL technology to encrypt your connections, and this implementation does not include any vulnerable versions of OpenSSL. This is true for all versions of Content Manager from the beginning of this product to the current Release 10.2.2.

That said, there are a couple of cases where you should look further at other aspects of the overall Content Manager network configuration:

1. If you use a network security appliance or front-end server to handle SSL encryption, then you should check with the corresponding vendor or check the configuration to see if this device is affected, and update it if necessary.

2. Content Manager uses the Tomcat web server (http://tomcat.apache.org). Tomcat supports an optional helper library called the “Apache Portable Runtime” (APR) or “Tomcat Native” library. This library boosts Tomcat’s performance by handling certain tasks, including SSL, more efficiently. Versions 1.1.24 through 1.1.29 of this library use a version of OpenSSL that is vulnerable to Heartbleed. Scala’s installers don’t deploy this library; if you or a third party added it to your Content Manager server, we recommend you remove it until a patched version becomes available.
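One way to check a Content Manager server for the Tomcat Native library described in item 2 is to look at the Tomcat startup log, which records whether the library loaded and at which version. The script below is an added example, not Scala’s or Tomcat’s own code; it assumes the “Loaded APR based Apache Tomcat Native library …” message format written by Tomcat 7, and the log lines it runs over are constructed samples.

```python
import re

# Startup line Tomcat writes when the APR / Tomcat Native library loads.
# Message format assumed from Tomcat 7 catalina logs.
TCNATIVE_RE = re.compile(
    r"Loaded APR based Apache Tomcat Native library (\d+(?:\.\d+)+)"
)

# Tomcat Native versions the advisory names as bundling a Heartbleed-affected
# OpenSSL: 1.1.24 through 1.1.29, inclusive.
VULN_LOW, VULN_HIGH = (1, 1, 24), (1, 1, 29)


def parse_version(text):
    """'1.1.29' -> (1, 1, 29), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def tcnative_status(log_lines):
    """Return (version, verdict) for a sequence of catalina log lines.

    verdict is 'not_loaded' (the state Scala's installers leave the server in),
    'vulnerable' (version inside the advisory's range), or
    'outside_listed_range' (loaded, but not in the range the advisory names).
    The last load message wins, since Tomcat may have been restarted."""
    version = None
    for line in log_lines:
        match = TCNATIVE_RE.search(line)
        if match:
            version = match.group(1)
    if version is None:
        return None, "not_loaded"
    if VULN_LOW <= parse_version(version) <= VULN_HIGH:
        return version, "vulnerable"
    return version, "outside_listed_range"


# Constructed sample logs for three hypothetical Content Manager servers.
SAMPLE_LOGS = {
    "cm-default": [
        "Apr 12, 2014 9:01:02 AM org.apache.catalina.core.AprLifecycleListener init",
        "INFO: The APR based Apache Tomcat Native library which allows optimal "
        "performance in production environments was not found on the java.library.path",
    ],
    "cm-with-tcnative": [
        "Apr 12, 2014 9:01:02 AM org.apache.catalina.core.AprLifecycleListener init",
        "INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.",
    ],
    "cm-old-tcnative": [
        "INFO: Loaded APR based Apache Tomcat Native library 1.1.20 using APR version 1.3.9.",
    ],
}

if __name__ == "__main__":
    for host, lines in SAMPLE_LOGS.items():
        print(host, *tcnative_status(lines))
```

A server reporting 'vulnerable' should have the library removed as the advisory recommends; 'outside_listed_range' only means the version is not one the advisory lists, so confirm it against the vendor’s own notes.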

We’ve verified the Content Manager services we host for our customers, and the security infrastructure around them, and they do not contain the vulnerable versions of OpenSSL and are thus not affected by the Heartbleed problem.

The Scala Android Player does include a version of OpenSSL that contains the vulnerable code. The Android Player is set up as a network client. The only way we are aware of to attack a network client containing a vulnerable version of OpenSSL is by compromising the server, or access to the server; we therefore recommend verifying the security of the server and of access to it.

The Scala Player for Windows / Windows Embedded, and Scala Designer, do not contain the vulnerable versions of OpenSSL, and are thus not affected by the Heartbleed problem.

Our customer-facing and partner-facing Scala web sites are not affected, with one exception:

The scala.com/scp partner portal was using the vulnerable version of OpenSSL, and has now been updated to mitigate the vulnerability.
We will have an additional information update regarding SignChannel early next week.

The nature of the Heartbleed problem means we have no way of knowing if that formerly vulnerable server was probed by malicious actors. We have no information that any data was compromised. Nonetheless, we recommend that our partners change the passwords they use for the scala.com/scp service.

If you have any questions, please don’t hesitate to contact your Scala Partner representative. We will get back to you as soon as possible. I am grateful to many members of the Scala technical staff who assisted in the analysis and response.

About Dot2Dot Communications

Dot2Dot provides one-stop, “concept-to-connection” solutions for all digital signage and ad-based communications. Based in Toronto, Canada, the Dot2Dot team delivers a unique combination of over 30 years’ hands-on experience, industry-leading proprietary ad management software, and sole Canadian distributorship for the world’s leading digital signage software company, Scala Inc. Our award-winning fully integrated solutions are backed by best-in-class partners to provide a full range of services from installation and network hosting to content strategy, creative design, scheduling, and audience measurement. Dot2Dot Communications is independently owned.
