Does the "Heartbleed" vulnerability found in OpenSSL affect Notable Solutions products?
Recently a vulnerability in OpenSSL, a software library used by many server-based applications as well as consumer websites for encrypted communication, was reported. Upon notice of this issue with OpenSSL, Notable Solutions immediately reviewed all products in our portfolio which support SSL to determine if any were affected. The balance of this article details what we discovered in our analysis and what actions have been taken to remedy this matter.
Four components of AutoStore 6 were affected by this vulnerability:
- Ricoh ESA capture component
- Quick Capture Pro
- Bates Stamp Server
A patch which corrects this issue is included in the AutoStore Framework v10 and can be immediately downloaded via AutoStore's Software Updates service. A Bates Stamp Server update has also been released to address this issue. The AutoStore Framework v10 update must be applied to the machine which hosts the AutoStore Server. The Bates Stamp Server update must be applied to the machine which hosts Bates Stamp Server, which may be different from the machine where AutoStore is installed.
On a practical level, it is important to note most AutoStore customers are not really vulnerable to this issue, as our software typically only runs on private networks. Said another way, the intrusion would have to take place from within a customer's network for this vulnerability to be exploited.
Additional frequently asked questions
Q: Why does this only affect a subset of AutoStore 6?
A: It's important to know that AutoStore 5 and older customers are not affected by this issue. While older versions of AutoStore do use OpenSSL, they use an older version of the software which did not have this vulnerability.
Q: But NSi Mobile can optionally run across public networks. Can it be exposed?
A: No. The NSi Mobile client and server are not exposed to this issue, as the NSi Mobile server does not rely upon OpenSSL for Secure Socket Layer encryption.
Q: My company uses NSi Output Manager. Do I have anything to be concerned about?
A: No. No part of NSi Output Manager relies upon OpenSSL for Secure Socket Layer encryption.
Q: If my company uses both AutoCapture and the Ricoh capture component, do I need to install multiple patches?
A: No. For customers using AutoStore 6 with either of these components, a single update (available in the AutoStore Framework v10, downloadable through AutoStore Software Updates) patches these products.
Q: We use Quick Capture Pro at many remote locations. Do I need to update each instance of Quick Capture Pro?
A: No. The OpenSSL vulnerability is limited to the server side of the communication. As such, the only update required is the installation of AutoStore Framework v10, downloadable through AutoStore Software Updates.