MidPoint Not Affected By OpenSSL Vulnerabilities

Yet another far-reaching vulnerability has shaken the IT world. This time, the affected component is OpenSSL. As midPoint does not use OpenSSL, it is not directly affected by the vulnerability. However, there are some cases where action may be required.

MidPoint is based on the Spring Framework and uses the cryptographic libraries provided by Java. These libraries do not use OpenSSL but have their own implementations, and thus they are not affected.

Additional services in your deployment (e.g. an SSL proxy or load balancer) may be affected by this vulnerability, and you need to consult the news and documentation for those particular products.

If you are still using the explicit Tomcat deployment model (deploying the midpoint.war file to your Apache Tomcat server), you may be affected if you are using tomcat-native. You should migrate your deployment to the default stand-alone deployment. The explicit Tomcat deployment was deprecated years ago, and we have been recommending the stand-alone model all along. If you are still deploying to Tomcat, there is nothing to wait for. Go stand-alone. Users running the official Docker images are safe, as those are based on the default stand-alone deployment.
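One way to check the Tomcat case described above, as an added example (not part of the original post or of midPoint's own tooling): the function reads a Tomcat startup log and reports whether tomcat-native was loaded and which OpenSSL build it initialized, so the result can be compared against the OpenSSL advisory. It assumes the startup messages written by Tomcat's AprLifecycleListener; the sample log lines and version numbers are constructed.

```shell
#!/bin/sh
# Added example: does a Tomcat startup log show tomcat-native loading OpenSSL?

# Constructed sample: Tomcat started with tomcat-native available.
sample_log_native() {
cat <<'EOF'
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.35] using APR version [1.7.0].
INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.5 5 Jul 2022]
EOF
}

# Constructed sample: Tomcat started without tomcat-native.
sample_log_plain() {
cat <<'EOF'
INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/lib]
EOF
}

# tcnative_report [LOGFILE]
# Reads LOGFILE (or stdin) and prints one line:
#   tcnative=<version> openssl=<build string>   native library was loaded
#   tcnative=not-loaded                         no load message in the log
tcnative_report() {
    if [ $# -gt 0 ]; then data=$(cat "$1"); else data=$(cat); fi
    # "Loaded [APR based ]Apache Tomcat Native library [x.y.z] using APR ..."
    tcn=$(printf '%s\n' "$data" |
        sed -n 's/.*Loaded .*Tomcat Native library \[\([^]]*\)\].*/\1/p' | tail -n 1)
    # "OpenSSL successfully initialized [OpenSSL x.y.z <date>]"
    ossl=$(printf '%s\n' "$data" |
        sed -n 's/.*OpenSSL successfully initialized \[\([^]]*\)\].*/\1/p' | tail -n 1)
    if [ -z "$tcn" ]; then
        echo "tcnative=not-loaded"
        return 0
    fi
    # The OpenSSL line is missing when the listener's SSL engine is disabled.
    echo "tcnative=$tcn openssl=${ossl:-unknown}"
}

sample_log_native | tcnative_report   # -> tcnative=1.2.35 openssl=OpenSSL 3.0.5 5 Jul 2022
sample_log_plain | tcnative_report    # -> tcnative=not-loaded
```

Run it against the log of the most recent startup (for example `tcnative_report catalina.out`, path assumed), since the result only reflects what that startup loaded.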

