MobileIron and Good confirm invulnerability to "Heartbleed" OpenSSL attack (updated with more providers)

Your rating: None (3 votes)

We've been following the recent disclosure of a massive OpenSSL bug and its affect on MDM. This is a potentially major issue for device management. Due to the trust chain of Apple's APNS, an exposed MDM server may require all devices to be unenrolled and reenrolled by hand.

We've heard good news so far (excuse the pun) from two three four providers:

Good Technology says:

Good Technology has confirmed that the versions of OpenSSL used by all Good servers and applications are not subject to the Heartbleed vulnerability.

MobileIron says (courtesy of EnterpriseiOS user MaciekSA):

  • All released versions of VSP, Sentry, Connector, Atlas, Connected Cloud and cloud-hosted BYOD portal are NOT affected by the vulnerability and NO action is required by our customers.
  • The on-premise BYOD Portal MAY by affected by the vulnerability, depending on the version of OpenSSL that is packaged with your version of Linux currently installed on your BYOD Portal server.

Update 4/10 5:50p: Maas360 is also fine.

Update 4/10 10:43p: AirWatch is also unaffected. See this VMWare KB article.

Update 4/11 4:02a: TARMAC is also unaffected. See this notice in German.

Update 4/14 2:25p: SOTI is also unaffected. See this notice.

I've reached out to other vendors but have not yet heard a response. If you have any news please share below, and I will update the thread.

It is worth repeating that the vulnerability is not the fault of the MDM vendor and not the fault of Apple. It's in a library of cryptographic functions that is very commonly used within other applications.

Share your ideas

Aaron Freimark's picture

Aaron Freimark

Joined: Nov 6, 2010
WWW

Good's Statement

Your rating: None

See this for Good's public statement:
https://community.good.com/blogs/product_blog/2014/04/09/heartbleed-open...

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO

Top
ChrisTx's picture

ChrisTx

Joined: Nov 5, 2013

MaaS360 by Fiberlink

Your rating: None

See link for MaaS360 by Fiberlink's public statement:

http://www.maas360.com/maasters/blog/newsonthemove/heartbleed-stemmed-fo...

Top
ChrisTx's picture

ChrisTx

Joined: Nov 5, 2013

iOS and Heartbleed

Your rating: None

Apple made a statement that iOS and "Key Web Services" were not affected by Heartbleed:
http://recode.net/2014/04/10/apple-says-ios-osx-and-key-web-services-not...

Top
Aaron Freimark's picture

Aaron Freimark

Joined: Nov 6, 2010
WWW

Updated

Your rating: None

I've updated the list based on new info. Thanks for keeping this current.

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO

Top
adrianthomas's picture

adrianthomas

Joined: Oct 4, 2011
WWW

TARMAC not affected

Your rating: None

Our product, TOWER ONE TARMAC, is not affected by the issue.
There's more information on our German blog:
http://tower-one.net/de/news/262-sicherheit-von-tarmac-nicht-durch-opens...

Top
thomrburg's picture

thomrburg

Joined: Jun 8, 2012
WWW

Citrix XenMobile is vulnerable

Your rating: None

From http://support.citrix.com/article/CTX140605:

Citrix XenMobile App Controller: XenMobile App Controller versions 2.9 and 2.10 are vulnerable to CVE-2014-0160. Details regarding the availability of patches for these versions will be added to this document as soon as they are available. In deployments where the App Controller is deployed behind a NetScaler, or other gateway device that terminates the TLS connection, the level of exposure is reduced.

--
Thomas Burgess
@thomrburg | www.thomrburg.tk

Top
fcsmactech's picture

fcsmactech

Joined: Mar 2, 2013
WWW

JAMF Software products and services

Your rating: None

Statement released by JAMF Software:
https://jamfnation.jamfsoftware.com/discussion.html?id=10317

Top

Recent Activity