PRODUCT NOTICE #4-20-14-1
DATE:
4/20/2014
PRODUCT:
Digi ARM Embedded Software Platforms (Various)
REASON:
OpenSSL “Heartbleed” Vulnerability (CVE-2014-0160) Advisory
PRODUCTS AFFECTED:
Digi Application Development Kit for Android
Windows Embedded Compact 6/7
Digi Embedded Linux
Digi Embedded Yocto
NET+OS
NOTICE:
This product notice provides general advice to customers regarding the recently discovered “Heartbleed” vulnerability affecting OpenSSL versions 1.0.1 through 1.0.1f only. Other OpenSSL versions are not affected.
The table below summarizes the specific Digi embedded software development platform versions and their known exposure to the “Heartbleed” vulnerability as well as applicable mitigation options. Versions that are not listed below are not considered affected.

| Platform | Status | Affected Version | Mitigation/Comments |
|---|---|---|---|
| NET+OS | Not Affected | N/A | NET+OS implements OpenSSL v0.9.8g/plus #1276: TLS Extensions/RFC 3546 Patch (or earlier). |
| Digi Embedded Linux | Affected | 5.9 | Hotfix available through Digi Package Manager. |
| Digi Embedded Yocto | Affected | 1.4 | See Digi Technical Support Knowledgebase Article #3566: http://www.digi.com/support/kbase/kbaseresultdetl?id=3566 |
| Windows Embedded Compact 6/7 | Not Affected | N/A | SSL/TLS implementations of Windows Embedded Compact are not based on OpenSSL. |
| Digi ADK for Android | Not Affected | N/A | All Android platform releases with the exception of 4.1.1 (JB) are not affected. See official Google Online Security post below for reference: http://googleonlinesecurity.blogspot.in/2014/04/google-services-updated-to-address.html |
Please refer to the official Digi “Heartbleed” Security Notice posted at http://www.digi.com/lp/security/ for additional information, including resources to test existing devices and their software for possible exposure.
As a security best practices guideline, Digi still strongly advises all customers to test software builds for exposure to the “Heartbleed” vulnerability and take the appropriate mitigation steps as quickly as possible.
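As a first-pass triage for the build testing advised above, the following added example (not Digi's code or tooling; the function names and sample banners are constructed) classifies `openssl version` banners against the 1.0.1 through 1.0.1f range named in this notice. A version string cannot show whether a hotfix was applied, so an "affected" verdict marks a build for follow-up rather than proving exposure.

```shell
#!/bin/sh
# Added example: triage OpenSSL version banners against the range in this
# notice (1.0.1 through 1.0.1f). Function names are hypothetical.

# heartbleed_status "<banner or bare version>"
# Prints one of: affected | not-affected | unknown
heartbleed_status() {
    # Take the first token shaped like an OpenSSL version (1.0.1e, 0.9.8g, 1.0.1e-fips).
    ver=$(printf '%s\n' "$1" | tr ' ' '\n' |
        grep -E '^[0-9]+\.[0-9]+\.[0-9]+[a-z]*(-[A-Za-z0-9.]+)?$' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }

    base=${ver%%-*}                 # drop a build suffix such as "-fips"
    case "$base" in
        1.0.1|1.0.1[a-f]) echo affected ;;
        *)
            # Suffixed builds outside the listed range (betas, vendor builds)
            # are not covered by the notice: flag them for manual review.
            if [ "$base" = "$ver" ]; then echo not-affected; else echo unknown; fi ;;
    esac
}

# scan_inventory: reads "build-name|version banner" lines on stdin, prints a
# verdict per build, and returns 1 if any build is in the affected range.
scan_inventory() {
    rc=0
    while IFS='|' read -r name banner; do
        [ -n "$name" ] || continue
        status=$(heartbleed_status "$banner")
        printf '%-10s %-14s %s\n' "$name" "$status" "$banner"
        if [ "$status" = affected ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample inventory (banner format follows `openssl version` output).
SAMPLE_BUILDS='build-a|OpenSSL 1.0.1e 11 Feb 2013
build-b|OpenSSL 0.9.8g 19 Oct 2007
build-c|OpenSSL 1.0.1g 7 Apr 2014
build-d|OpenSSL 1.0.1e-fips 11 Feb 2013'

printf '%s\n' "$SAMPLE_BUILDS" | scan_inventory ||
    echo "At least one build needs follow-up."
```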