Is FileMaker Server affected by the heartbleed bug? or WebDirect if we're using SSL on public facing site?
Anyone at FileMaker going to comment on this question?
I am not employed at FileMaker Inc.
However, it is only FMS13v1 that is using OpenSSL, which is in question here. No previous versions.
But, though it is using this, the way it is implemented results in very little chance that it could be hacked.
You can try out this tool to test your installation, though it is not 100%
Hmmm. None of my Apple servers (not just the FMS servers) were reported as vulnerable? We run a host of server types as well.
I emailed our local SA who replied
FileMaker engineering is aware of this issue, we are actively researching to determine next steps.
So it looks like they're on top of things :-)
@Claus - not so - previous versions of FM have used OpenSSL, including for communication between FM client and FM Server
@Ron - the best way to be sure is to check the version of OpenSSL installed on your server. "openssl version" from the command prompt and ensure that it's not 1.0.1 through 1.0.1f inclusive (FWIW my MacBook with 10.9.2 reports OpenSSL 0.9.8y 5 Feb 2013)
FileMaker engineering is aware of this issue, we are actively researching to determine next steps. So it looks like they're on top of things :-)
Sure, they are
Got that info from Terry....
So it looks like they're on top of things :-)
Sure, they are
You're not convinced huh...?
@Claus - not so - previous versions of FM have used OpenSSL, including for communication between FM client and FM Server
Got that info from Terry....
Interesting - if you search the FM support forums for OpenSSL (I went there first when clients started asking questions) you turn up a range of questions relating to versions in the 7 - 9 range, but then don't see anything again till the v13 release notes.
steveWinter wrote: So it looks like they're on top of things :-)
Sure, they are
You're not convinced huh...?
Yes I am... sorry, I can now see that my reply could be misunderstood.
I know they are on top of things and I rest in peace as I am certain that those very skilled engineers in the server dept. will sort this out.
And with the couple of tests I made, I am not worried about FMS.
..I am more worried about other sites and services.... read that an estimated 66% of all SSL encrypted sites/services had this vulnerability.... and it has possibly been around for 2 years....
A couple of good summaries of what heartbleed is and how it works (sampling random system memory) are at:
I get the feeling that the OpenSSL version is what is installed on the operating system and not FileMaker, and FileMaker (and other apps) just call the library for the functions they need. In terminal on my old Mac Pro 10.8.5, I ran "openssl version" and got back "OpenSSL 0.9.8y 5 Feb 2013", which is not in the 1.0.1 to 1.0.1f range of vulnerable versions (fix is in 1.0.1g). On my MacBook Air with Mavericks (10.9.2) on it, I got the same result.
According to PC World article:
According to this TUAW article, the Mac OS X ecosystem has not made use of the vulnerable versions, so you are safe with Mac OS X:
OK, I looked up the Mac stuff.... but would like to hear from a Windows person so I know what to tell my Windows clients.
Remember the vulnerability is on the server and if you're just a client connecting to a server, you can't do anything to fix this at your end.
If you would like to test a server you want to connect to before connecting, go to this web page and put in the server's IP or URL address to see if it is vulnerable:
If you already have credentials on that server, wait until they update the server before resetting your passwords.
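As an added example (my own, not code from this thread or from FileMaker Inc.), here is a POSIX shell script for the check Steve and the post above describe: it classifies the banner printed by "openssl version" against the 1.0.1 through 1.0.1f range, and it also scans a directory for OpenSSL library files and reads the version banner embedded in each binary, because server software can ship its own copy of the library rather than use the OS one. The library file names it looks for and the sample "libraries" it builds in demo_scan are constructed assumptions, and the FileMaker Server path in the usage comment is only an example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FileMaker Inc.
# Two defender-side checks for the Heartbleed exposure discussed above:
#   1. classify the banner printed by "openssl version"
#   2. look for OpenSSL libraries bundled inside an application directory
#      and read the version banner embedded in each binary, because server
#      software can ship its own copy instead of using the OS library.
# Library file names below are assumptions covering common Linux, macOS and
# Windows naming; the sample files in demo_scan are constructed.

# is_heartbleed_vulnerable "BANNER"
# Prints "vulnerable" for 1.0.1 through 1.0.1f inclusive, "ok" for any
# other version (1.0.1g and later, 1.0.0x, 0.9.8x) and "unknown" if no
# version number can be found in the string.
is_heartbleed_vulnerable() {
    # Pull the first token that looks like x.y.z[letters], dropping a
    # vendor suffix such as "-fips"; works for a bare "1.0.1e" and for the
    # full banner "OpenSSL 1.0.1e 11 Feb 2013".
    ver=$(printf '%s\n' "$1" | tr ' \t' '\n\n' \
        | grep -E '^[0-9]+\.[0-9]+\.[0-9]+[a-z]*(-[A-Za-z0-9]+)?$' \
        | head -n 1 | sed 's/-.*//')
    case "$ver" in
        '')               echo unknown ;;
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        *)                echo ok ;;
    esac
}

# scan_bundled_openssl DIR
# Finds files named like OpenSSL libraries under DIR and prints one
# tab-separated line per file: status, banner (or a note), path.
# grep -a treats the binary as text so the embedded banner is found.
scan_bundled_openssl() {
    find "$1" -type f \( -iname 'libssl*' -o -iname 'libcrypto*' \
                         -o -iname 'ssleay32.dll' -o -iname 'libeay32.dll' \) 2>/dev/null \
    | while IFS= read -r f; do
        banner=$(grep -a -o -m1 -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*' "$f" \
                 | head -n 1)
        status=$(is_heartbleed_vulnerable "$banner")
        printf '%s\t%s\t%s\n' "$status" "${banner:-no banner found}" "$f"
    done
}

# demo_scan: builds constructed sample "libraries" in a temp directory and
# runs the scan against them, so the script can be tried without a server.
demo_scan() {
    d=$(mktemp -d)
    printf 'hdr\001OpenSSL 1.0.1c 10 May 2012\001data' > "$d/ssleay32.dll"
    printf 'hdr\001OpenSSL 1.0.1g 7 Apr 2014\001data'  > "$d/libssl.so.1.0.0"
    printf 'unrelated file'                              > "$d/readme.txt"
    scan_bundled_openssl "$d"
    rm -rf "$d"
}

# Typical use on a real host:
#   is_heartbleed_vulnerable "$(openssl version)"
#   scan_bundled_openssl "/Library/FileMaker Server"   # example path only
demo_scan
```

One caveat when reading the result: Linux distributions that backport security fixes (Debian and Red Hat did so for Heartbleed) keep reporting the old version string, so a "vulnerable" verdict from the banner alone should be confirmed against the vendor's advisory or the package changelog before anyone is told to re-key or reset passwords.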
Apparently default versions of Windows Servers (2003, 2008, 2012) do not use OpenSSL, they use SChannel implementation instead and therefore are not vulnerable to Heartbleed.
More info at: http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
Taylor that's true of IIS, and therefore true of WebDirect or IWP hosted on a Windows server.
FileMaker Server itself however installs OpenSSL (as a .dll) on a Windows FileMaker server for use in the encryption of data between (at least) FileMaker Client and FileMaker server. (see http://help.filemaker.com/app/answers/detail/a_id/11954/).
Clearly this is much harder for any would-be hacker to exploit, however if the version in use is 'at risk', then it remains theoretically possible (in my view).
It sure would be nice if FileMaker would simply confirm if it is using OpenSSL libraries and what version. So far I can't seem to find anything here or in FileMaker's Knowledge Base that says what they are using. The following reference is from the knowledge base and all it does is confirm they use OpenSSL, not what version:
A little more transparency by FileMaker Inc. sure would be nice.
FMI is aware of this issue.
Stay tuned for updates in the near future....
I agree Claus... and you seem to be closer to an inside track than anyone else in this thread. So thanks for your input.
But my point is that such things as what version of the OpenSSL they are using should be a part of the technical specifications and available for us to just look up. This should be a real easy answer and their delay in response worries me some. I do think that FileMaker could be more transparent about what standards they are using to build the software. It would help build better trust and confidence, or alert us if there are vulnerabilities. Silence on such issues forces some organizations, particularly governmental and financial institutions, to just shut things down until they know for sure if there is a vulnerability or not because they can't take a chance. If anyone else has been through a security audit, you know how frustrating that can be.
Anyway, Claus, let us know if you hear anything else from the mothership! Thanks.
Apparently default versions of Windows Servers (2003, 2008, 2012) do not use OpenSSL, they use SChannel implementation instead and therefore are not vulnerable to Heartbleed.
More info at: http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
OS X and OS X Server default installs are safe too:
No work here to be done =)
I can not speak for FMI on why they have not public announced anything yet.
However, my experience with most American corporations is that they tend to be scared that they will be sued any second.... which is probably also the case in the US. That makes them much more careful about what they can/will/dare to announce publicly.
You don't see any documentation on which components are part of the FileMaker Platform, and probably never will. The reason is probably the fact that it is a proprietary platform, where FMI actually has invented a range of technologies.
You can always argue that they should disclose such info and much more, but.... I think it is understandable that they don't do that.
However, in this case, only FMS13v1 has a vulnerable version of OpenSSL. And, there is no known way to exploit the hack on FMS13, due to the implementation FMI has done.
Sure, we will hear more from FMI in the near future..
@John, while I am not sure of the exact implementation on Windows, remember that software (server software) can install its own version of OpenSSL, and you can not be sure that it is using the OS version. Windows OS doesn't use OpenSSL, but a software server could have installed it and thereby make the server vulnerable. Just remember that it has to be one of 2 specific versions of OpenSSL.
You make some good points about transparency, Taylor. However, the opposite view is it's not necessarily a good idea to advertise when your software has a vulnerability. It's somewhat akin to putting a sign in your front yard that says, "Lock on back door broken."
I'm reminded of the man-in-the-middle vulnerability Apple had a short time ago. They said nothing about it, even though it was in the wild for, what, a year? Probably wise, in retrospect, to avoid shouting an exploitable hole from the rooftops.
Just another perspective to consider.
I dunno, Mike. To me it's more like saying "the lock on the back door is a Widget-X deadbolt system" - if someone knows of a fault with that type of lock and exploits it, word will get around that you have to stop using that lock and put in a different one to avoid the exploit.
Right now, we have a lot of FUD impacting the efficient identification and replacement of a faulty part. This is one of the issues around "security by obscurity" - too much time spent on the identification of whether or not a problem affects something under your control.
The Apple MIM attack is a similar situation; I think it shows a lack of due concern on Apple's part to not alert customers to a potential issue. Culturally, they only say something when they have a complete solution (or as near to one as is realistically possible), which allows them to work the way they want to but denies their customers the same capability.
Regarding the fear of being sued - I'm sure there are some people out there who will take such an action as a matter of course no matter what you do, but the vast majority just want their problems resolved. Demonstrate to your customers that you are working in partnership with them to solve issues and legal action is incredibly unlikely - and the lawsuits that are filed are much more likely to be dismissed or found in your favour.
That would only be true if - and it’s a big “IF” - you can actually do something about the Widget-X deadbolt. Are we in a position to replace the components that have the vulnerability in FMS?
Probably not. All we can do is tell the customer, “Well, we have this vulnerability, and we have to wait for FileMaker to fix it.” Uh … how is that an improvement? You might argue that we know it’s a problem. Okay, great. But we can’t do a thing about it; all we can do is wait for a fix. In the meantime, we advertised the problem to any miscreant who wants to take advantage of it.
That’s why I don’t agree that publishing vulnerabilities - until there’s a fix - is necessarily a best practice.
IanJempson wrote: Is FileMaker Server affected by the heartbleed bug? or WebDirect if we're using SSL on public facing site?
http://heartbleed.com
Ian
Thanks for your patience.
FileMaker, Inc. has released a software patch for FileMaker Server 13.0v1. This hotfix addresses an issue where the OpenSSL library used by FileMaker Server 13.0v1 was vulnerable to the “Heartbleed” bug. This hotfix includes OpenSSL 1.0.1g, which is not vulnerable to the bug.
You can find out more here...
Thanks, Steve. I updated two EMR database servers this morning without a hitch and they are working no differently.
Maybe no need to panic: http://www.theverge.com/2014/4/11/5604300/heartbleed-may-not-leak-private-ssl-keys-after-all
Read to the bottom of the page:
Update April 11, 9:39PM EST: Cloudflare now states that the Heartbleed bug has been successfully used to retrieve SSL keys, despite its earlier claim.
Yes, I noticed Malcolm, I withdraw my previous comments sadly.
I do a lot of support for family & friends (thanks to TeamViewer it usually doesn't take more than a few minutes) but it is astonishing to hear how many get along in life with just one or two passwords for all sites they visit, including banks. If I got a commission for every time I sell 1Password, I would not need that many FMP dev hours to earn a living.
Heartbleed is now widely on the general news & newspapers and hopefully this will be a wakeup call for such users.