Storix Security Alert for CVE-2014-0160

Description
This Security Alert addresses the security issue CVE-2014-0160 (US-CERT VU#720951), which affects software that uses the OpenSSL libraries. See http://www.heartbleed.com or http://www.us-cert.gov/ncas/current-activity/2014/04/08/OpenSSL-Heartbleed-Vulnerability for more details.

Impact
The Storix System Backup Administrator (SBAdmin) software is affected because OpenSSL libraries are statically compiled into the lightweight web server (lighttpd) used for the SBAdmin Web Interface (sthttpd daemon). The level of risk posed by this vulnerability depends on how widely the Web Interface can be reached. For example, if you are using the Web Interface behind a firewall within your local area network, you may be less at risk than if the web server is accessible from the public Internet.
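
Because OpenSSL is compiled into the web server binary, the version reported by the system's package manager says nothing about the copy inside it. The script below is an added example, not Storix tooling: it reads the OpenSSL banner embedded in a file given on the command line and flags the releases affected by CVE-2014-0160. The path to the sthttpd binary is not stated in this alert and must be supplied by the operator; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not Storix tooling. Heuristic only: it reads the OpenSSL
# banner compiled into a file. A patched build can keep an old banner, and a
# build without heartbeat support is not exposed whatever its banner says.

# Print each distinct OpenSSL version embedded in file $1, e.g. "1.0.1e".
embedded_openssl_versions() {
    # Turn non-printable bytes into newlines (a portable "strings"), then
    # keep only the version token that follows the "OpenSSL " banner.
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" |
        LC_ALL=C sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9a-z-]*\).*/\1/p' |
        sort -u
}

# Classify a version against the releases affected by CVE-2014-0160:
# 1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1 (1.0.1g is fixed).
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1-fips|1.0.1[a-f]-fips|1.0.2-beta|1.0.2-beta1)
            echo affected ;;
        *)  echo not-affected ;;
    esac
}

# Report every version embedded in file $1.
# Returns 0 = none affected, 1 = affected version present, 2 = no banner.
check_binary() {
    cb_rc=2
    for cb_v in $(embedded_openssl_versions "$1"); do
        cb_s=$(heartbleed_status "$cb_v")
        echo "$1: OpenSSL $cb_v ($cb_s)"
        if [ "$cb_s" = affected ]; then cb_rc=1
        elif [ "$cb_rc" -eq 2 ]; then cb_rc=0
        fi
    done
    if [ "$cb_rc" -eq 2 ]; then echo "$1: no OpenSSL banner found"; fi
    return "$cb_rc"
}

# Write a constructed sample to file $1: junk bytes around a banner for $2.
make_sample() {
    printf 'ELF\001\002\003OpenSSL %s (constructed sample)\377tail' "$2" > "$1"
}

# Usage: sh check.sh /path/to/binary   (the path is supplied by the operator)
if [ "$#" -gt 0 ]; then check_binary "$1"; exit $?; fi
```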

Solution
Storix strongly recommends that customers with the SBAdmin Web Interface configured update their SBAdmin software to the latest release as soon as possible. If you are unable to update at this time, Storix recommends that you discontinue use of the Web Interface and use the Graphical User Interface or Command Line Interface instead.

To un-configure the Web Interface, use the following command on the Admin System:

# stconfigweb -U

Supported Products Affected
The security vulnerabilities addressed by this Security Alert affect all Linux, PowerLinux, and AIX products with the SBAdmin Web Interface configured. This does NOT affect SBAdmin on Solaris SPARC or Solaris i386.