XNAT, Heartbleed, and you

Most of you have probably heard about the Heartbleed exploit of the OpenSSL library. I won't go into detail, but this exploit risks exposing sensitive security data. You can find more information at the Heartbleed information site.

The Heartbleed exploit does not affect XNAT directly! XNAT does not use OpenSSL internally or in the application at all.

This is not to say that it cannot affect your XNAT installation. You are at some risk if you use one of the exploitable versions of OpenSSL to provide an HTTPS connection at your Tomcat or HTTP proxy (e.g. Apache HTTPD, nginx). It would be possible for an intruder to read the encrypted connection between a user's browser and the server. Once that is available, the intruder could see the user's login credentials in the HTTP transaction as the user logs in. They would also be able to monitor the contents of that traffic, potentially exposing PHI or other identifying information from the XNAT installation.

If you're not running one of the vulnerable versions of OpenSSL, you are fine! You can find a full list of vulnerable versions on the Heartbleed site, but basically it's versions 1.0.1 through 1.0.1f. If you have any other versions (e.g. most OSX installations have some version of 0.9.8), you're OK.

If you're still concerned, you can test your system in a couple ways:

  • If your system is accessible from the Internet, try the Heartbleed test site: http://filippo.io/Heartbleed.
  • Check what version of OpenSSL you're running. It's usually sufficient just to type openssl version at the command prompt. 
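As an added example (not part of the original XNAT post), the following POSIX shell function turns the second check into something you can run from a script: it takes the output of openssl version and reports whether the version falls in the 1.0.1 through 1.0.1f range the post lists. The function name and the sample version strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the XNAT post. Classify an "openssl version" string
# as falling inside the Heartbleed range the post names (1.0.1 .. 1.0.1f).
# Exit status 0 = inside the vulnerable range, 1 = outside it.
# Usage: heartbleed_vulnerable_version "$(openssl version)"
heartbleed_vulnerable_version() {
    # Typical input: "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips 11 Feb 2013".
    # Word-split the string so $1 is the product name and $2 the version.
    set -- $1
    case "$1" in
        LibreSSL) return 1 ;;        # LibreSSL forked from 1.0.1g, after the fix
        OpenSSL)  shift ;;           # drop the product name, leaving the version first
    esac
    # Strip build suffixes such as "-fips" so only the upstream version remains.
    ver=${1%%-*}
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 through 1.0.1f: the range in the post
        *)                return 1 ;;   # 1.0.1g and later, 1.0.0x, 0.9.8x: outside it
    esac
}

# Convenience wrapper: check the openssl binary found in PATH, if any.
# Exit status 0 = vulnerable range, 1 = outside it, 2 = no openssl binary.
report_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "no openssl binary in PATH"
        return 2
    fi
    v=$(openssl version)
    if heartbleed_vulnerable_version "$v"; then
        echo "inside vulnerable range: $v"
        return 0
    fi
    echo "outside vulnerable range: $v"
    return 1
}
```

Two caveats when reading the result. Linux distributions often backport the fix while keeping the upstream version number (a patched package can still print 1.0.1e), so a version in the range means "check the package changelog or your vendor's advisory", not a confirmed hole. The reverse also applies: the command-line openssl binary may not be the libssl that Tomcat's APR connector, Apache HTTPD or nginx is actually linked against, so inspect the library those processes load as well, and remember that a running server keeps the old library mapped until it is restarted after an upgrade.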

There are a couple things you can do to mitigate risk after the fact:

  • Make sure that the version of OpenSSL on your servers is upgraded to the newest version of OpenSSL with the fix to prevent the Heartbleed exploit.
  • Force users to change their passwords! There's a new feature in XNAT 1.6.3 that was designed for just this sort of situation. You can find more information in the User Password Security documentation.
