Most of you have probably heard about the Heartbleed exploit of the OpenSSL library. I won't go into detail, but this exploit risks exposing sensitive security data. You can find more information at the Heartbleed information site.
The Heartbleed exploit does not affect XNAT directly! XNAT does not use OpenSSL internally or in the application at all.
This is not to say that it cannot affect your XNAT installation. You are at some risk if you use one of the exploitable versions of OpenSSL to provide the HTTPS connection at your Tomcat or HTTP proxy (e.g. Apache HTTPD, nginx). It would be possible for an intruder to open the encrypted connection between a user's browser and the server. Once that is available, the intruder could see the user's login credentials in the HTTP transaction as the user logs in. They would also be able to monitor the contents of that traffic, potentially exposing PHI or other identifying information from the XNAT installation.
If you're not running one of the vulnerable versions of OpenSSL, you are fine! You can find a full list of vulnerable versions on the Heartbleed site, but basically it's versions 1.0.1 through 1.0.1f. If you have any other versions (e.g. most OSX installations have some version of 0.9.8), you're OK.
If you're still concerned, you can test your system in a couple ways:
- Run "openssl version" at the command prompt.
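As an added example (not part of this post or of XNAT itself), here is a small POSIX shell script that runs that check for you and compares the reported version against the range named above, 1.0.1 through 1.0.1f. The function names heartbleed_version_check and check_local_openssl are my own; the version strings in the comments are constructed samples of what "openssl version" prints.

```shell
#!/bin/sh
# Added example, not XNAT code: classify an `openssl version` string against
# the range the post calls vulnerable (1.0.1 through 1.0.1f).

# heartbleed_version_check "OpenSSL 1.0.1e 11 Feb 2013"
# Returns 0 (true) when the version is in 1.0.1 .. 1.0.1f, 1 otherwise.
# Anything that is not an OpenSSL banner (e.g. "LibreSSL 2.8.3") yields an
# empty version and is reported as not in the range.
heartbleed_version_check() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1, 1.0.1a ... 1.0.1f: affected
        *)                return 1 ;;   # 0.9.8x, 1.0.0x, 1.0.1g and later, 1.0.2: not in range
    esac
}

# Wrapper over the library actually on PATH on this host.
# Exit status: 0 = in the affected range, 1 = not, 2 = openssl not found.
check_local_openssl() {
    out=$(openssl version 2>/dev/null) || { echo "openssl not found on PATH"; return 2; }
    if heartbleed_version_check "$out"; then
        echo "POSSIBLY VULNERABLE: $out"
        return 0
    fi
    echo "not in the affected range: $out"
    return 1
}

# Run the local check when executed directly (a constructed usage call).
[ "${0##*/}" = "heartbleed_check.sh" ] && check_local_openssl
```

Two caveats when you read the result. First, run it on the machine that terminates HTTPS (the Apache HTTPD or nginx proxy, or Tomcat if it serves TLS directly), and make sure the openssl binary on PATH is the one that proxy is linked against; a second copy of the library elsewhere on the system is what matters if that is what the proxy loads. Second, Linux distributions often backport the fix without bumping the version string, so a "1.0.1e" reported by a fully patched Debian, Ubuntu or Red Hat package can be fixed while this check still flags it; treat a hit as "confirm with your package manager's changelog", not as proof.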
There are a couple things you can do to mitigate risk after the fact: