Heartbleed Bug Information for Altova Customers

Even though some Altova products before 2014r2sp1 contained vulnerable versions of the OpenSSL library, no Altova software was actually affected by the Heartbleed bug.

More Information

For more information and further discussion on the Heartbleed bug, please see http://heartbleed.com/ and http://en.wikipedia.org/wiki/Heartbleed.

Altova MissionKit Developer Tools, including Altova XMLSpy

Only some versions (2013 and 2014) of the Altova MissionKit products contain the OpenSSL library in the first place, and it is used only for cryptographic computations, not for actual SSL communication. The Heartbleed bug is therefore irrelevant in this context, because the library's SSL communication functions are not used. All Altova MissionKit products instead use the built-in Windows API functions for HTTPS communication with any servers, and those are not based on OpenSSL.

Altova Server Software Products

Even though some Altova Server Software Products (e.g., Altova RaptorXML Server and Altova FlowForce Server) include an HTTP interface, they are not affected by the Heartbleed bug, because this bug only affects client-server configurations that use the heartbeat extension. This is the definition of the heartbeat extension from the RFC:

"The Heartbeat Extension provides a new protocol for TLS/DTLS allowing the usage of keep-alive functionality without performing a renegotiation and a basis for path MTU (PMTU) discovery for DTLS."

This heartbeat extension is not supported in Altova Server Software products, and thus the Heartbleed bug does not affect our products.