Posted April 25, 2014
The Heartbleed bug (CVE-2014-0160) is a serious security vulnerability in the well-known OpenSSL cryptographic software library. Cleo has confirmed that all of its products, including but not limited to Cleo Harmony, Cleo VLTrader, Cleo LexiCom, and Cleo Streem, implement the secure protocols used by Cleo customers around the world with libraries other than OpenSSL. The FAQs below provide additional details.
Do I need to get an update to resolve the Heartbleed bug?
No, there is nothing you need to do with any of your Cleo software to resolve the Heartbleed bug. The secure protocols available in the Cleo products were implemented using other well-established libraries that are not vulnerable to the Heartbleed bug.
Why aren’t you impacted by this vulnerability?
The Cleo software does not use OpenSSL for its TLS/SSL protocol implementation. Cleo uses a product library that is not based on OpenSSL.
Is there anything that I need to be concerned about regarding Heartbleed?
Yes. Just because your Cleo software is not affected does not mean that the applications and trading partners you exchange data with are safe. The Heartbleed vulnerability can potentially expose data, usernames, and passwords; an attacker who obtains those credentials could connect to your system as though they were a legitimate partner. To exploit the vulnerability, a perpetrator would need to attack a non-Cleo system that happens to use certain functions of the OpenSSL library. This means that if any of your partners are exposed, they should immediately install the updated security patch, and you should revoke and reissue the appropriate security certificates and/or access credentials. Contact your relevant software supplier for more details.
Where can I learn more about the Heartbleed vulnerability?
A website has been set up to educate the public on this vulnerability and can be accessed at http://heartbleed.com.