Pivotal tc server (or Tomcat) itself in not affected by CVE-2014-0160 (Heartbleed bug) since it is not distributed with the OpenSSL libraries.
However, the INSTANCE of Pivotal tc server / Tomcat has the potential of being affected depending on how it was configured. The configuration questions below will help determine your vulnerability. If response to all three (3) questions are true, then the instance is vulnerable.
1. Is the CONNECTOR on server.xml configured with
protocol = org.apache.coyote.http11.Http11AprProtocol (APR/native)?
BIO and NIO connectors are NOT affected since they are using Java Secure Socket Extension (JSSE). If the protocol attribute is set to “org.apache.coyote.http11.Http11Protocol” (blocking java connector) or “org.apache.coyote.http11.Http11NioProtocol” (non-blocking Java connector) then you are using BIO or NIO respectively.
APR/Native Connector is potentially affected because if uses OpenSSL for SSL Support. This can be verified if the protocol attribute is set to “org.apache.coyote.http11.Http11AprProtocol”.
2. Is the CONNECTOR on the server.xml configured with SSLEnabled = true?
SSL support for a particular instance is enabled for this Connector by setting the SSLEnabled attribute to "true".
3. Is the version of OpenSSL that you are using at 1.0.1f or earlier?
CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f inclusive.
The following versions are not affected and not vulnerable:
- OpenSSL 1.0.1g
- OpenSSL 1.0.0 branch
- OpenSSL 0.9.8 branch
To verify OpenSSL version, execute the command:
$ openssl version
If you answer ‘YES’ to all three (3) questions above, then your INSTANCE of tc server is vulnerable. We recommend for you to take the following steps to resolve:
1. Upgrade your OpenSSL to version OpenSSL 1.0.1g.
Since this would have come from an external source or compiled, please refer to their specific upgrade/compile instructions.
2. If you built the tc native wrapper libs with SSL option using static linking to the libs, then you will need to relink the wrapper to the 1.0.1g version of OpenSSL.
To determine whether or not shared dynamic SSL libraries are in use, execute the command:
$ ldd libtcnative.so
If absent, the static linkage was used.
3. Restart the tc server / tomcat instance.
- Pivotal tc server / tomcat INSTANCES using APR/native connectors with SSLEnabled=true and OpenSSL 1.0.1f or earlier (except for 0.9.x).
Many users terminate SSL on a load balancer (i.e. F5) or a web server. If you are using a Pivotal web server please refer to the following advisory.