Globalscape® is well aware of the recently announced OpenSSL vulnerability nicknamed “Heartbleed.”
Given the severity of this vulnerability, and the high levels of anxiety caused by the breadth of coverage on this issue, Globalscape has communicated to all customers that the Enhanced File Transfer (EFT) platform is safe, and that workarounds are available to protect Mail Express™.
Globalscape software engineering experts have verified that no version of EFT is vulnerable to the Heartbleed exploit. All versions of EFT Enterprise and EFT Standard (including deployments using DMZ Gateway) are safe from this exploit because the version of the OpenSSL library that EFT uses does not include the TLS Heartbeat functionality and is therefore not vulnerable to this attack.
Mail Express v3.3 and later use two secure communication implementations, OpenSSL and JSSE, depending on the communication path being used. The OpenSSL implementation in Mail Express uses v1.0.1c, which has been identified as a vulnerable version. Work is in progress to update the OpenSSL library and eliminate this vulnerability. Until a patch is released, Globalscape recommends using one of the workarounds described in the Knowledgebase article at http://go.globalscape.com/e/21292/KnowledgebaseArticle11166-aspx/7rgxw/82299458 to remediate the issue.
If you use Globalscape DMZ Gateway® in conjunction with Mail Express, Mail Express will not be affected. Mail Express uses a different SSL library for its communication with DMZ Gateway and therefore is not susceptible to this vulnerability.
For more information, refer to the following resources, or contact Globalscape Customer Support at 1-210-366-3993.