Questionmark and Heartbleed
Posted by John Kleeman
You may have heard of “Heartbleed,” a bug in a program used by many sites on the Internet that could allow the theft of data normally protected by SSL/TLS encryption. This bug was disclosed to the public on April 7th – and here is Questionmark’s response to the bug.
Our internal Computer Emergency Response Team (CERT) immediately reviewed our servers and systems to identify any potential vulnerabilities. Fortunately, most Questionmark systems do not use OpenSSL (the encryption system that was subject to this vulnerability). The one affected system identified by our CERT team was promptly updated to address the issue and our customers were informed.
Here is some additional information for our customers and other users of Questionmark systems:
Questionmark’s cloud-based products and services:
- Our collaborative authoring system, Questionmark Live was not vulnerable to the bug.
Questionmark’s US OnDemand Service
- Questionmark’s US OnDemand Service was not vulnerable to the bug.
Questionmark’s European OnDemand Service
- One component of our European OnDemand Service was identified is subject to this vulnerability: the “load balancer” that provides the entry point to the European OnDemand Service. This system was promptly patched last week, its SSL certificate replaced and the previous certificate revoked; it is no longer vulnerable.
None of the other systems that comprise the European Questionmark OnDemand service were affected: the application and database servers, where customer data is stored, were never subject to this vulnerability. We have no indication that any customer data or passwords were compromised. However, out of caution and in recognition of the theoretical risk, we are advising our customers to log into the system and change passwords and keys. We have reached out by email to all customers affected and will be following up by telephone.
Questionmark products for on-premises deployment:
- Our behind the firewall product, Questionmark Perception does not include OpenSSL and so is not itself vulnerable to the bug. But Questionmark Perception can be installed under SSL/TLS. If it is and the offending program (OpenSSL) is used, then an organization might be vulnerable due to its use of OpenSSL outside Questionmark software. If you use Questionmark Perception under SSL/TLS (you can tell this because the URL will include https rather than http), you should check with your organization’s IT team.
If any Questionmark user or customer has questions, please raise them with your Questionmark account manager or with technical support. I hope that this rapid response and full transparency highlights our commitment to security.This also illustrates the value of an OnDemand service. Rather than having to rely on internal IT to catch up and patch vulnerable systems, you can delegate this to Questionmark as your service provider.
Questionmark takes security seriously. Our OnDemand customers benefit not only from our 24/7 monitoring of systems and platform uptime – but also from a team of experts ready to address potential security threats as they arise – and before they arise.
Watch this video for more about Questionmark’s commitment to security.