TIBCO Mashery API Developer Blog

Heartbleed Exploit Security Update

As you are probably aware, OpenSSL released a security advisory yesterday, April 7th, regarding a serious vulnerability nicknamed “Heartbleed”, which impacted a large number of Internet applications and services. The vulnerability allowed an attacker to steal private certificate keys or even gain access to data in memory of a vulnerable SSL server. Mashery, along with its service providers, has addressed this vulnerability and believes it has been resolved.

Prior to resolution, some Mashery customers may have been affected by this vulnerability, though no log information associated with this exploit exists that would allow Mashery to determine whether any systems were compromised. The only customers exposed to the vulnerability were those on the Mashery Enterprise network utilizing SSL certs to enforce secure communication between their consumers and Mashery SaaS systems. API traffic for customers on Mashery's Premium Network and API traffic managed via Mashery Local were not exposed to the threat.

Mashery’s Enterprise network utilizes Amazon Web Services, which incorporates Elastic Load Balancers (ELBs) in traffic management. Amazon has issued statements today describing the vulnerabilities in ELBs and in other Amazon offerings, along with resolution information. According to their release, all AWS regions utilizing ELBs have been patched. Mashery is continuing to monitor for additional information released by Amazon and for additional, related threats.

If you are using Mashery’s Enterprise SaaS edition with SSL transport on API traffic (SSL on the Mashery developer portal is not in scope for this vulnerability), we recommend that you replace your SSL certificate. To begin this process, please open a support ticket with Mashery via the self-service portal (mashery.com/selfservice) or by emailing support@mashery.com, and our support group will walk you through the process.

We at Mashery continue to take security very seriously and are taking all measures possible to address this. Mashery continues to evaluate this vulnerability to determine if any additional systems were at risk during the vulnerability period. Mashery will provide any updates as they become available. Thank you for your patience on this issue. As always, please feel free to reach out to us if you have any additional questions or concerns.