Blog Post

Heartbleed Bug and Couchbase Server

Don Pinto of Couchbase Published

Security should be at the heart of any enterprise product and we take security of our products seriously. Recently, a serious vulnerability (a.k.a Heartbleed) was discovered in the OpenSSL library and because Couchbase Server has some cryptographic components, we wanted you to be aware of the risk posed by the vulnerability and why Couchbase is NOT affected.  

What is this bug all about?

The heartbleed bug is within the heartbeat extension of OpenSSL (RFC6520).

Vunerability assessment for Couchbase Server

Couchbase’s cluster manager is written in Erlang. In the cluster manager, OpenSSL is not used for the TLS/SSL handshake logic. Instead, the TLS/SSL logic is implemented in Erlang (Source).

Because Couchbase Server does not utilize the functionality of OpenSSL that is vulnerable, it is NOT affected by this bug. No versions of Couchbase (up to and including the most recent  2.5.1 release) are affected.

Securing the stack

Although Couchbase is protected from the heartbleed bug, you might also want to think about other services running as part of your app stack -

Typically, OpenSSL implementations are present on third-party proxy servers like Apache, nginx, and HAProxy. If your Couchbase Server is behind such a server that uses OpenSSL 1.0.1 - 1.0.1f, you should patch up your proxy servers and restart these services. You might also consider refreshing the SSL certificates of your frontend servers.

If you are running Couchbase on Amazon EC2, you might want to check out the latest Amazon security bulletin here.

Need more information about the heartbleed bug?

  1. Original security advisory from OpenSSL- https://www.openssl.org/news/secadv_20140407.txt

  2. Some questions asked by users in the Erlang community -
    http://erlang.org/pipermail/erlang-questions/2014-April/078538.html
    http://erlang.org/pipermail/erlang-questions/2014-April/078537.html

Thank you for your continued support, and stay safe!