Security should be at the heart of any enterprise product, and we take the security of our products seriously. A serious vulnerability in the OpenSSL library, known as Heartbleed, was recently disclosed. Because Couchbase Server has cryptographic components, we want you to understand the risk the vulnerability poses and why Couchbase Server is NOT affected.

What is this bug all about?

Heartbleed (CVE-2014-0160) is a bug in OpenSSL's implementation of the TLS heartbeat extension (RFC 6520). A missing bounds check on the payload length of an incoming heartbeat message lets a remote peer read up to 64 KB of the process's memory per request, without authentication and without leaving a trace in application logs. Leaked memory can contain the server's private key, session cookies, passwords and other data handled by the process. OpenSSL 1.0.1 through 1.0.1f are affected; 1.0.1g fixes the bug.

Vulnerability assessment for Couchbase Server

Couchbase's cluster manager is written in Erlang. In the cluster manager, OpenSSL is not used for the TLS/SSL handshake logic. The TLS/SSL record and handshake layers, including extension handling, are implemented in Erlang itself (the Erlang/OTP ssl application), and OpenSSL is called only for low-level cryptographic primitives such as ciphers and hashes.

Because Couchbase Server never executes the vulnerable part of OpenSSL (the TLS heartbeat handling in libssl), it is NOT affected by this bug. No version of Couchbase Server, up to and including the current 2.5.1 release, is affected. Note that an OpenSSL library may still be present on a Couchbase node for the cryptographic primitives, so a scanner that only inspects library files and version strings can report a node as vulnerable even though the vulnerable code path is never reached.

Securing the stack

Although Couchbase Server is not exposed to Heartbleed, you should also consider the other services that make up your application stack.

TLS is typically terminated by third-party reverse proxies and load balancers such as Apache httpd, nginx and HAProxy, which link against OpenSSL. If Couchbase Server sits behind such a server running OpenSSL 1.0.1 through 1.0.1f, upgrade to 1.0.1g (or your distribution's patched package) and restart the affected services so that the new library is actually loaded; a running process keeps using the old code until it restarts. Distribution packages that backport the fix often keep the old version string (for example 1.0.1e), so check the package changelog or build date rather than the version number alone. Because the bug can leak the server's private key, refreshing the certificates on your front-end servers means generating a new key pair and reissuing the certificate for it, not just renewing the certificate on the old key; revoke the old certificates, and consider invalidating sessions and credentials that passed through the vulnerable endpoint.

If you run Couchbase Server on Amazon EC2, also review the Amazon Web Services security bulletin on Heartbleed for the status of the AWS services (such as load balancers) in front of your instances.

Need more information about the heartbleed bug?

  1. OpenSSL's original security advisory: https://www.openssl.org/news/secadv_20140407.txt

  2. Discussion of the bug and Erlang's ssl implementation on the erlang-questions mailing list:
    http://erlang.org/pipermail/erlang-questions/2014-April/078538.html
    http://erlang.org/pipermail/erlang-questions/2014-April/078537.html

Thank you for your continued support, and stay safe!


Posted by Don Pinto

Don Pinto is a Principal Product Manager at Couchbase and is currently focused on advancing the capabilities of Couchbase Server. He is extremely passionate about data technology, and in the past has authored several articles on Couchbase Server, including technical blogs and white papers. Prior to joining Couchbase, Don spent several years at IBM as a software developer in the DB2 information management group and, most recently, as a program manager on the SQL Server team at Microsoft. Don holds a master's degree in computer science and a bachelor's in computer engineering from the University of Toronto, Canada.

2 Comments

  1. On Microsoft Windows operating system, certain tools scanning for the vulnerable libraries may identify Couchbase Server versions as vulnerable to the heartbleed issue. Because Couchbase Server does not utilize the functionality of OpenSSL that is vulnerable, it is NOT affected by this bug.
