The Heartbleed bug and Exelis VIS products

The Heartbleed bug is a security flaw in the OpenSSL cryptographic library, which is used by many popular websites. This article explains whether the bug creates potential vulnerabilities in Exelis software products, and what actions our customers can take to reduce risk. We are pleased that the majority of our products are not vulnerable to the bug, and that negative effects on our customers will be minimal. See below for details.

The official reference to this bug is CVE-2014-0160.

  • IDL - No action is required by customers. IDL ships with a version of the OpenSSL library that is vulnerable to Heartbleed. However, due to the nature and intent of the functionality, the library is not used in a manner that could be exploited.
  • ENVI - No action is required by customers. Since ENVI includes IDL, it also ships with a version of the OpenSSL library with the Heartbleed bug, but it is not used in a manner that can be exploited as explained above.
  • ENVI Services Engine - The vulnerability of the ENVI Services Engine (ESE) is determined by the security of the operating system on which it is installed. We use the SSL capability at run time, so the security of the underlying OS (in particular the SSL library) determines whether ESE is vulnerable. Customers should therefore confirm that the operating system is patched, secure and up to date (particularly the SSL library).
  • Exelis VIS Website (login credentials, eCommerce, etc.) - Not compromised by this issue and therefore no action is required by customers.
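
For the ENVI Services Engine item above, one way to confirm the state of the operating system's OpenSSL library is sketched below. This is an added example, not Exelis code: the function name heartbleed_status is hypothetical, the sample input is constructed, and the affected range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) comes from the upstream OpenSSL advisory for CVE-2014-0160 rather than from this article.

```shell
#!/bin/sh
# Added example (not Exelis code): classify `openssl version -a` output
# against the upstream release range affected by CVE-2014-0160.
# Upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected;
# 1.0.1g carries the fix.

heartbleed_status() {
    # $1 = full text printed by `openssl version -a`
    hb_info=$1
    # The first line looks like: "OpenSSL 1.0.1e 11 Feb 2013"
    hb_ver=$(printf '%s\n' "$hb_info" | awk 'NR==1 && $1=="OpenSSL" {print $2}')
    if [ -z "$hb_ver" ]; then
        echo "unknown"
        return 0
    fi
    # A build with heartbeats compiled out shows this flag on the "compiler:" line.
    case $hb_info in
        *-DOPENSSL_NO_HEARTBEATS*) echo "heartbeat-disabled"; return 0 ;;
    esac
    hb_ver=${hb_ver%-fips}   # some vendor builds report e.g. "1.0.1e-fips"
    case $hb_ver in
        1.0.1|1.0.1[abcdef]|1.0.2-beta1) echo "affected-range" ;;
        *) echo "not-affected" ;;
    esac
}

# Constructed sample input, for illustration only.
SAMPLE='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 12:00:00 UTC 2013
platform: linux-x86_64'
echo "sample: $(heartbleed_status "$SAMPLE")"

# Check the library the local openssl binary reports, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    local_info=$(openssl version -a 2>/dev/null || true)
    echo "local:  $(heartbleed_status "$local_info")"
    # Vendors often backport the fix without changing the version string,
    # so show the build date for comparison with the vendor's advisory.
    printf '%s\n' "$local_info" | grep '^built on:' || true
fi
```

An "affected-range" result means only that the reported version string falls in the upstream affected range; the operating system vendor's advisory for the installed package is the authority on whether the fix was backported. Services that loaded the library before it was updated keep using the old copy until they are restarted.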
reviewed 4/21/14 KM & KK