Q: Is Eclipse affected by Heartbleed?
A. The short answer is no.
Q: What Eclipse products use SSL?
A. Eclipse uses SSL in its application server, JBoss, and its external web server, IIS.
Q: Is the JBoss application server used by Eclipse affected by Heartbleed?
A: No. JBoss is a Java application, and it uses Java’s own SSL implementation. For more details, see this statement by the lead security architect for JBoss: http://anil-identity.blogspot.com/2014/04/jbosswildflyas-openssl-heartbleed.html
Q: Is the IIS web server used by Eclipse affected by Heartbleed?
A: No. IIS uses Microsoft’s own SSL implementation. For more details, see Microsoft’s official statement: http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
Q: Have you tested the Eclipse software to make sure that it’s not vulnerable?
A: Yes, we have tested both JBoss (Solar, Job Management) and IIS (Web Order Entry) using the open-source heartbleeder tool, and all of the Eclipse software passed the tests.
Q: How can I test my own servers for the vulnerability?
A: The easiest way to test an external, Internet-accessible web server is through a website like this one. If you need to test an internal server, you can download the heartbleeder tool, which is a simple, command-line utility that runs on multiple platforms.
Q: I know it doesn’t run on my Eclipse server, but is the Element credit card payment processing service vulnerable?
A: As far as we can tell, no, but we have yet to receive an official statement from Element. We have tested all of the web services used by Eclipse for Element payment processing (https://certtransaction.elementexpress.com, https://certreporting.elementexpress.com, https://certservices.elementexpress.com), and none of them are vulnerable.
Q: I run Red Hat Enterprise Linux, and OpenSSL is installed by default. Is my server affected?
A: Maybe. If you are running Red Hat Enterprise Linux 6.5 or above, you may be running an affected version of the openssl software. RHEL versions 6.4 an below, and all version of RHEL 5 are not affected. If you are running RHEL 6.5 or above, we recommend that you run “yum update openssl” and rebooting your server as soon as possible to install the patched version of openssl. For more information, see this article from Red Hat: https://access.redhat.com/site/solutions/781793
Q: How do you recommend that I keep my servers secure in the future?
A: Please review our list of best practices, which includes the recommendation to update your server’s software and firmware on a regular basis.
Q: You didn’t answer all of my questions!
A: Please feel free to leave a public comment below, or open a support request with our systems team.