Heartbleed Bug (CVE-2014-0160) and Qt

Published Thursday April 10th, 2014 | by

Although Qt itself is not affected by the Heartbleed Bug (CVE-2014-0160) found in OpenSSL, it does affect users of Qt whose applications use OpenSSL, so I wanted to write a short summary about the topic.

As defined at http://heartbleed.com:

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

Qt itself does not include OpenSSL, but when OpenSSL is installed on the system, Qt applications can use it (by default Qt loads the OpenSSL libraries at run time rather than linking against them). So if your Qt application uses OpenSSL functionality, for example QSslSocket directly or QNetworkAccessManager over https, it is exactly as vulnerable as the OpenSSL build it actually loads. OpenSSL 1.0.1 through 1.0.1f are vulnerable; 1.0.1g contains the fix. Versions older than 1.0.1 (the 0.9.8 and 1.0.0 branches) do not contain the TLS heartbeat code and are not subject to this vulnerability, but updating them to 1.0.1g is recommended anyway. All users of vulnerable OpenSSL versions should migrate to OpenSSL 1.0.1g, or, if upgrading is not immediately possible, recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. Note that a system update does not reach a copy of OpenSSL that your application ships itself (for example the libeay32.dll and ssleay32.dll pair deployed next to a Windows application); those have to be redeployed with the fixed libraries. Updating the library alone is also not the whole story: any private keys, session data or passwords that were in the memory of a vulnerable process may already have been read, which is why certificates and keys on affected servers need to be replaced as well.

The servers of the Qt Project and Digia have all been updated and are no longer affected by the vulnerability. Those servers that may have been affected have been thoroughly checked, and their certificates will be changed. All Qt Cloud Services have also been updated to the latest OpenSSL. Like all Qt users leveraging OpenSSL, users of the Qt Cloud Services client library should check that the OpenSSL their applications load at run time is a fixed version. We will send dedicated email communications to users of Qt Cloud Services about this.
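The two paragraphs above ask application developers to check which OpenSSL their program actually uses. As an added example (not code from this post, from Qt or from OpenSSL), the plain C++ below turns an OpenSSL version string into OpenSSL's own 0xMNNFFPPS version number and classifies it against the affected range. It deliberately has no Qt dependency so it compiles anywhere; in a Qt 5 application the string would come from QSslSocket::sslLibraryVersionString() (or the number directly from QSslSocket::sslLibraryVersionNumber()), both available since Qt 5.0, and that wiring is an assumption of this example. The sample strings are constructed for illustration. Two caveats a practitioner should keep in mind: distributions that backport the fix keep the upstream version string (a patched 1.0.1e package still reports "1.0.1e"), so a "vulnerable" verdict on a distro package should be confirmed against the vendor's advisory, and no version check can tell whether a library was built with -DOPENSSL_NO_HEARTBEATS.

```cpp
// Added example, not from the Qt blog post or the Qt code base: classify the
// OpenSSL version a process uses as Heartbleed-affected or not.
#include <cstdio>
#include <cstring>
#include <string>

// OpenSSL encodes its version as 0xMNNFFPPS (the OPENSSL_VERSION_NUMBER macro,
// also returned by SSLeay()): M major, NN minor, FF fix, PP patch letter
// (a = 1, b = 2, ...), S status (0 = dev, 1..e = beta N, f = release).
unsigned long opensslVersionNumber(unsigned major, unsigned minor, unsigned fix,
                                   unsigned patch, unsigned status) {
    return (static_cast<unsigned long>(major & 0xf) << 28) |
           (static_cast<unsigned long>(minor & 0xff) << 20) |
           (static_cast<unsigned long>(fix & 0xff) << 12) |
           (static_cast<unsigned long>(patch & 0xff) << 4) |
           (status & 0xf);
}

// Parse the human-readable form ("OpenSSL 1.0.1e 11 Feb 2013",
// "OpenSSL 1.0.2-beta1 24 Feb 2014") into the numeric form above.
// Returns false if the text does not look like an OpenSSL version string,
// which in a Qt application also covers "no SSL support loaded at all".
bool parseOpensslVersionString(const std::string& text, unsigned long* out) {
    const char* p = text.c_str();
    if (std::strncmp(p, "OpenSSL ", 8) == 0) p += 8;

    unsigned major = 0, minor = 0, fix = 0;
    int consumed = 0;
    if (std::sscanf(p, "%u.%u.%u%n", &major, &minor, &fix, &consumed) != 3)
        return false;
    p += consumed;

    unsigned patch = 0, status = 0xf;            // plain release unless told otherwise
    if (*p >= 'a' && *p <= 'z') {                // patch letter, e.g. the "e" in 1.0.1e
        patch = static_cast<unsigned>(*p - 'a' + 1);
        ++p;
    }
    if (std::strncmp(p, "-beta", 5) == 0) {      // pre-release, e.g. 1.0.2-beta1
        unsigned beta = 0;
        if (std::sscanf(p + 5, "%u", &beta) != 1 || beta == 0 || beta > 0xe)
            return false;
        status = beta;
    } else if (std::strncmp(p, "-dev", 4) == 0) {
        status = 0;
    }
    *out = opensslVersionNumber(major, minor, fix, patch, status);
    return true;
}

// CVE-2014-0160 affected OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
// 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never had the TLS
// heartbeat code. Caveat: a distribution package that backports the fix keeps
// the upstream version string, so this is a first screen, not a proof.
bool isHeartbleedVulnerableVersion(unsigned long v) {
    const unsigned long v101   = opensslVersionNumber(1, 0, 1, 0, 0xf); // 1.0.1
    const unsigned long v101g  = opensslVersionNumber(1, 0, 1, 7, 0xf); // 1.0.1g
    const unsigned long v102b1 = opensslVersionNumber(1, 0, 2, 0, 1);   // 1.0.2-beta1
    if (v >= v101 && v < v101g) return true;
    return v == v102b1;
}

// The verdict a startup self-check would log or act on. "unknown" means the
// string could not be parsed (not OpenSSL, or no SSL backend loaded).
std::string heartbleedVerdict(const std::string& versionString) {
    unsigned long v = 0;
    if (!parseOpensslVersionString(versionString, &v)) return "unknown";
    return isHeartbleedVulnerableVersion(v) ? "vulnerable" : "not vulnerable";
}

int main() {
    // Constructed sample strings. In a Qt 5 application you would pass
    // QSslSocket::sslLibraryVersionString() here instead (an assumption about
    // the wiring, not code from Qt).
    const char* samples[] = {
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "GnuTLS 3.2.12",
    };
    for (const char* s : samples)
        std::printf("%-34s -> %s\n", s, heartbleedVerdict(s).c_str());
    return 0;
}
```

A reasonable place for such a check is application start-up, before the first TLS connection is made, logging the verdict together with the full version string so that support can compare it against the vendor advisory when the library is a distribution package with a backported fix.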

We have also notified users of Qt Enterprise Embedded about the vulnerability, with instructions for mitigating it. The next release of the Qt Enterprise Embedded reference stack will contain the fixed version of OpenSSL.

If you have any questions, please do not hesitate to contact Qt Enterprise support via your Qt Account, or the Qt Project security mailing list.


Posted in Security

3 comments to Heartbleed Bug (CVE-2014-0160) and Qt

Ian says:

The real question for Heartbleed and Qt is: what about support for CRLs? Or revoked certs of any kind… looking at QSslConfiguration and QSslSocket it’s not obvious how to revoke even a single cert (though please prove me wrong! :p)

It’s possible some miscreant out there has a huge database of compromised private keys. That’s why you changed the certificate for Qt stuff, to ensure that future communication remains secure.

But SSL isn’t just for encrypting communication, it’s also to ensure you are talking to the person you think you are talking to. How do we protect our users when there are potentially thousands of leaked private keys?

Richard Moore says:

Ian, I’ve got a large part of OCSP implemented in this branch https://qt.gitorious.org/qt/richs-qtbase/commits/f69a5ccbe0038cc2e3988663da42dc65b1485d30 feel free to help me finish it. :-)

Tuukka Turunen says:

Update on 11th April:

We have now gone through in detail all of our around 30 Qt-related services that use SSL/TLS functionality. It is always good practice to regularly change your passwords, but there is no need to do so on the Qt servers because of the Heartbleed Bug. For example, Qt Account, Bugreports, qt.digia.com, qt-project.org and Codereview were never vulnerable to the Heartbleed Bug. We will revoke and change certificates as a security precaution. Some of these are already done and some are in progress.

There is also a minor risk of vulnerability via the Qt Enterprise and Qt Mobile online installers, which use https communications. Unfortunately some of the Qt online installers and the distribution servers used for open-source downloads are affected by the Heartbleed Bug vulnerability. We are in the process of updating the installer framework and creating new installers, which are estimated to be available during next week.