Phoenix Software’s Response to Customer Concerns Regarding the Heartbleed Bug
Phoenix Software International is aware of the issues associated with the “Heartbleed Bug” (CVE-2014-0160) and has investigated our exposure to this issue. We have determined that our public server uses OpenSSL version 1.0.0, which is known to have no exposure to this exploit. This server is the only public-facing system that customers have access to. Phoenix Software’s office connection to the Internet is through Cisco ASA firewall/VPN devices, which Cisco has certified as being free from this exposure.
Any customer data provided to Phoenix is stored in a secure manner either on Microsoft Windows-based systems, Red Hat Enterprise Linux systems or IBM mainframe-based systems. Windows, IBM z/OS, and IBM z/VM are not vulnerable to “Heartbleed” as these systems do not use OpenSSL. Our internal RHEL systems have been checked and also found to be using OpenSSL version 1.0.0.
Based on these observations, it is Phoenix Software International’s considered opinion that we have no systems through which customer data might transit, or on which it might be stored, that are vulnerable to the Heartbleed Bug. We continue to monitor this issue and will provide additional information as appropriate.