HotDocs Is Not Directly Affected by Heartbleed

HeartBleed is the name given to a bug/vulnerability discovered recently in OpenSSL’s implementation of the HTTPS/TLS protocol. It allows remote attackers to obtain potentially sensitive information (up to 64KB at a time) using specially crafted packets that trigger a “buffer over-read”. It can potentially expose passwords, usernames, private keys, and other sensitive information.

HotDocs is not affected directly, since

1) No HotDocs Software relies directly on OpenSSL libraries or code.

2) HotDocs Serveris always deployed on Windows-based servers, where OpenSSL is not present by default.

3) HotDocs Serveris typically deployed in combination with the IIS web server, which does not (by default) rely on OpenSSL.

4) HotDocs Serveris often deployed behind firewalls, where HeartBleed attacks are not likely to be as prevalent anyway.

5) HotDocs Cloud Servicesis public-facing, but again has no reliance on OpenSSL and is thereforenot vulnerableto the HeartBleed bug.

The only potential vulnerability we’re aware of would beIFsomeone deployedHotDocs Serveron a public-facing Windows server (i.e. a server not otherwise protected from public attack behind a firewall) that was running a web server besides IIS (such as Apache), configured to use HTTPS via Windows-based OpenSSL. In this case, it is the web server software on that machine that (so long as it remains unpatched) may be vulnerable to the HeartBleed bug; in this case, it would be possible for HotDocs-related data (answer collections, etc.) to be among the data that is exposed to a potential attacker.

In summary, we do not believe that the HeartBleed vulnerability affects HotDocs directly, and it is unlikely to impact our customers’ use of HotDocs except as in the relatively uncommon situation outlined above.