Heartbleed Bug and Acronis Software

Heartbleed bug and Acronis Software

This article applies to:

Acronis Software
Heartbleed bug discovered in the open-source cryptography library OpenSSL

Acronis Products not affected by the Heartbleed bug

Acronis Backup 11.5 (Acronis Backup & Recovery 11.5) uses OpenSSL toolkit v.1.0.0d, which is not vulnerable.
Acronis True Image 2014 uses OpenSSL toolkit v.1.0.0c, which is not vulnerable.
Acronis Snap Deploy uses OpenSSL toolkit v.1.0.0d, which is not vulnerable.
Acronis Cloud Storage uses uses OpenSSL toolkit v.1.0.1g, which is not vulnerable.
MassTransit uses OpenSSL 0.9.8q, which is not affected by the exploit.
ExtremeZ-IP does not use any OpenSSL code related to SSL certificates.
Other Acronis products do not use any OpenSSL code and are unaffected by the vulnerability.

Affected products

Acronis Access – 6.0.0 and 6.0.1 versions
mobilEcho – 5.0.X and 5.1.X versions
activEcho – 2.X and 3.X versions

Solution: Acronis has released Acronis Access 6.0.2 which includes a fix for the Heartbleed security bug. All later versions will also have the fix included.

Read the section if you are using an affected version of Acronis Access, or the predecessor products mobilEcho / activEcho

Impact

The Heartbleed vulnerability affected the Apache Tomcat component included in the following Acronis products:

Acronis Access 6.0 and 6.0.1
activEcho 2.0 through 5.1.3
mobilEcho 5.0 through 5.1.3

Note that the Apache Tomcat component only relates to the web site and desktop sync functionality of the above products. The Access Gateway Server, which handles connections from mobile devices, uses the built-in Windows HTTPS server capability and was not affected. If you only have the Gateway Server exposed to the Internet your risk is lower, but we still recommend upgrading or patching the Tomcat component even if it's only accessible on your internal network.

Solution

Option 1: Upgrade to Acronis Access 6.0.2 or later, available from http://www.grouplogic.com/web/aalatest

Option 2: Drop in the patch for earlier affected versions:

Download a 32-bit or 64-bit version of the Acronis patch that fixes the exploit:

Open the Services control panel and stop the Tomcat service (typically named: Acronis Access Tomcat)
Determine whether you are running the 32-bit or 64-bit version of Tomcat and navigate to the appropriate folder (Most users will need 64-bit):
If you have a 64-bit version of Windows OS, the default location is usually located in:
- C:\Program Files (x86)\Group Logic\Common\apache-tomcat-7.0.42\bin
- C:\Program Files (x86)\Acronis\Access\Common\apache-tomcat-7.0.42\bin
Note: In order to keep all the Acronis Access files together, the 64-bit version of Tomcat is installed in Program Files (x86) even though that installation directory is typically where the 32-bit applications are installled.

If you have a 32-bit version of Windows OS, the default location is usually located in:
- C:\Program Files\Group Logic\Common\apache-tomcat-7.0.42\bin
- C:\Program Files\Acronis\Access\Common\apache-tomcat-7.0.42\bin
Download the Acronis patch that fixes the exploit:

For 32-bit versions of Windows OS: tcnative_x32.zip

For 64-bit versions of Windows OS: tcnative_x64.zip

4. Move the old tcnative-1.dll file our of the bin directory

6. Copy the downloaded tcnative-1.dll file into the Tomcat bin directory

7. Start the Acronis Access Tomcat service

8. Test your site: http://filippo.io/Heartbleed/

For general information on the Heartbleed issue, see http://heartbleed.com/

Knowledge Base

47016: Heartbleed Bug and Acronis Software

use Google Translate

Applies to:

Tags: