Production Expert

Some Avid Products Vulnerable To Heartbleed Bug

In an Avid Knowledgebase article posted May 1st 2015, Avid is advising customers that some of its products are affected by the Heartbleed bug.

In the article Avid states:

“Avid is actively responding to a vulnerability in the OpenSSL cryptographic library, commonly known as ‘Heartbleed’ (CVE-2014-0160). This FAQ describes how Heartbleed affects Avid customers and the actions we’re taking to protect our customers’ products and data.”

Avid Products Affected By The Heartbleed Bug

They go on to outline which products have vulnerabilities:

“Q: What Avid products are affected?
A: Avid continuously monitors its products for security vulnerabilities. Avid currently has identified the following impact:
  • Pro Tools 11.1.2 and 10.3.8 - Login credentials used with SoundCloud and Gobbler from within the Pro Tools application are vulnerable (note that license activation using iLok License Manager or activating within Pro Tools 11 is not affected).  This will be addressed in future updates.  Pro Tools users will be notified of available updates automatically via the SoftwareUpdater and the Pro Tools Patch Updates page (go to that page and click Subscribe to be notified when that page is updated). UPDATE 5/1/2014: Pro Tools 10.3.9 and 11.1.3 have been released to address this.
  • ISIS Management Console - Login credentials used to access ISIS administration utility are affected.  The ISIS administration utility is generally not accessible outside of a customer firewall, thus the exposure to the Heartbleed bug is minimal for most users.  This vulnerability will be addressed in a future update.  Please check this page for further updates.
  • iNEWS - Login credentials to iNEWS server and client applications are affected.  All users should update the RedHat 6.5 OS version with the hotfix available here.  Please contact Avid’s Customer Success team if assistance is needed to perform this update.”

Avid Web Services Affected By The Heartbleed Bug

Most Avid web services remained unharmed, except for https://transfer.avid.com.

A fully documented response by Avid to the Heartbleed Bug can be found here.