(Updated April 15 to include recommendation to update shared credentials)
While the OpenSSL Heartbleed bug continues to feed a patching frenzy across the Internet, those using PingFederate, PingOne and/or PingAccess can rest easy.
None of our platforms is vulnerable to the bug, and no updates or patches to Ping software are required. However, customers that share certificates or other credentials across applications and platforms, including PingFederate, should exercise due diligence on their non-Ping platforms: if a system that used those credentials ran a vulnerable OpenSSL, the credentials may have been exposed even though PingFederate itself was not. Ping recommends rotating any credential that was at risk. That includes private keys, passwords, shared secrets, and any other credential on the affected application that is used to authenticate to PingFederate, or that is otherwise shared with a PingFederate configuration.
Ping's Security Engineering confirms that PingFederate does not use the affected OpenSSL library. For the sake of transparency, customers should note that we do distribute and use OpenSSL with our Apache Integration Kit for Windows, but the package we ship does not contain the vulnerable heartbeat code, we do not use it to serve HTTPS, and the affected functionality is not exposed.
In addition, our Apache Integration Kit for Linux depends on the operating system's OpenSSL library; we do not distribute that library, we only link against it, and we do not use it in a way that exposes the vulnerable code. Patching the OS library is therefore the responsibility of the OS vendor and the customer, not a PingFederate update. PingFederate may still be exposed indirectly when its configuration incorporates certificates created or used by another application or platform that was compromised, e.g. a shared certificate. In that case, follow the rotation recommendations above.
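Because the Linux kit uses whatever OpenSSL the OS provides, the practical check is on the OS library, not on Ping software. The following is an added example, not code from Ping or from this post: a POSIX shell helper that classifies an `openssl version` string by the upstream Heartbleed-affected range (1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and 1.0.2-beta2 fixed it; 0.9.8 and 1.0.0 never carried the heartbeat extension). The sample version strings at the bottom are constructed for illustration. One caveat a practitioner must keep in mind: Debian/Ubuntu and RHEL/CentOS backported the fix without changing the upstream version string, so an "affected" verdict from a version string means "check the package changelog or run a live test", not "confirmed vulnerable".

```shell
#!/bin/sh
# Heuristic Heartbleed triage for the OpenSSL an Apache module links against.
# Verdict is printed on stdout; the function always returns 0 so it is safe under set -e.
#   affected   - upstream version in the Heartbleed range (1.0.1..1.0.1f, 1.0.2-beta1)
#   fixed      - 1.0.1g+, 1.0.2-beta2+ or any later branch
#   unaffected - 0.9.8 / 1.0.0 branches, which have no heartbeat extension
#   unknown    - string did not look like `openssl version` output
heartbleed_version_status() {
    # $1 is a string as printed by `openssl version`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown"
        return 0
    fi
    case "$ver" in
        # Exact 1.0.1, 1.0.1a..1.0.1f (with optional distro suffix such as -fips), and 1.0.2-beta1
        1.0.1|1.0.1-*|1.0.1[a-f]*|1.0.2-beta1)
            echo "affected" ;;
        # 1.0.1g and later letters, 1.0.2 betas 2+ and releases, 1.1.x, 3.x
        1.0.1[g-z]*|1.0.2*|1.1*|3.*)
            echo "fixed" ;;
        # Older branches never shipped the TLS heartbeat extension
        0.9.*|1.0.0*)
            echo "unaffected" ;;
        *)
            echo "unknown" ;;
    esac
    return 0
}

# Report which libssl a given shared object (for example an Apache module) resolves to.
# This only works on a host with ldd; it is informational and not asserted anywhere.
linked_libssl() {
    # $1 is a path to an .so file (hypothetical path; adjust to your installation)
    if command -v ldd >/dev/null 2>&1 && [ -f "$1" ]; then
        ldd "$1" 2>/dev/null | grep -i 'libssl' || echo "no libssl linked (or static)"
    else
        echo "ldd or file not available"
    fi
}

# Stand-alone run: classify the host's own OpenSSL if present, then the constructed samples.
if command -v openssl >/dev/null 2>&1; then
    echo "host:  $(openssl version) -> $(heartbleed_version_status "$(openssl version)")"
fi
for sample in "OpenSSL 1.0.1e-fips 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.2-beta1 24 Feb 2014" \
              "OpenSSL 0.9.8y 5 Feb 2013"; do
    echo "$sample -> $(heartbleed_version_status "$sample")"
done
```

Note that the upstream version on RHEL 6 at the time stayed at 1.0.1e even after the patched package (which carried the fix in the RPM release number) was installed, so on such systems the `rpm -q --changelog openssl` or `dpkg -s libssl1.0.0` output is the authoritative source, and the helper above is only a first pass for a fleet-wide inventory.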
In addition, Beau Christensen, Ping's director of infrastructure operations, confirmed that Ping Identity's cloud services, notably PingOne, are not affected by the Heartbleed vulnerabilities. He said that as a precautionary measure, "we are forcing credential updates across all systems, and are rotating public certificates and keys." His full report is available here.
Also, the engineering team for PingAccess, our mobile, Web and API access management platform, confirmed it was not affected by the bug.
Brian Whitney, Beau Christensen, Paul Marshall, Stephen Edmonds, Andrew King, Bill Jung, Yang Yu and John Fontana contributed to this blog.