While we have not found any signs that Sauce Labs or its users were negatively impacted by the Heartbleed vulnerability, we take security very seriously and are taking steps to remediate any exposures relating to it. This blog post is part of that effort.
We have determined that the Heartbleed vulnerability has no impact on the Sauce Labs web interface or REST API. However, Sauce Connect is affected by the vulnerability. Users of Sauce Connect should read more below.
Again, if you are not using Sauce Connect, this vulnerability had no impact on your Sauce Labs tests. For the Sauce Labs web interface and REST API we use an unaffected version of OpenSSL. This can be validated here:
IMPORTANT: For Customers Using Sauce Connect
For our customers who use Sauce Connect to test their applications behind their firewall, we have no specific evidence that data has been compromised. We have now updated our Sauce Connect servers so they are no longer vulnerable to new attacks enabled by the Heartbleed bug.
While the Sauce Connect servers were vulnerable, attackers may have gained access to customer test data traversing the Sauce Connect tunnel. If that has occurred, attackers may be able to similarly compromise future Sauce Connect 4.0 and 3.0 sessions. Again, we have no specific evidence that this has actually occurred.
As part of closing this potential vulnerability, we have updated our certificates for Sauce Connect in version 4.1 and released a version 3.1 with updated certificates for those customers who prefer to stay with the 3.x line for now.
Customers will need to:
- Upgrade to Sauce Connect 4.1 or 3.1 as soon as possible:
  - Sauce Connect 4.1
    - OS X: https://saucelabs.com/downloads/sc-4.1-osx.zip
    - Linux: https://saucelabs.com/downloads/sc-4.1-linux.tar.gz
    - Windows: https://saucelabs.com/downloads/sc-4.1-win32.zip
  - Sauce Connect 3.1 (cross-platform): https://saucelabs.com/downloads/Sauce-Connect-3.1-r32.zip
- Change all passwords that could potentially have been affected if an attacker did have access to test sites and commands.
We hope this email answers your questions about the impact of CVE-2014-0160 on your Sauce Labs applications. Feel free to reply to this email to reach our Customer Support team with follow-up questions.
Sincerely,
The Sauce Labs Team