We came across this article from IBM addressing the issue regarding RC4 vulnerability in SSL/TLS protocol:
The page has instructions on how to disable the weak RC4 ciphers for the IBM i. We recommend checking out the article in order to make sure your Clover, Nexus, Presto and WebSmart ILE/PHP Apache servers with SSL enabled are secured.
We’re happy to report that the OpenSSL Heartbleed vulnerability, also known as CVE-2014-0160, does not affect any BCD products. Here are the specific details about each product:
- WebSmart ILE, Clover, Presto and Nexus use the IBM i HTTP Server, which is not affected by the Heartbleed bug, as reported by IBM.
- WebSmart/Clover SSL client (initssl(), posturl(), and other SSL functions) uses GSKit, which isn’t affected.
- Zend Server and WebSmart PHP, e.g. openSSL functions, are not affected. Zend Server uses the IBM 5733SC1 component, which uses OpenSSL version 0.9.8. This version is not vulnerable.
You can verify your OpenSSL version by logging into a green screen session and entering:
- STRQSH [enter]
- openssl version [enter]
You can also check your OpenSSL version via PHP script. Run the following script and you’ll see the version under the SSL Version section: <?php phpinfo(); ?>
Our customer portal, myBCDsoftware.com, uses Nexus and the IBM i HTTP Server, and therefore wasn’t affected. If you use the same user id/password on other sites that might be affected by the bug, we recommend that you consider changing your myBCD password.
We also recommend looking into the Heartbleed bug further and how it might impact other areas of your network, including VPN. IT Jungle’s Heartbleed Post-Mortem article is a good place to start and recommends changing your IBM i passwords for powerful users and administrators.
If you have any questions, please get in touch with Technical Support.