Heartbleed : No Effect on NovaTech Automation Products

PUBLISHED ON Apr 23, 2014

Heartbleed is a security bug in an OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This recent and much publicized vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension.

NovaTech Automation OrionLX, OrionLXm, Orion5rL, Distributed Digital and Combination I/O (DDIO and DCIO) have never used a version of OpenSSL that is open to this vulnerability (CVE-2014-0160).  NovaTech Automation Orion5r and Orion5 products are not open to this vulnerability since they do not utilize OpenSSL.

Bitronics Meters and Event Recorders don’t use TLS or SSL protocols so vulnerabilities specific to the OpenSSL implementation don’t apply.

The D/3 system software (including FlexBatch, Paperless Procedures, and other layered applications) does not use OpenSSL therefore it is not affected by Heartbleed.  The only true web component we have in our system is D3Express and it uses Microsoft IIS of which the encryption component (called Secure Channel) is not susceptible to the Heartbleed vulnerability.

Therefore no action is required regarding NovaTech Automation products; this bulletin is for informational purposes only.