Load balancers that use OpenSSL

Heartbleed

Market-leading load balancers that rely on OpenSSL to terminate TLS for HTTP and FTP traffic (HTTPS, FTPS) include F5, Citrix, Radware, Riverbed and Barracuda.  Load balancers spread traffic across multiple servers and provide high availability for business transactions, which makes them a central conduit for critical traffic and a concentrated target: a memory disclosure on the device can expose session data and private keys for every service behind it. The load balancer vendors have, on the whole, responded promptly to the latest OpenSSL vulnerability, Heartbleed (CVE-2014-0160).

  1. F5 BIG-IP Local Traffic Manager (LTM):  The OpenSSL code base is used extensively in the LTM product line as well as in other F5 products. F5's OpenSSL patch advisory lists the versions that are vulnerable. Note that versions below 11.0.0 are not vulnerable because they ship an older OpenSSL that does not contain the heartbeat extension in which the bug lives.
  2. Citrix NetScaler: OpenSSL is widely used in NetScaler, but the release deployed is an older one.  According to their product manager, Citrix backports fixes into its code base while keeping the older OpenSSL version number, so the version string alone says little about patch level. The security advisory issued by Citrix states that NetScaler is not affected by Heartbleed because of the TLS libraries it uses.
  3. Radware AppDirector:  A variety of Radware products use OpenSSL, including AppDirector 2.31x and 2.35.  However, these ship OpenSSL 0.9.8, which predates the heartbeat extension and is therefore not affected.
  4. Riverbed Stingray Traffic Manager:  Stingray Traffic Manager, along with other products in the Riverbed portfolio, uses OpenSSL. Riverbed's security advisory states that the OpenSSL version used is not vulnerable to Heartbleed.
  5. Barracuda Load Balancer: OpenSSL is used in a number of Barracuda products, including Barracuda Load Balancer ADC versions 5.0 through 5.1 and Barracuda Load Balancer version 4.2. Details of the Heartbleed exposure of Barracuda products are available in their Tech Alert.

For a history of OpenSSL vulnerabilities, see the OpenSSL project's vulnerabilities page.

There are a few major trends that emerge from reviewing documentation, security advisories, and support blogs:

  1. OpenSSL is used by all of the leading load balancers.
  2. Vendors that did not track upstream OpenSSL for two or more years and still ship 0.9.x (or 1.0.0) avoided Heartbleed outright: the bug is in the TLS heartbeat extension, which first appeared in OpenSSL 1.0.1 (March 2012), so only 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected. The converse does not hold: a version string alone proves nothing either way, because vendors such as Citrix backport fixes under an older version number, so the vendor advisory is the authoritative source for a given release.
  3. OpenSSL is used to varying degrees.  Most vendors state that their data-plane TLS uses a different stack and that OpenSSL serves only the management interface. That interface still terminates TLS and still holds credentials in memory, so it needs the same patch and should not be reachable from untrusted networks.

Here is a detailed write-up on reducing load balancers' exposure to OpenSSL Heartbleed.