Last week, industry security researchers announced a flaw in the OpenSSL encryption software library, known as “Heartbleed,” which can be used to cause a vulnerable system to reveal up to 64k of memory to an attacker.
Adobe has evaluated the Creative Cloud and its related services (including Behance and Digital Publishing Suite), the Marketing Cloud solutions and products (including Analytics, Analytics Premium and Experience Manager), EchoSign, Acrobat.com, the Adobe.com store, and other Adobe services. All Adobe internet-facing services known to have been using a version of OpenSSL containing the Heartbleed vulnerability have been mitigated. We are continuing our analysis of Adobe internet-facing servers to identify and remediate any remaining Heartbleed-related risks.
Some Adobe products and services do not bundle OpenSSL (such as ColdFusion**, Experience Manager and Experience Manager On-Demand) but are frequently deployed by customers on-premise or with third-party web servers. We advise these customers to test for the Heartbleed vulnerability (CVE-2014-0160) against their deployment and configuration. If necessary, follow the recommendations provided by the OpenSSL security advisory as appropriate.
At this time, Adobe does not plan to initiate a password reset in response to the Heartbleed vulnerability; however, it is always a good practice to change passwords from time to time. We strongly recommend that you change your Adobe password if you use the same user ID and password for your Adobe ID as you do on other websites, so that a compromise of your username and password on a non-Adobe service does not put your Adobe ID at risk.
** Update: ColdFusion does ship a version of OpenSSL that is not vulnerable to the Heartbleed vulnerability.