Recently the Heartbleed Bug, known more officially as CVE-2014-0160, was discovered and found to exploit vulnerabilities in 1.0.1 and 1.0.2 of OpenSSL. See the National Vulnerability Database Summary and the OpenSSL Security Advisory.
We wanted to update the community on the vulnerability (or, happily, mostly lack thereof) of various Sencha web services due to Heartbleed. After reviewing our web services and products, we have determined that they have not been vulnerable to Heartbleed, with one specific exception that only affects users of Sencha Space on a device running Android 4.1.1.
The Space Android 4.1.1 client in question inherits a vulnerability from the Android 4.1.1 system library, which is known to be vulnerable to Heartbleed. Even though Google has distributed patches to its mobile partners, it’s likely that it will take quite a while for all Android 4.1.1 devices to be patched "in the wild."
A successful exploitation of this Android vulnerability requires the user to also navigate to a malicious server — a task which is possible but difficult with Space’s managed application lists. Even so, we still recommend that Space administrators manually block Android 4.1.1 clients from using Space until users patch their mobile devices.
More information regarding Heartbleed and Android 4.1.1 is available here.
If you have any questions, please contact us via our General Discussion forum.