Overview
Urchin 4 ships with an embedded Apache webserver that provides access to the web-based Urchin administration and reporting functions. The Apache webserver shipped with Urchin is built with SSL support, although it is not enabled by default. Per the following security advisory:
there is a vulnerability in OpenSSL that may potentially allow encrypted information to be viewed.
Impact on Urchin Customers
Beginning with Urchin 4.100, the Apache webserver shipped with Urchin has included OpenSSL. All versions of Urchin from Urchin 4.100 through Urchin 4.106 include a version of OpenSSL that is vulnerable to the timing attack.
Given that SSL support is not enabled by default, and that the vulnerability presents no threat to system security, Urchin Software Corporation will not be releasing a fix for this issue as no further development is being done on Urchin 4. Customers are urged to upgrade to the latest release of Urchin instead.