Overview
Urchin 5 ships with an embedded Apache webserver that provides access to the web-based Urchin administration and reporting functions. The Apache webserver shipped with Urchin is built with SSL support, although it is not enabled by default. Per the following security advisory:
several vulnerabilities in the OpenSSL SSL/TLS library could allow an unauthenticated, remote attacker to cause a denial of service.Impact on Urchin Customers
Beginning with Urchin 4.100, the Apache webserver shipped with Urchin has included OpenSSL. All versions of Urchin from Urchin 4.100 through Urchin 4.106 include a version of OpenSSL that is vulnerable to this denial of service attack.
Given that SSL support is not enabled by default, and that the vulnerability presents no threat to system security, Urchin Software Corporation will not be releasing a fix for this issue as no further development is being done on Urchin 4. Customers are urged to upgrade to the latest release of Urchin instead.