OpenSSL Heartbleed bug and Sonatype

Extracted from Sonatype OpenSSL Heartbleed coverage.

From our Chief Security Officer…

We became aware of an issue affecting OpenSSL on Monday, April 7th, and have confirmed that none of our commercial or open source services were affected.

However, if the password you use for your Sonatype account is also used on sites not owned by Sonatype, you may still be at risk, because that password may have been compromised on one of those sites. Users who have been reusing passwords in this manner are encouraged to reset their Sonatype password.

To change your password, log into our Jira instance at and select your profile from the drop-down menu in the upper right corner, then click "change password". All of our customer-facing systems use the same back-end authentication system, so changing your password in Jira changes it for all of our sites.

If you've forgotten your password you can reset it here.


Q. Are Sonatype products vulnerable to Heartbleed?

A. Nexus and CLM are not vulnerable: they are Java applications, and the JDK's own TLS implementation (JSSE) is written in Java and does not depend on OpenSSL, so the Heartbleed bug (CVE-2014-0160) is not present in the products' own HTTPS listeners.

If you front our self-hosted server products with a reverse proxy such as Apache httpd or nginx, and that proxy terminates TLS with an affected OpenSSL build (1.0.1 through 1.0.1f, or 1.0.2-beta1), then the credentials and session cookies sent to our products pass through the vulnerable process and could have been exposed by the Heartbleed memory leak, along with the proxy's own private key. In that case, update OpenSSL to 1.0.1g or to a vendor build that backports the fix, restart the proxy, reissue the certificate with a new private key, and reset the passwords of users who logged in through that proxy.
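The following POSIX shell helper is an added example, not Sonatype's code, for checking whether the OpenSSL a reverse-proxy host reports falls in the Heartbleed-affected range. It assumes nginx as the proxy (the `nginx -V` banner carries a "built with OpenSSL ..." line); for Apache httpd the mod_ssl version appears in the error log at startup instead. The version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not Sonatype code): classify the OpenSSL version a proxy host reports.
# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g fixed it; 1.0.0 and 0.9.8 never shipped the TLS heartbeat code.

# Return 0 (true) if the bare version token is in the affected range, 1 otherwise.
# Vendor suffixes such as "1.0.1e-fips" are accepted.
heartbleed_affected_version() {
    case "$1" in
        1.0.1 | 1.0.1[a-f] | 1.0.1[a-f]-* ) return 0 ;;
        1.0.2-beta1 | 1.0.2-beta1-* )       return 0 ;;
        * )                                 return 1 ;;
    esac
}

# Extract the version token from `openssl version` output, e.g. the constructed
# sample "OpenSSL 1.0.1e-fips 11 Feb 2013" yields "1.0.1e-fips".
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# Extract the version token from `nginx -V` output, which contains a line such as
# "built with OpenSSL 1.0.1e 11 Feb 2013". (Assumption: nginx is the proxy in use.)
nginx_openssl_token() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# Print a one-line verdict for a label and version token.
# Distributions backport the fix without bumping the version string, so a
# "1.0.1e" build may already be fixed: confirm with the package changelog
# (e.g. `rpm -q --changelog openssl | grep CVE-2014-0160`) before trusting a
# positive result, and never trust a negative one from a bare version check alone.
report() {
    if [ -z "$2" ]; then
        echo "$1: could not determine OpenSSL version"
    elif heartbleed_affected_version "$2"; then
        echo "$1: OpenSSL $2 is in the affected range (CVE-2014-0160); patch and rotate keys unless the vendor changelog confirms a backported fix"
    else
        echo "$1: OpenSSL $2 is not an affected version"
    fi
}

# Check the openssl binary on PATH and the OpenSSL nginx was built against.
check_host() {
    if command -v openssl >/dev/null 2>&1; then
        report "openssl on PATH" "$(openssl_version_token "$(openssl version)")"
    fi
    if command -v nginx >/dev/null 2>&1; then
        report "nginx" "$(nginx_openssl_token "$(nginx -V 2>&1)")"
    fi
}

# Usage: sh heartbleed_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

A version check is only a first pass: it tells you the proxy was exposed, not whether anything was actually read from its memory, so the remediation steps above (patch, new key and certificate, credential reset) apply to any host that reports an affected build during the exposure window.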
