IMPORTANT SECURITY ADVISORY REGARDING THE HEARTBLEED BUG
A serious vulnerability named the Heartbleed bug was announced Monday night (04/07/2014) in OpenSSL* (version 1.0.1 and the OpenSSL 1.0.2 beta), the popular open source cryptographic library.
*OpenSSL is an open source implementation of the SSL and TLS protocols. For more information visit www.openssl.org
If you are using Nginx or Apache, there is a high probability that you are running OpenSSL. The Heartbleed vulnerability is something OpenSSL users should take very seriously, as it enables an adversary to obtain data from portions of the web server's memory. This data can include sensitive material such as the server's private key, but it is not limited to that: any data that is in memory on the server is at risk, including sensitive customer data. Nor is this limited to web servers; if you use an SSL-based VPN that leverages OpenSSL, you may also be at risk. Access to this type of sensitive data creates a serious vulnerability because attackers can use it to decrypt past communications (when Perfect Forward Secrecy (PFS) is not configured), steal critical data and, in the case of a private key compromise, impersonate the associated server.
RESOLUTION AND RECOMMENDATIONS
We strongly recommend anyone using OpenSSL to:
- Verify which version of OpenSSL they are running and upgrade their systems to the appropriate fixed release from OpenSSL.
- Request a reissue (with new private key) for SSL certificates that were installed on affected servers, install the new certificate, then request a revocation of the old certificate.
- Use the SSL Configuration Checker Tool at trustzone.ssllabs.com to test if your server is affected by the Heartbleed vulnerability.
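The following script is an added example and is not part of the TRUSTZONE advisory or of OpenSSL itself. It carries the first two steps above through in POSIX shell: heartbleed_status classifies an "openssl version" output line as affected (1.0.1 through 1.0.1f, and the 1.0.2 beta releases), patched (1.0.1g and later, 1.0.2 final), not-affected (0.9.8 and 1.0.0, which have no heartbeat support) or unknown, and make_reissue_csr generates a fresh private key and certificate signing request for the reissue step. The function names, the output directory and the hostname "www.example.test" are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the advisory's or OpenSSL's own code.

# Classify one "openssl version" line, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
# Prints exactly one of: affected, patched, not-affected, unknown.
heartbleed_status() {
  set -- $1            # split the line on whitespace; $2 is the version token
  ver=$2
  case "$ver" in
    1.0.1|1.0.1-*|1.0.1[a-f]*) echo "affected" ;;      # 1.0.1 .. 1.0.1f
    1.0.2-beta*)               echo "affected" ;;      # 1.0.2 beta builds
    1.0.1[g-z]*)               echo "patched" ;;       # fixed in 1.0.1g
    1.0.2*)                    echo "patched" ;;       # 1.0.2 final shipped fixed
    0.9.*|1.0.0*)              echo "not-affected" ;;  # no heartbeat extension
    *)                         echo "unknown" ;;
  esac
}

# Generate a NEW private key and a CSR for the reissue request.
# $1 = hostname for the certificate, $2 = output directory (both assumed).
# A reissue on the old key would not help: the old key must be treated as
# exposed, which is why the advisory asks for a new key before revocation.
make_reissue_csr() {
  host=$1
  outdir=$2
  mkdir -p "$outdir"
  umask 077   # key file is created readable by the owner only
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$outdir/$host.key" \
    -out "$outdir/$host.csr" \
    -subj "/CN=$host"
}

# Live check of the local library, only when an openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
  line=$(openssl version)
  echo "$line -> $(heartbleed_status "$line")"
  # Distributions often backport the fix without changing the version
  # letter, so also look at the build date in the full version output.
  openssl version -a | grep -i 'built on' || true
fi

# Example reissue (hostname and directory are placeholders):
# make_reissue_csr www.example.test ./reissue
```

On distribution-packaged OpenSSL (Debian, Ubuntu, Red Hat) the version letter alone is not conclusive, since the patch was backported to 1.0.1e builds; a "built on" date on or after the fix release, or the package changelog, is the reliable indicator. After the CSR is submitted and the new certificate installed, revoke the old certificate as the advisory describes, and rotate any session cookies or credentials that may have passed through the affected process.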
If one or more of your certificates are affected by the Heartbleed bug, you can order a re-issue of your certificate free of charge by submitting a new certificate request.
If you have access to TRUSTZONE Certificate Center or TRUSTZONE Managed SSL, please submit your re-issue request via your portal, and afterwards request a revocation of the old certificate.
For more information about the Heartbleed bug, please visit heartbleed.com