A new threat called the Heartbleed bug has a significant impact on systems that use OpenSSL. Additional information may be found at:
Heartbleed attacks the heartbeat extension (RFC 6520) implemented in OpenSSL, and allows an attacker to read the memory of the affected system over the Internet. The bug can allow the attacker to compromise the private keys, as well as protected user names, passwords, or content. A Heartbleed compromise is not logged and is difficult to detect.
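As an added illustration that is not part of this advisory, the following Python sketch parses a HeartbeatMessage as RFC 6520 lays it out and applies the length check the RFC requires of the receiver; the two sample records are constructed for the example.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: padding_length MUST be at least 16


def parse_heartbeat(record_body: bytes):
    """Parse the body of a TLS heartbeat record (RFC 6520, section 4).

    Returns (type, payload), or None when the message must be discarded.
    The comparison against len(record_body) is the receiver-side check
    that RFC 6520 requires: a payload_length larger than what the record
    actually carries means the message is silently dropped, rather than
    having payload_length bytes copied out of memory into a response.
    """
    if len(record_body) < 1 + 2 + MIN_PADDING:
        return None
    hb_type = record_body[0]
    (payload_length,) = struct.unpack("!H", record_body[1:3])
    if 1 + 2 + payload_length + MIN_PADDING > len(record_body):
        return None  # "too large" per RFC 6520: discard silently
    payload = record_body[3:3 + payload_length]
    return hb_type, payload


def build_response(record_body: bytes):
    """Echo a valid HeartbeatRequest's payload back; None if discarded."""
    parsed = parse_heartbeat(record_body)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    _, payload = parsed
    padding = b"\x00" * MIN_PADDING
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", len(payload))
            + payload + padding)


# Constructed sample: well-formed request, 5-byte payload, 16 bytes padding.
GOOD_REQUEST = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 5)
                + b"hello" + b"\x00" * 16)

# Constructed sample: same record, but payload_length claims 0x4000 bytes the
# record does not contain. A conforming receiver discards it without replying.
BAD_REQUEST = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 0x4000)
               + b"hello" + b"\x00" * 16)
```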
Heartbleed is not a flaw with the SSL/TLS protocol specification, nor is it a flaw with the digital certificate or the certificate authority (CA) system. Heartbleed is an implementation bug in specific versions of OpenSSL:
The impact of Heartbleed will be widely felt, affecting both servers and clients. For example, Apache and NGINX, which account for roughly two-thirds of web servers, use OpenSSL. Netcraft reports that more than half a million servers may be affected by Heartbleed.
OpenSSL is also used in operating systems such as Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3 and 5.4, FreeBSD 8.4 and 9.1, NetBSD 5.0.2 and OpenSUSE 12.2.
We recommend that customers review the detailed links above and test their SSL site for Heartbleed and other vulnerabilities using the tool at https://www.ssllabs.com/ssltest/.
Customers using an affected version of OpenSSL should: