Solution

Heartbleed Bug in OpenSSL

A new threat called the Heartbleed bug has a significant impact on systems that use OpenSSL. Additional information may be found at:

• http://heartbleed.com/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Heartbleed attacks the heartbeat extension (RFC 6520) implemented in OpenSSL, and allows an attacker to read the memory of the affected system over the Internet. The bug can allow the attacker to compromise the private keys, as well as protected user names, passwords, or content. A Heartbleed compromise is not logged and is difficult to detect.

Heartbleed is not a flaw with the SSL/TLS protocol specification, nor is it a flaw with the digital certificate or the certificate authority (CA) system. Heartbleed is an implementation bug in specific versions of OpenSSL:

• The bug impacts OpenSSL versions 1.0.1 through 1.0.1f. The vulnerability appeared in March, 2012.
• The fix is included OpenSSL version 1.0.1g released on April 7, 2014.
• The 0.9.8 and 1.0.0 versions of OpenSSL are not impacted.

The impact of Heartbeat will be widely felt, affecting both servers and clients. For example, Apache and NGINX, which account for roughly two-thirds of web servers, use OpenSSL. Netcraft reports that more than half a million servers may be affected by Heartbleed.

OpenSSL is also used in operating systems such as Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3 and 5.4, FreeBSD 8.4 and 9.1, NetBSD 5.0.2 and OpenSUSE 12.2.

We recommend that customers review the detailed links above and test their SSL site for Heartbleed and other vulnerabilities using the tool at https://www.ssllabs.com/ssltest/

Customers using an affected version of OpenSSL should:

• Upgrade affected systems to a software version that uses OpenSSL 1.0.1g or higher. Customers may require a new release from their software vendor.
• Renew SSL certificates on affected system with a new private key.
• Ask users to change their passwords.