DigiCert KnowledgeBase - Technical Support


Heartbleed Bug Vulnerability

Solution ID : SO497
Last Modified : 08/08/2025

Heartbleed Bug: Flaw in OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1

On April 7, 2014, the Heartbleed bug was revealed to the Internet community. The Heartbleed bug is not a flaw in the SSL or TLS protocols; rather, it is a flaw in the OpenSSL implementation of the TLS/DTLS heartbeat functionality. The Heartbleed Bug allows an attacker to gain access to sensitive information that is normally protected by the SSL and TLS protocols without leaving a trace.
 

This only affects you if you are running OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1, or if you are running software that is using affected versions of the OpenSSL library.

The steps to secure your environment against the Heartbleed Bug vulnerability must be done in the following order. For example, you must not do step six (reset passwords) before you have completed steps 1 – 5, or else your reset passwords may still be exposed.

  1. Detect if you are vulnerable to the Heartbleed Bug attack

    • For fast checking
      If you only have a few public-facing servers to check, use our SSL Server Checker.

    • For thorough checking
      Use DigiCert Discovery to detect if you are vulnerable to the Heartbleed Bug attack.

      If you are vulnerable to a Heartbleed Bug attack (i.e. you have servers running a vulnerable version of OpenSSL or software that is using an OpenSSL library with the Heartbleed Bug in it), you should take the following actions as soon as possible to mitigate any possible damage.

  2. Patch your software
    Patch OpenSSL on servers that run a vulnerable version, and patch software that bundles an affected version of the OpenSSL library. For each affected server or application, take one of the following actions:

    • Upgrade to the latest version of OpenSSL (version 1.0.1g or later).

      Servers
      Check your package manager for an updated OpenSSL package and install it. If no updated OpenSSL package is available, contact your service provider to obtain the latest version of OpenSSL and install it.

      Software
      Check for software patches that have been released to fix the Heartbleed Bug vulnerability and install them. If no patches are available, contact your software vendor to obtain the latest patch and install it.

      Note: You may need to restart the software after it is patched. A process that already has the old OpenSSL library loaded keeps running the vulnerable code until it is restarted, even though the patched library is on disk.

    • Roll back to OpenSSL version 1.0.0 or earlier (note that 1.0.0 does not support TLS 1.1 or TLS 1.2).
    • Recompile OpenSSL on your servers with the OPENSSL_NO_HEARTBEATS flag.

  3. Verify that your Heartbleed Bug vulnerabilities are patched.

    • For thorough checking
      To scan your internal networks or multiple servers, use DigiCert Discovery to rescan your environment and make sure that you are no longer vulnerable to the Heartbleed Bug attack.

    • For fast checking
      If you only have a few public-facing servers to check, use our SSL Server Checker.

  4. Rekey, reissue, and install your certificates. Because the bug can expose a server's private key, reissuing a certificate on the existing key is not sufficient; generate a new key pair when you reissue.
  5. Revoke replaced certificates

    After installing your reissued certificates, revoke the certificates that were replaced. To get a certificate revoked, contact your Certificate Authority.

    DigiCert customers: contact DigiCert Support to have your certificate revoked, and include your certificate's order number and a brief description of what you want revoked.


  6. Reset passwords

    If your servers accept passwords, you should also have your clients reset their passwords, but only after servers and software are patched and certificates are rekeyed, reissued, installed, and revoked.

    Note: If clients reset their passwords before servers/software are patched and certificates are rekeyed, reissued, installed, and revoked, then their passwords were still exposed, and they must reset their passwords again.
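A local complement to steps 1 to 3, added here as an example and not part of DigiCert's article or tooling: it parses the output of `openssl version -a` and reports whether the library is in the affected range, already at 1.0.1g or later, or an affected release rebuilt with OPENSSL_NO_HEARTBEATS. It assumes the affected range stated above and that a build made without heartbeats shows that define on the report's compiler line; the sample reports are constructed.

```python
"""Classify `openssl version -a` output against the Heartbleed-affected range.

Added example for this article, not DigiCert tooling. It inspects only the
version string and build flags and sends no heartbeat requests. Assumptions:
affected = 1.0.1 through 1.0.1f plus 1.0.2-beta1 (stated above); a build made
with no-heartbeats shows OPENSSL_NO_HEARTBEATS on its `compiler:` line.
"""
import re
import subprocess

# Matches "OpenSSL 1.0.1e", "OpenSSL 1.0.2-beta1", "OpenSSL 1.0.1", etc.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")

def parse_version(report: str):
    """Return (major, minor, fix, letter, prerelease) from the version line."""
    m = VERSION_RE.search(report)
    if not m:
        raise ValueError("no 'OpenSSL x.y.z' token found in report")
    major, minor, fix, letter, pre = m.groups()
    return int(major), int(minor), int(fix), letter, pre or ""

def version_in_affected_range(report: str) -> bool:
    """True for 1.0.1 with no letter or letters a-f, and for 1.0.2-beta1."""
    major, minor, fix, letter, pre = parse_version(report)
    if (major, minor, fix) == (1, 0, 1) and not pre:
        return letter <= "f"  # "" (plain 1.0.1) sorts before "a"; "g".."u" fail
    return (major, minor, fix, pre) == (1, 0, 2, "beta1")

def heartbleed_status(report: str) -> str:
    """'not-affected', 'mitigated-by-build-flag' or 'vulnerable-version'.

    'vulnerable-version' means the library *reports* an affected release; many
    distributions backported the fix without changing that string, so confirm
    with the package changelog or a rescan (step 3) before concluding exposure.
    """
    if not version_in_affected_range(report):
        return "not-affected"
    if "OPENSSL_NO_HEARTBEATS" in report:  # rebuilt without heartbeats (step 2)
        return "mitigated-by-build-flag"
    return "vulnerable-version"

# Constructed sample reports in the shape `openssl version -a` prints.
SAMPLE_VULNERABLE = "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_THREADS\n"
SAMPLE_NO_HEARTBEATS = "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS\n"
SAMPLE_PATCHED = "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -DOPENSSL_THREADS\n"
SAMPLE_BETA = "OpenSSL 1.0.2-beta1 24 Feb 2014\ncompiler: gcc -fPIC\n"

if __name__ == "__main__":  # check the local library; needs openssl on PATH
    out = subprocess.run(["openssl", "version", "-a"], capture_output=True, text=True).stdout
    print(heartbleed_status(out))
```

A result of "not-affected" for a version below 1.0.1 or at 1.0.1g and later needs no action; any other result is a reason to continue with steps 2 and 3, not a final verdict.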

    To join the conversation and get more information about the Heartbleed bug, see our blog post: Heartbleed OpenSSL Fix.