Chances are, you’ve already heard about the recently discovered OpenSSL vulnerability that is being called the “Heartbleed” bug. It is a flaw that existed in OpenSSL for around two years or more: a gap through which information that should have been protected by encryption could be leaked to hackers. It is important to note that this is NOT due to a flaw in SSL itself, but rather a defect in OpenSSL’s implementation, introduced in a recent batch of OpenSSL releases.
It was announced that OpenSSL versions 1.0.1 through 1.0.1f have this critical bug in their implementation of the TLS Heartbeat Extension. Its official reference is CVE-2014-0160. It is important to note that OpenSSL versions 1.0.1g, 1.0.0, and 0.9.8 are NOT vulnerable.
How is RedOrum affected?
RedOrum offers certain services that contain versions of OpenSSL affected by the vulnerability. You may or may not be using a service that is affected by it, but if you do, we want to assure you that we’ve done our legwork to ensure there are no remaining risks. As soon as we became aware of the issue, we immediately began working with our strategic partners and vendors to patch the affected products within hours of the bug announcement, leaving you to continue using our service without any interruption. During the process we experienced no issues and maintained the integrity of our hosted services. [Original Blog Announcement]
Do I need to do anything else?
If you purchased an SSL certificate from RedOrum, you should revoke your old key and have a new key reissued (a process known as “rekeying”). Generate a new public-private key pair when creating your CSR, and provide that CSR to us to get the certificate reissued.
If you run services internally that use OpenSSL, you should upgrade to the latest OpenSSL.
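The two steps above, rekeying and checking the installed version, as an added shell example that is not RedOrum’s code. It flags an `openssl version` string that falls in the affected range, generates a fresh key pair and CSR, and then checks that the CSR really carries the new public key rather than the old one (a reissue that silently reuses the exposed key gains nothing). File paths and the subject name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not RedOrum's code). Paths and subject name are placeholders.
set -eu

# heartbleed_affected "<output of: openssl version>" -> exit 0 if the stated
# version is 1.0.1 through 1.0.1f. Caveat: distributions often backport the fix
# without bumping the version, so a hit means "check the package changelog".
heartbleed_affected() {
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$ver" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
    *) return 1 ;;
  esac
}

# SHA-256 fingerprint of the public half of a PEM private key.
key_pub_fp() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key embedded in a CSR.
csr_pub_fp() {
  openssl req -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# rekey_csr <new_key.pem> <out.csr> <subject>: brand-new 2048-bit RSA key + CSR.
rekey_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  chmod 600 "$1"
  openssl req -new -key "$1" -out "$2" -subj "$3" 2>/dev/null
}

# verify_rekey <old_key.pem> <new_key.pem> <csr>: succeed only if the CSR carries
# the new public key AND that key differs from the (possibly leaked) old one.
verify_rekey() {
  old_fp=$(key_pub_fp "$1"); new_fp=$(key_pub_fp "$2"); csr_fp=$(csr_pub_fp "$3")
  [ "$csr_fp" = "$new_fp" ] && [ "$csr_fp" != "$old_fp" ]
}

# Demo (run as: sh rekey.sh demo): simulate the exposed old key, rekey, check.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/old.pem" 2>/dev/null
  rekey_csr "$d/new.pem" "$d/new.csr" "/CN=www.example.test"
  verify_rekey "$d/old.pem" "$d/new.pem" "$d/new.csr" && echo "rekey OK: CSR uses a new key"
  heartbleed_affected "$(openssl version)" && echo "installed version is in the affected range"
  rm -rf "$d"
fi
```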
Should you require any further information, please feel free to get in touch with us at firstname.lastname@example.org or call us at 858.368.4545.
How bad is this Heartbleed Bug?
It’s really bad. Web servers can keep a lot of information in their active memory, including user names, passwords, and even content that users have uploaded to a service. Worse still, the flaw has made it possible for hackers to steal encryption keys, the codes used to turn encrypted gibberish back into readable information.
For more information regarding the vulnerability, an extensive FAQ is available at www.heartbleed.com.
Initial RedOrum announcement: [Critical Security Alert] CVE-2014-0160-OpenSSL Private Key Bug