What is this?

Heartbleed is in reference to a vulnerability has recently been disclosed in OpenSSL which affects CentoOS 6.5 or Debian 7 operating systems. Since we run a CentOS based operating system on all of our servers this announcement impacted us as well. 

This issue is known as the "heartbleed" bug. Further technical information may be found at the Heartbleed information site. It has been assigned the ID CVE-2014-0160 [2] in the Common Vunerabilities and Exposures database.

http://heartbleed.com/

What have we done?  Are our servers now fixed?

CentOS and Debian have patched this vulnerability as of April 7th, 2014. All of our server have subsequently been patched and are no longer vulnerable.  This required an update to the OpenSSL packages and restarting all the services that use OpenSSL.  As an extra precaution we also rebooted all of our server to ensure that every service was properly using the updated OpenSSL package.  

This vulnerabiltiy has been in existance for some time and there is no way to know there was an impact or not. To further reduce this risk all of SSL certificates have been reissued with new keys. 

Further Actions

There are no further action required on our part, we have patched the OpenSSL package and reissued all of our SSL certificates.  If you have purchased a Rapid SSL certificate it would be highly recommended to have that certificate reissued as it is theoretically possible that someone could have your private key. You can have your certificate reissued through the following website free of charge:

http://www.geotrust.com/support/ssl-certificate-reissuance/

If you are in doubt or maybe you want to check another server you are hosting please use this link to verify the system is patched: http://filippo.io/Heartbleed/

Of course if you have any questions please do let us know.


mercredi, avril 9, 2014

« Retour