OpenSSL Heartbleed Security Update

[This article originally written by Christian Wright.]

On Monday, the OpenSSL Project released an update to address CVE-2014-0160, also known as “Heartbleed”. This serious vulnerability affects a substantial number of applications and services running on the Internet, including the CloudPassage Halo™ service. As of Tuesday, April 8th at 2:30pm PDT, all CloudPassage production systems have been updated and are no longer vulnerable. All communication between the Halo agents and the Halo analytics engine uses message-level encryption of each payload, so a weakness in the TLS transport layer does not by itself expose agent data.

Vulnerability Details

This vulnerability can be exploited remotely and without authentication against any peer running OpenSSL 1.0.1 through 1.0.1f (the 0.9.8 and 1.0.0 branches are not affected). Each malicious heartbeat request returns up to 64 KB of the victim process's memory, and repeated requests can walk through much more; that memory can contain the server's private key, TLS session keys, session cookies and user credentials. The bug is in OpenSSL's handling of the TLS heartbeat extension (RFC 6520): the handler trusted the payload length field supplied by the peer and copied that many bytes into the response without checking it against the length of the record actually received, so a request that claims a 64 KB payload while sending a few bytes is answered with whatever followed those bytes in memory. Exploitation leaves no trace in normal server logs. The OpenSSL Project has released 1.0.1g, which adds the missing bounds check, and most major Linux distributions have shipped patched packages through their regular package management services.
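To make the mechanism concrete, the following C model is an example added to this page; it is not OpenSSL's code. heartbeat_vulnerable mirrors the 1.0.1f logic with the missing check, heartbeat_fixed adds the two bounds checks that 1.0.1g introduced, and demo_leaks_secret runs both against a constructed request that claims a 64-byte payload while sending five bytes, with a stand-in secret placed in memory directly after the record. The function names, the "hello" request and the secret string are this example's own; the whole scenario lives inside one array so that the over-read stays within defined behaviour for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16                      /* RFC 6520: at least 16 bytes of padding */
#define HB_MAX_RESP (1 + 2 + 65535 + HB_PADDING)

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len, unsigned char *out);

/* 16-bit big-endian helpers, equivalent to OpenSSL's n2s()/s2n() macros. */
static uint16_t get_u16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put_u16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)(v & 0xff); }

/* Model of the handler in OpenSSL 1.0.1 through 1.0.1f. rec/rec_len is the received
 * heartbeat body (type | length | payload | padding); out must hold HB_MAX_RESP bytes.
 * Returns the response length, or 0 if nothing is sent. The bug: `payload` comes from
 * the peer and is never compared with rec_len, so memcpy() reads past what arrived. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = get_u16(p); p += 2;
    (void)rec_len;                          /* never consulted */
    if (type != HB_REQUEST)
        return 0;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    put_u16(bp, payload); bp += 2;
    memcpy(bp, p, payload);                 /* over-read: copies whatever follows the record */
    bp += payload;
    memset(bp, 0, HB_PADDING);              /* OpenSSL fills this with random bytes */
    return 1 + 2 + (size_t)payload + HB_PADDING;
}

/* Same logic with the checks added in OpenSSL 1.0.1g: the record must be long enough
 * to hold a header plus padding, and header + claimed payload + padding must fit in
 * the bytes actually received. Malformed requests are silently discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = get_u16(p); p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                           /* the check that was missing */
    if (type != HB_REQUEST)
        return 0;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    put_u16(bp, payload); bp += 2;
    memcpy(bp, p, payload);
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return 1 + 2 + (size_t)payload + HB_PADDING;
}

/* Constructed scenario: a 24-byte request (5-byte payload "hello" + 16 bytes padding)
 * claiming a 64-byte payload, with a stand-in secret right after it in memory, as key
 * material or cookies might sit on a real server's heap. Returns 1 if the handler's
 * response contains the secret, 0 otherwise. */
int demo_leaks_secret(hb_handler handler)
{
    static const unsigned char secret[] = "PRIVATE-KEY-BYTES";
    static unsigned char memory[128];
    static unsigned char out[HB_MAX_RESP];
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    put_u16(memory + 1, 64);                /* attacker claims 64 bytes ... */
    memcpy(memory + 3, "hello", 5);         /* ... but sends only 5 */
    size_t rec_len = 1 + 2 + 5 + HB_PADDING;
    memcpy(memory + rec_len, secret, sizeof secret - 1);
    size_t n = handler(memory, rec_len, out);
    for (size_t i = 0; i + (sizeof secret - 1) <= n; i++)
        if (memcmp(out + i, secret, sizeof secret - 1) == 0)
            return 1;
    return 0;
}

/* A well-formed request (claimed length matches what was sent) is answered by both. */
size_t demo_valid_response_len(hb_handler handler)
{
    static unsigned char out[HB_MAX_RESP];
    unsigned char rec[1 + 2 + 5 + HB_PADDING] = {0};
    rec[0] = HB_REQUEST;
    put_u16(rec + 1, 5);
    memcpy(rec + 3, "hello", 5);
    return handler(rec, sizeof rec, out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", demo_leaks_secret(heartbeat_fixed));
    printf("valid request, fixed handler:    %zu bytes\n", demo_valid_response_len(heartbeat_fixed));
    return 0;
}
```

The vulnerable handler answers the 24-byte request with an 83-byte response that carries the secret; the fixed handler drops the request and still answers a correctly sized one with the expected 24 bytes. The real attack simply repeats the malformed request, getting a fresh slice of heap contents each time.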

Steps We Have Taken

  • Tested and deployed patches to all production systems and restarted the affected services. The restart matters: a patched library on disk does nothing for a long-running process that still has the old version mapped.
  • As a precaution we have had our SSL certificates re-issued with newly generated private keys, since the leak could have exposed the old ones. Re-issuing a certificate for the same key pair would not have helped.

What You Can Do

We encourage all CloudPassage customers to update their CloudPassage account passwords. We have not found any evidence that any passwords have been compromised, but the bug was present from OpenSSL 1.0.1 (released in March 2012) until this week's fix and exploitation leaves no trace in server logs, so the safest thing to do for your account is to rotate your CloudPassage credentials. We also recommend turning on Two Factor Authentication for accessing your Halo™ account as an additional layer of protection.

We are continuing to monitor this vulnerability and will post updates as things progress.

Further details on the vulnerability can be found at the following sites:

http://heartbleed.com/
https://isc.sans.edu/forums/diary/OpenSSL+CVE-2014-0160+Fixed/17917
https://access.redhat.com/site/solutions/781793
http://discourse.ubuntu.com/t/the-heartbleed-bug/1607


Published at DZone with permission of Tatiana Crawford, DZone MVB. See the original article here.
