
OpenSSL Heartbleed Security Update


[This article was originally written by Christian Wright.]

On Monday, the OpenSSL Project released an update to address the CVE-2014-0160 vulnerability, also known as “Heartbleed”. This serious vulnerability affects a substantial number of applications and services running on the Internet, including the CloudPassage Halo™ service. As of Tuesday, April 8th at 2:30pm PDT, all CloudPassage production systems have been updated and are no longer vulnerable. All communication between the Halo agents and the Halo analytics engine uses message-level encryption, encrypting each payload, in order to mitigate SSL vulnerabilities at the transport layer.

Vulnerability Details

This vulnerability can be remotely exploited to leak encryption secrets from OpenSSL-encrypted sessions, allowing an attacker to retrieve private key material. The vulnerability stems from the way that OpenSSL handles the heartbeat extension in the TLS protocol. The OpenSSL Project has already provided a version that patches this bug, and many of the major Linux distributions have already provided updated versions via their regular package management services.
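To make the heartbeat-handling flaw concrete, here is a simplified model of a TLS heartbeat responder (an added example, not OpenSSL's code or CloudPassage's): a heartbeat record carries a 1-byte type, a 2-byte big-endian payload length, the payload, and at least 16 bytes of padding, and the hardened handler refuses any record whose declared payload length does not fit inside the bytes actually received, which is the bounds check the vulnerable versions lacked. The message layout follows RFC 6520; the buffer sizes and sample records are constructed for this example.

```c
/* Simplified TLS heartbeat responder (added example, not OpenSSL's code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Build a heartbeat response into out (capacity out_cap).
 * Returns the response length, or -1 if the record is malformed and must be discarded. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: header + declared payload + padding must fit inside the record we
     * actually received. Vulnerable versions trusted payload_len and copied that
     * many bytes from a buffer that could be far shorter, leaking adjacent heap memory. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, rec + 3, payload_len);          /* echo only bytes the peer really sent */
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* padding is random in real TLS; zero here */
    return (int)resp_len;
}

/* Constructed well-formed request: 5-byte payload "hello" plus 16 bytes of padding.
 * Returns 1 if the responder echoes exactly that payload. */
int check_valid_request(void) {
    uint8_t req[1 + 2 + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    int n = heartbeat_respond(req, sizeof req, out, sizeof out);
    return n == (int)sizeof req && out[0] == HB_RESPONSE && out[1] == 0x00 && out[2] == 0x05
        && memcmp(out + 3, "hello", 5) == 0;
}

/* Constructed malformed request: claims a 65535-byte payload but carries none.
 * Returns 1 if the responder rejects it instead of over-reading. */
int check_oversized_claim(void) {
    uint8_t req[1 + 2 + HB_PADDING] = { HB_REQUEST, 0xFF, 0xFF };
    uint8_t out[64];
    return heartbeat_respond(req, sizeof req, out, sizeof out) == -1;
}
```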

Steps We Have Taken

  • Tested and deployed patches to all production systems and restarted the affected services.
  • As a precaution we’ve had our SSL certificates re-issued using new keys.

What You Can Do

We encourage all CloudPassage customers to update their CloudPassage account passwords. We have not found any evidence that any passwords have been compromised, but given the amount of time that this vulnerability was in existence the safest thing to do for your account is to rotate your CloudPassage credentials. We also recommend turning on Two Factor Authentication for accessing your Halo™ account as an additional layer of protection.

We are continuing to monitor this vulnerability and will post updates as things progress.

Further details on the vulnerability can be found at the following sites:

http://heartbleed.com/
https://isc.sans.edu/forums/diary/OpenSSL+CVE-2014-0160+Fixed/17917
https://access.redhat.com/site/solutions/781793
http://discourse.ubuntu.com/t/the-heartbleed-bug/1607


Published at DZone with permission of Tatiana Crawford, DZone MVB. See the original article here.
