
OpenSSL Heartbleed Security Update


[This article was originally written by Christian Wright.]

On Monday, the OpenSSL Project released an update to address the CVE-2014-0160 vulnerability, also known as “Heartbleed”. This serious vulnerability affects a substantial number of applications and services running on the Internet, including the CloudPassage Halo™ service. As of Tuesday, April 8th at 2:30pm PDT, all CloudPassage production systems have been updated and are no longer vulnerable. All communication between the Halo agents and the Halo analytics engine uses message-level encryption, which encrypts each payload in order to mitigate SSL vulnerabilities at the transport layer.

Vulnerability Details

This vulnerability can be remotely exploited to leak encryption secrets from OpenSSL-encrypted sessions, allowing an attacker to retrieve private key material. The vulnerability stems from the way that OpenSSL handles the heartbeat extension in the TLS protocol. The OpenSSL Project has already provided a version that patches this bug, and many of the major Linux distributions have already provided updated versions via their regular package management services.
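
The length check that heartbeat handling depends on, as an added example (not CloudPassage's or the OpenSSL Project's code): a receiver has to compare the payload length a heartbeat message claims against the bytes actually received before it echoes anything back. The message layout follows RFC 6520; `hb_validate`, the status names and the sample messages are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 6520 HeartbeatMessage, carried in a TLS record of content type 24:
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

enum hb_status { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Hypothetical validator: msg/msg_len are the bytes actually received in the
 * record. The claimed payload_length is never trusted on its own. */
enum hb_status hb_validate(const uint8_t *msg, size_t msg_len, size_t *payload_len)
{
    if (msg == NULL || msg_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;            /* cannot hold header plus padding */
    if (msg[0] != HB_REQUEST && msg[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    /* Subtraction cannot underflow because of the first check. */
    if (claimed > msg_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return HB_LENGTH_MISMATCH;      /* sender claims more than it sent */
    if (payload_len != NULL)
        *payload_len = claimed;
    return HB_OK;
}

/* Constructed samples: 4-byte payload "ping" followed by 16 padding bytes. */
static const uint8_t sample_ok[23]        = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t sample_overclaim[23] = { HB_REQUEST, 0x00, 0x40, 'p', 'i', 'n', 'g' };

int main(void)
{
    size_t n = 0;
    printf("well-formed: status=%d\n", hb_validate(sample_ok, sizeof sample_ok, &n));
    printf("payload bytes safe to echo: %zu\n", n);
    printf("over-claimed length: status=%d\n",
           hb_validate(sample_overclaim, sizeof sample_overclaim, NULL));
    return 0;
}
```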

Steps We Have Taken

  • Tested and deployed patches to all production systems and restarted the affected services.
  • As a precaution, we’ve had our SSL certificates re-issued using new keys.

What You Can Do

We encourage all CloudPassage customers to update their CloudPassage account passwords. We have not found any evidence that any passwords have been compromised, but given the amount of time that this vulnerability was in existence, the safest thing to do for your account is to rotate your CloudPassage credentials. We also recommend turning on two-factor authentication for accessing your Halo™ account as an additional layer of protection.

We are continuing to monitor this vulnerability and will post updates as things progress.

Future details on the vulnerability can be found at the following sites:




Published at DZone with permission of
