
OpenSSL Heartbleed Security Update


[This article originally written by Christian Wright.]

On Monday, April 7th, the OpenSSL Project released an update to address CVE-2014-0160, also known as “Heartbleed”. This serious vulnerability affects a substantial number of applications and services running on the Internet, including the CloudPassage Halo™ service. As of Tuesday, April 8th at 2:30pm PDT, all CloudPassage production systems have been updated and are no longer vulnerable. All communication between the Halo agents and the Halo analytics engine uses message-level encryption, encrypting each payload, in order to mitigate SSL vulnerabilities at the transport layer.

Vulnerability Details

This vulnerability can be exploited remotely, without authentication, to read up to 64 KB of the server process's memory per heartbeat request. That memory can contain session keys, user credentials and the server's private key, so an attacker can retrieve private key material and decrypt or impersonate the service. The bug is in OpenSSL's handling of the TLS heartbeat extension (RFC 6520): the server trusted the payload length claimed by the peer and copied that many bytes into its reply without checking that the request actually contained them. OpenSSL 1.0.1 through 1.0.1f are affected; the OpenSSL Project has released 1.0.1g, which fixes the bug, and most major Linux distributions have already shipped patched packages through their regular package management channels. Note that several distributions backported the fix while keeping the old version string (for example 1.0.1e), so check the package changelog rather than the version reported by `openssl version`.
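To make the bug concrete, here is an added example (not OpenSSL's or CloudPassage's code) that models the heartbeat message handling in a few lines of Python: a handler with the pre-1.0.1g behaviour, the same handler with the length check that 1.0.1g added, and a simulated "heap" built from a constructed byte string in which the request is followed by a stand-in for key material. The message layout, the 16-byte minimum padding and the discard rule are from RFC 6520; everything else (function names, the secret, the `simulate` harness) is an assumption made for the illustration.

```python
# Added illustration (not OpenSSL's or CloudPassage's code): a minimal model of the
# RFC 6520 heartbeat handling that CVE-2014-0160 got wrong, beside the fixed check.
# The "heap" here is a constructed byte string: the request sits at its start and
# the bytes after it stand in for whatever else the process holds in memory.
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of random padding
HEADER_LEN = 1 + 2        # type (1 byte) + payload_length (2 bytes, big-endian)


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_length lets a peer lie about the payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(record: bytes, heap: bytes) -> bytes:
    """Pre-1.0.1g behaviour: copy payload_length bytes from where the payload begins,
    never checking that many bytes actually arrived in the record."""
    hbtype, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if hbtype != HEARTBEAT_REQUEST:
        return b""
    # The over-read: the copy runs past the end of the record into neighbouring memory.
    copied = heap[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + copied + b"\x00" * MIN_PADDING


def patched_respond(record: bytes) -> Optional[bytes]:
    """1.0.1g behaviour: silently discard (None) any heartbeat whose claimed payload,
    plus header and minimum padding, would not fit in the bytes that arrived."""
    if HEADER_LEN + MIN_PADDING > len(record):
        return None                       # too short to be a valid heartbeat at all
    hbtype, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None                       # RFC 6520: discard, do not answer
    echoed = record[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]


def simulate(secret: bytes, honest_payload: bytes = b"ping") -> Tuple[bytes, Optional[bytes], Optional[bytes]]:
    """Run one malicious and one honest request through both handlers.
    Returns (bytes the vulnerable handler leaked beyond the real payload,
    patched reply to the malicious request, patched reply to the honest request)."""
    # Claim enough to reach past our own payload and padding into the secret.
    claimed = len(honest_payload) + MIN_PADDING + len(secret)
    malicious = build_heartbeat_request(honest_payload, claimed_length=claimed)
    honest = build_heartbeat_request(honest_payload)
    heap = malicious + secret           # constructed: request followed by other process data
    leaked = response_payload(vulnerable_respond(malicious, heap))[len(honest_payload):]
    return leaked, patched_respond(malicious), patched_respond(honest)


if __name__ == "__main__":
    SECRET = b"-----BEGIN RSA PRIVATE KEY-----"   # constructed stand-in for key material
    leaked, patched_bad, patched_good = simulate(SECRET)
    print("vulnerable handler leaked:", leaked)
    print("patched handler, malicious request:", patched_bad)
    print("patched handler, honest request echoes:", response_payload(patched_good))
```

The leaked bytes start with the request's own padding and then run straight into the "secret", which is exactly what the real bug did with whatever happened to sit after the record buffer. A real attacker simply repeats the request: each reply is a fresh 64 KB window onto the heap, and the server logs nothing unusual, since the heartbeat is handled before any application code sees it.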

Steps We Have Taken

  • Tested and deployed patches to all production systems and restarted the affected services.
  • As a precaution we’ve had our SSL certificates re-issued using new keys.
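Restarting the affected services matters as much as installing the package: a long-running daemon keeps the old libssl mapped in memory until it is restarted, so the host stays exploitable even though the file on disk is fixed. The following added check (not CloudPassage's code) finds such processes on Linux by looking for OpenSSL libraries that the kernel marks "(deleted)" in /proc/PID/maps. The `SAMPLE_MAPS` text is constructed input for the demonstration, not output from a real host, and the function names are the author's own.

```python
# Added check (not CloudPassage's code): after libssl is upgraded, a process that was
# not restarted keeps the old, vulnerable library mapped. On Linux the kernel marks
# such mappings "(deleted)" in /proc/PID/maps, which this script looks for.
# Assumes Linux; SAMPLE_MAPS below is constructed input, not output from a real host.
import re
from pathlib import Path
from typing import Dict, List

SSL_LIB = re.compile(r"/lib(ssl|crypto)\.so")

SAMPLE_MAPS = """\
7f3a1c000000-7f3a1c1f2000 r-xp 00000000 08:01 131077 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c1f2000-7f3a1c3f1000 ---p 001f2000 08:01 131077 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c400000-7f3a1c5f0000 r-xp 00000000 08:01 131080 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f3a1d000000-7f3a1d1a1000 r-xp 00000000 08:01 22222  /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7fff5e3c0000-7fff5e3e1000 rw-p 00000000 00:00 0      [stack]
"""


def stale_ssl_mappings(maps_text: str) -> List[str]:
    """Return the distinct libssl/libcrypto paths in one /proc/PID/maps listing whose
    backing file has been replaced on disk (the kernel appends "(deleted)")."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)      # addr perms offset dev inode pathname
        if len(fields) < 6:
            continue                      # anonymous mapping, no pathname
        path = fields[5]
        if path.endswith("(deleted)") and SSL_LIB.search(path):
            stale.add(path)
    return sorted(stale)


def scan_processes(proc: Path = Path("/proc")) -> Dict[int, List[str]]:
    """Map PID -> stale OpenSSL mappings for every readable process; these are the
    services that still need a restart (or the host a reboot)."""
    hits: Dict[int, List[str]] = {}
    for entry in proc.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            text = (entry / "maps").read_text()
        except OSError:                   # permission denied, or the process has exited
            continue
        stale = stale_ssl_mappings(text)
        if stale:
            hits[int(entry.name)] = stale
    return hits


if __name__ == "__main__":
    print("sample:", stale_ssl_mappings(SAMPLE_MAPS))
    for pid, libs in sorted(scan_processes().items()):
        print(pid, ", ".join(libs))
```

Run it as root so every process's maps file is readable. Anything it reports still has the old code loaded and needs a restart; an empty result only says no process holds a replaced OpenSSL file, so it is still worth confirming that the installed package is the patched build. Note that the deleted libc in the sample is deliberately ignored: the check is scoped to OpenSSL, though a reboot clears every stale mapping at once.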

What You Can Do

We encourage all CloudPassage customers to update their CloudPassage account passwords. We have not found any evidence that any passwords have been compromised, but given the amount of time that this vulnerability was in existence the safest thing to do for your account is to rotate your CloudPassage credentials. We also recommend turning on Two Factor Authentication for accessing your Halo™ account as an additional layer of protection.

We are continuing to monitor this vulnerability and will post updates as things progress.

Further details on the vulnerability can be found at the following sites:




Published at DZone with permission of Tatiana Crawford, DZone MVB. See the original article here.
