Heartbleed Bug in OpenSSL, Possible Vulnerability for HTTPS Websites
8 Apr 2014

A software bug called Heartbleed has a significant impact on systems that use OpenSSL. Additional information may be found at:

Heartbleed attacks the heartbeat extension (RFC 6520) implemented in OpenSSL, and allows an attacker to read the memory of the affected system over the Internet. The bug can allow the attacker to compromise the private keys, as well as protected user names, passwords, or content. A Heartbleed compromise is not logged and is difficult to detect.

Heartbleed is not a flaw with the SSL/TLS protocol, nor is it a problem with the digital certificate or the certificate authority (CA) system. Heartbleed is an implementation bug in specific versions of OpenSSL: 

  • The bug impacts OpenSSL versions 1.0.1 through 1.0.1f. The vulnerability appeared in March 2012.
  • The fix is included in OpenSSL version 1.0.1g, released on April 7, 2014.
  • The 0.9.8 and 1.0.0 versions of OpenSSL are not impacted.
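As an added illustration (not code from this page or from OpenSSL), the pattern behind the bug described above, modelled on the RFC 6520 message layout: the vulnerable path echoes as many bytes as the peer's header claims, while the fixed path first checks that claim against the record it actually received. The function names and the stand-in "secret" bytes are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
/* Toy model of one RFC 6520 heartbeat message inside a TLS record (not OpenSSL's code):
 *   type (1) | payload_length (2, big-endian) | payload | padding (at least 16 bytes)
 * rec_len is how many bytes the record actually carried. */
enum { HB_HDR = 3, HB_PAD = 16 };
/* Vulnerable pattern (OpenSSL 1.0.1 to 1.0.1f): trust the peer's payload_length and echo that
 * many bytes back, however short the record really was. (Clamp keeps the toy memory-safe.) */
int hb_reply_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap) {
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (payload > out_cap) payload = out_cap;
    memcpy(out, rec + HB_HDR, payload);   /* reads past the record when the length lies */
    return (int)payload;
}

/* Fixed pattern (OpenSSL 1.0.1g): header + claimed payload + minimum padding must fit in
 * the received record, or the message is dropped (-1). */
int hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PAD) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PAD > rec_len) return -1;  /* the check 1.0.1f lacked */
    if (payload > out_cap) return -1;
    memcpy(out, rec + HB_HDR, payload);
    return (int)payload;
}

/* Constructed scenario: a 19-byte record (empty payload, 16 bytes padding) whose header
 * claims `claimed` payload bytes; the bytes after it stand in for unrelated process data. */
static const uint8_t SECRET[] = "SESSION-KEY-0123";     /* constructed stand-in, 16 bytes */
static size_t build_scenario(uint8_t buf[64], uint16_t claimed) {
    memset(buf, 0, 64);
    buf[0] = 1;                                   /* heartbeat_request */
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)claimed;
    memcpy(buf + HB_HDR + HB_PAD, SECRET, 16);    /* lives just beyond the record */
    return HB_HDR + HB_PAD;
}
/* 1 if the unchecked reply to a record claiming `claimed` bytes echoes the stand-in secret. */
int demo_unchecked_leaks(uint16_t claimed) {
    uint8_t buf[64], out[64] = {0};
    build_scenario(buf, claimed);
    int n = hb_reply_unchecked(buf, out, sizeof out);
    return n >= HB_PAD + 16 && memcmp(out + HB_PAD, SECRET, 16) == 0;
}

/* Checked path on the same record: echoed payload length, or -1 if dropped. */
int demo_checked(uint16_t claimed) {
    uint8_t buf[64], out[64];
    size_t rec_len = build_scenario(buf, claimed);
    return hb_reply_checked(buf, rec_len, out, sizeof out);
}
```

A header claiming 32 bytes against a 19-byte record makes the unchecked path return the 16 stand-in secret bytes after the padding, while the checked path drops the message; an honest header (claimed length 0) is accepted by both.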

The impact of Heartbleed will be widely felt, affecting both servers and clients. For example, Apache and NGINX, which account for roughly two-thirds of web servers, use OpenSSL. Netcraft reports that more than half a million servers may be affected by Heartbleed (depending on which version of OpenSSL they have implemented).

We recommend that customers review the detailed links above and test their SSL site for Heartbleed and other vulnerabilities using the tool at https://www.ssllabs.com/ssltest/

Customers using an affected version of OpenSSL should: 

  • Upgrade affected systems to a software version that uses OpenSSL 1.0.1g or higher. Customers may require a new release from their software vendor. 
  • Renew SSL certificates on affected systems with a new private key. Do not reuse existing CSR/private keys! Ensure the previous certificate is revoked.
  • Ask users to change their passwords.