OpenSSL Vulnerability TLS heartbeat read overrun (CVE-2014-0160)

Heartbleed is a flaw in OpenSSL's implementation of the TLS heartbeat extension, not a bug in the SSL/TLS protocol itself. If your server does not use OpenSSL then you do not need to take any further action.

If your system does use OpenSSL, the following versions are affected by the TLS heartbeat read overrun (CVE-2014-0160):

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

The vulnerability allows an attacker to read up to 64k of the affected process's memory, which could potentially expose the server's private key.

Affected users should upgrade to OpenSSL 1.0.1g as soon as possible. Alternatively, recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the heartbeat extension.
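As an added illustration (not part of the original advisory), the following Python helper applies the version table above to the output of `openssl version -a`, treating a build whose `compiler:` line carries the -DOPENSSL_NO_HEARTBEATS rebuild option as mitigated. The function names and the sample banners are constructed for this example.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, str]

# Range from the advisory: 1.0.1 through 1.0.1f are affected, 1.0.1g is fixed.
# The 1.0.0 and 0.9.8 branches fall outside this range and are reported clean.
FIRST_AFFECTED: Version = (1, 0, 1, "")
FIRST_FIXED: Version = (1, 0, 1, "g")

# Matches the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Version]:
    """Return (major, minor, fix, letter) from an `openssl version` banner, or None."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    major, minor, fix, letter = match.groups()
    # Tuple comparison orders "" (1.0.1) < "a" (1.0.1a) < ... < "g" (1.0.1g).
    return int(major), int(minor), int(fix), letter


def heartbleed_status(version_output: str) -> str:
    """Classify the full output of `openssl version -a` against CVE-2014-0160.

    Returns "vulnerable", "not vulnerable", "mitigated" or "unknown".
    "mitigated" means an affected version was rebuilt with -DOPENSSL_NO_HEARTBEATS,
    which `openssl version -a` normally echoes in its "compiler:" line.
    Caveat: distributions that backport the fix keep the old letter (a patched
    1.0.1e still reports 1.0.1e), so confirm against the vendor package changelog.
    """
    version = parse_openssl_version(version_output)
    if version is None:
        return "unknown"  # not an OpenSSL banner at all
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        if "OPENSSL_NO_HEARTBEATS" in version_output:
            return "mitigated"
        return "vulnerable"
    return "not vulnerable"


if __name__ == "__main__":
    import subprocess
    try:  # check the local binary; fall back to a constructed sample banner
        out = subprocess.run(["openssl", "version", "-a"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = "OpenSSL 1.0.1e 11 Feb 2013"  # constructed sample
    print(out.splitlines()[0], "->", heartbleed_status(out))
```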

If you were running an affected version, we also recommend that you re-issue your certificate after you have upgraded.

Next Steps

  • If you have an affected system make sure you update OpenSSL to 1.0.1g.
  • Re-issue your certificate as soon as possible, following "How do I re-issue my SSL certificate?". Make sure you generate a new private key and CSR; do not reuse the old CSR.
  • Consider carefully whether it is necessary to revoke your old certificate. If you believe there is a danger that someone may have obtained a copy of your old private key, which could be used to impersonate your site, then you should revoke your old certificate:
    • Revocation is available from the End User Portal (use the same access link as used to re-issue). Make sure you revoke only the old certificate: if you revoke the certificate you are currently using, you will not be able to re-issue and your order will be cancelled.

Servertastic Customers

Some of the Servertastic systems have been using a vulnerable version of OpenSSL. This is now patched and we have re-issued our SSL certificates. For the last year we have also been using Perfect Forward Secrecy. This means that even if our private key has been exposed, past communications remain safe. This reduces the severity of impact on Servertastic customers.

However, you can change your password from within the My Account section if you feel this is necessary, especially if you use the same password elsewhere.

Servertastic Resellers

We advise that you inform your customers about the Heartbleed bug as you deem necessary. If you use the API, we also recommend that you log in to your Reseller Dashboard and regenerate your API Key. Due to the widespread nature of the bug, Symantec will be contacting end users directly with instructions on how to re-issue and revoke certificates.
