On April 7, 2014, a bug in the OpenSSL software library was announced by the OpenSSL organization. This bug, called Heartbleed, impacts versions 1.0.1 through 1.0.1f of OpenSSL.
Heartbleedis not an SSL bug or flaw with the SSL/TLS protocol — it's a bug in OpenSSL’s implementation of SSL/TLSwhich servers rely on to create secured connections online.Heartbleed affects nearly two-thirds of servers on the Internet. Chances are you administer a server affected by the Heartbleed bug or have received an email notification to update passwords because of the effect of Heartbleed.
According to the , whoseengineers were among those who discovered Heartbleed:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
A few things that set Heartbleed apart from other bugs are:
The versions of OpenSSL that are vulnerable to Heartbleed are 1.0.1through 1.0.1f, and 1.0.2-beta1. The 1.0.0 branch and earlier were not vulnerable, and the 1.0.1g version released yesterday fixes the vulnerability. (Version 1.0.2-beta2 will include the fix.)
If your servers do not use version 1.0.1 through 1.0.1f or 1.0.2-beta1 of OpenSSL, or if they are compiled without the heartbeat extension, they are not vulnerable to Heartbleed.
Microsoft-based platforms, not utilizing OpenSSL are unaffected by Heartbleed. Java along with many other servers and network devices not use OpenSSL. Although some devices can still rely on OpenSSL, so it's best to contact your device manufacturer or the TV 24/7 Technical Support team to verify if you're vulnerable to Heartbleed.If you are using keystores and truststores, you most likely areusing JSSE rather than OpenSSL and are not vulnerable to Heartbleed.
If you're unsure whether a site you administer or use is vulnerable, you can usethe TV Certificate Checker tool for free on by going todigicert.com/help. The TV Certificate Checker allows users to check the security for any site on the Internetusing an SSL Certificates from anyCertificate Provider.
Although thereare no documented cases of Heartbleed being exploited to date, because theattack is undetectable, it is impossible to say that no attempt has been made. Compromised data has yet to be linked to Heartbleed, butif your server is running a version of OpenSSL between 1.0.1 and 1.0.1f with the heartbeat extension enabled, you are potentially vulnerable to Heartbleed and should take the steps below to address it.
If you have any question as to whether you are vulnerable, the latest version of TV’s free Certificate Inspector has added Heartbleed to the lengthy list of vulnerabilities it can detect. To learn more and get access to this tool, visit/heartbleed-bug-vulnerability.htm.
If you are vulnerable to Heartbleed, there are two steps you need to take:
The order of these steps is very important — it's critical that you stop the bleedingbefore addressing the possible damage — but both steps need to be done as quickly as possible.
There are two three (see update below) options for updating your server. You can either update to OpenSSL version 1.0.1g, or you can recompile your existing version of OpenSSL with -DOPENSSL_NO_HEARTBEATS
. Neither option is inherently better than the other; different dependencies and situations call for different solutions. But you should take one of these actions immediately.
The first step, whether you are a TV customer or not, is to create a new key pair and Certificate Signing Request. TV has a very useful free tool to quickly create CSR creation commands. The last thing you want to do when quickly trying to address Heartbleed is fumble with complicated shell commands. The TV Easy CSR for Apache and Exchange CSR Command Generator make it easy to re-key or create a new a new SSL Certificate.These tools are available to anyone, whether using TV or another SSL Certificate provider.
If you are a TV customer, re-keying is always free, easy, and nearly instantaneous. Here are the steps:
You will need to re-key every certificate that has been on a vulnerable server.
Now that Heartbleed has been made public, if you use one of the affected versions of OpenSSL, it is important that you address the issue.
The TV team is always available 24/7 to provide any assistance you may need in re-keying your TV certificates or answer any questions about Heartbleed. As a TV policy, any SSL user, whether a TV customer or not, can call, email, or live chat with us by visiting our Contact page at .