Heartbleed Bug Security Advisory

Important Security Advisory Blog: Heartbleed Bug

April 08, 2014
Doug Beattie

A serious vulnerability named the Heartbleed bug was announced Monday night (04/07/2014) in OpenSSL* (version 1.01 and OpenSSL beta 1.0.2); the popular open source cryptographic library. If you are using Nginx or Apache there is a high probability that you are running OpenSSL. The Heartbleed vulnerability is something OpenSSL users should take very seriously as it enables an adversary to obtain data from portions of the web server memory.

This data can include sensitive material such as the server's private key, but is not limited to that, any data that is in memory on the server is at risk including sensitive customer data as well. This is not limited to web servers, if you use a SSL based VPN that leverages OpenSSL you may also be at risk. Access to this type of sensitive data creates a serious vulnerability because attackers can use it to decrypt past communications (when Perfect Forward Secrecy (PFS) is not configured), steal critical data and in the case of a private key compromise, enable the attacker to impersonate the associated server.

Resolution and Recommendations

We strongly recommend anyone using OpenSSL to:

Verify what version of OpenSSL they are using and upgrade their systems to the appropriate fix from OpenSSL.
Request a reissue (with new private key) for SSL Certificates that were installed on affected servers, install the new certificate, then request revocation of the old certificate.
Use GlobalSign's SSL Configuration Checker tool to test your server for the Heartbleed vulnerability

GlobalSign offers free reissues to its direct customers, so if you are a GlobalSign SSL customer affected by the Heartbleed bug, please see our support center for instructions on reissuing your SSL Certificate.

*OpenSSL is an open source implementation of the SSL and TLS protocols. For more information visit www.openssl.org\

Additional Resources

GlobalSign Support Article: Understanding if you're vulnerable and how to resolve
CA Security Council Blog: Heartbleed Bug Vulnerability: Discovery, Impact, and Solution
OpenSSL Security Advisory: https://www.openssl.org/news/secadv_20140407.txt
Heartbleed Advisory: http://www.heartbleed.com/

Subscribe for more great content

Management and Automation

Certificates

Compliance

Technology Alliances

Certificate Management and Automation

Document Signing

Custom CA/ Private PKI

Website & Server Security (SSL/TLS)

Access Control & Authentication

Signing Certificates

eIDAS

PSD2

NAESB

FDA Certificates

Belgian Government Services

Timestamping

Venafi as a Service

HashiCorp Vault

ServiceNow

cert-manager for Kubernetes

Adobe Acrobat

DocuSign

AppViewX

Important Security Advisory Blog: Heartbleed Bug

Search Blog

Resolution and Recommendations

Additional Resources

Recent Blogs

AI and Machine Learning: Transforming Digital Identity Security in 2024

Understanding Digital Connections: SSL in Hong Kong

Why Cheap Can Be Costly: The Hidden Dangers of Using Free SSL/TLS Certificates

Management and Automation

Certificates

Compliance

Technology Alliances

Certificate Management and Automation

Document Signing

Custom CA/ Private PKI

Website & Server Security (SSL/TLS)

Access Control & Authentication

Signing Certificates

Important Security Advisory Blog: Heartbleed Bug

Search Blog

Resolution and Recommendations

Additional Resources

Recent Blogs

GlobalSign Website in other regions/languages