A serious vulnerability named the Heartbleed bug was announced Monday night (04/07/2014) in OpenSSL* (version 1.0.1 and the OpenSSL 1.0.2 beta), the popular open source cryptographic library. If you are using Nginx or Apache there is a high probability that you are running OpenSSL. OpenSSL users should take the Heartbleed vulnerability very seriously, as it enables an adversary to read data from portions of the web server's memory.
This data can include sensitive material such as the server's private key, but it is not limited to that: any data held in the server's memory is at risk, including sensitive customer data. Nor is the risk limited to web servers; if you use an SSL-based VPN that relies on OpenSSL you may also be at risk. Access to this type of sensitive data creates a serious vulnerability because attackers can use it to decrypt past communications (when Perfect Forward Secrecy (PFS) is not configured), steal critical data and, in the case of a private key compromise, impersonate the associated server.
Resolution and Recommendations
We strongly recommend anyone using OpenSSL to:
- Verify what version of OpenSSL they are using and upgrade their systems to the appropriate fix from OpenSSL.
- Request a reissue (with new private key) for SSL Certificates that were installed on affected servers, install the new certificate, then request revocation of the old certificate.
- Use GlobalSign's SSL Configuration Checker tool to test your server for the Heartbleed vulnerability.
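To support the first step above, here is an added example (not GlobalSign's or OpenSSL's code) that classifies an `openssl version` string against the affected range given in the OpenSSL advisory linked below: 1.0.1 through 1.0.1f and the 1.0.2 betas are affected, 1.0.1g and later are fixed, and the 1.0.0 and 0.9.8 branches never contained the heartbeat code. It assumes a POSIX shell and an `openssl` binary on the PATH; note that distributions which backport fixes keep the old version string, so a "vulnerable" result means "confirm your vendor's patch status", not a confirmed hole.

```shell
#!/bin/sh
# Added example: map an OpenSSL version string to its Heartbleed status.
# Ranges taken from the OpenSSL Security Advisory of 2014-04-07.
# Caveat: vendor-patched builds (e.g. a distro's 1.0.1e with the fix
# backported) still report the old string and will be flagged here.

# heartbleed_status VERSION -> prints "vulnerable" or "not-vulnerable"
# VERSION is the second field of `openssl version`, e.g. 1.0.1e or 1.0.1e-fips
heartbleed_status() {
    v="$1"
    case "$v" in
        1.0.1)          echo vulnerable ;;      # plain 1.0.1, no letter
        1.0.1[a-f])     echo vulnerable ;;      # 1.0.1a .. 1.0.1f
        1.0.1[a-f]-*)   echo vulnerable ;;      # suffixed builds, e.g. 1.0.1e-fips
        1.0.2-beta*)    echo vulnerable ;;      # 1.0.2-beta1 and -beta2
        *)              echo not-vulnerable ;;  # 1.0.1g+, 1.0.0.x, 0.9.8.x, 1.0.2 final
    esac
}

# check_local_openssl -> reports on the openssl binary found on PATH.
# Exit status 0 = not in the affected range, 1 = affected, 2 = no openssl found.
check_local_openssl() {
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    if [ -z "$ver" ]; then
        echo "openssl binary not found on PATH"
        return 2
    fi
    status=$(heartbleed_status "$ver")
    echo "OpenSSL $ver: $status (verify against your vendor's patch notes)"
    [ "$status" = not-vulnerable ]
}
```

Run `check_local_openssl` on each host; a non-zero exit is a prompt to upgrade (or confirm the backported fix) and then proceed to the certificate reissue step.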
GlobalSign offers free reissues to its direct customers, so if you are a GlobalSign SSL customer affected by the Heartbleed bug, please see our support center for instructions on reissuing your SSL Certificate.
*OpenSSL is an open source implementation of the SSL and TLS protocols. For more information visit www.openssl.org.
- GlobalSign Support Article: Understanding if you're vulnerable and how to resolve
- CA Security Council Blog: Heartbleed Bug Vulnerability: Discovery, Impact, and Solution
- OpenSSL Security Advisory: https://www.openssl.org/news/secadv_20140407.txt
- Heartbleed Advisory: http://www.heartbleed.com/