The issue
Vulnerability in OpenSSL. OpenSSL is an open source implementation of Transport Layer Security/Secure Sockets Layer (TLS/SSL); the flaw is specifically in the 'Heartbeat' extension to the protocol. TLS/SSL is the standard used to secure a great deal of communication across the Internet, such as Web, FTP, Postfix, Apache and E-Mail traffic.
The vulnerability allows a potential attacker to extract the contents of the memory of an affected server. This might include usernames, passwords and, most importantly, private encryption keys, which are used server-side to provide encryption.
Why it matters
There is a very serious risk of information disclosure. If a private key is disclosed, an attacker could masquerade as the site in question, leading to potential data theft.
What it affects
All products that use the OpenSSL 1.0.1 and 1.0.2 versions where the Heartbeat extension is enabled, e.g. mod_ssl in Apache, Postfix for secure mail.
It does not affect older versions:
OpenSSL 1.0.1 to 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
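A version-banner triage check for the ranges listed above (an added example, not Tibus's own test scripts): it parses `openssl version` output and flags hosts whose upstream version falls inside the affected range. The host names and banners are constructed sample data.

```python
import re

# Vulnerable range as listed in this notice: OpenSSL 1.0.1 up to and
# including 1.0.1f; 1.0.1g, the 1.0.0 branch and the 0.9.8 branch are not
# affected. The notice also names 1.0.2, which at the time existed only as
# pre-release (beta) builds, so those are flagged too.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_openssl_version(banner):
    """Parse `openssl version` output such as 'OpenSSL 1.0.1e 11 Feb 2013'.

    Returns (major, minor, patch, letter, beta) or None if unrecognised.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, beta


def in_vulnerable_range(banner):
    """True if the upstream version string falls inside the affected range."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL banner: %r" % banner)
    major, minor, patch, letter, beta = parsed
    if (major, minor, patch) == (1, 0, 1):
        # '' (the bare 1.0.1 release) sorts before 'a'; 'g' and later are fixed.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta is not None
    return False


def triage(inventory):
    """Map {host: banner} to the sorted list of hosts needing attention."""
    return sorted(h for h, b in inventory.items() if in_vulnerable_range(b))


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "web1.example.net": "OpenSSL 1.0.1e 11 Feb 2013",
    "web2.example.net": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail1.example.net": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy.example.net": "OpenSSL 0.9.8y 5 Feb 2013",
    "test.example.net": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs attention:", host, SAMPLE_INVENTORY[host])
```

Distributions often backport the fix without changing the upstream version string, so a flagged host means "check the package changelog", not "confirmed vulnerable".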
Tibus action…
• Evaluating impact upon our server estate to find likely affected hosts
• Performing testing to see whether the hosts we identify are vulnerable. These scripts are written and in test.
• Performing upgrades where applicable
Next steps
If you are a customer we will perform necessary actions on your behalf.
Where we can’t complete this, or believe the impact of those actions to be service affecting, we will get in touch with you.
If you are not a customer but have any questions, please feel free to email or call us: www.tibus.com/contact
More information