Tech: OpenSSL / Heartbleed issue

Posted on 08 April 2014 - Announcement
Tibus BY Tibus

The issue

Vulnerability in OpenSSL. OpenSSL is an open source implementation of Transport Layer Security/Secure Sockets Layer (TLS/SSL); the flaw is specifically in the 'Heartbeat' extension to the protocol. TLS/SSL is the standard used to secure lots of communication across the Internet, such as Web, FTP, Postfix, Apache and E-Mail.

The vulnerability allows a potential attacker to extract contents of the memory of an affected server. This might include passwords, usernames and, even more importantly, private encryption keys, which are used server-side to provide encryption.


Why it matters

There is a very serious risk of information disclosure. If a private key is disclosed, an attacker could masquerade as the site in question, leading to potential data theft.


What it affects

All products that use the OpenSSL 1.0.1 and 1.0.2 versions where the Heartbeat extension is enabled, e.g. mod_ssl in Apache, Postfix for secure mail.

It does not affect older versions:

OpenSSL 1.0.1 to 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable


Tibus action…

•    Evaluating impact upon our server estate to find likely affected hosts
•    Performing testing to see whether the hosts we identify are vulnerable. These scripts are written and in test.
•    Performing upgrades where applicable

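The version ranges listed above are the first thing to check on each host. The following is an added example, not Tibus's own test scripts (which this announcement does not reproduce): a small Python helper that parses the banner printed by `openssl version` and classifies it against the ranges given in this post. The host names and banner strings in it are constructed for illustration.

```python
import re

# Vulnerable range per the announcement: OpenSSL 1.0.1 through 1.0.1f inclusive.
# 1.0.1g carries the fix; the 1.0.0 and 0.9.8 branches never had Heartbeat code.
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"
UNAFFECTED_BRANCHES = {(1, 0, 0), (0, 9, 8)}

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-[A-Za-z0-9]+)?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, suffix) from an `openssl version` banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return major, minor, fix, m.group(4), (m.group(5) or "")


def classify(banner):
    """Classify a banner as 'vulnerable', 'patched', 'unaffected' or 'review'.

    'review' is returned for anything the post's list does not cover explicitly
    (for example 1.0.2 pre-releases, which the post names as affected but does
    not list a fixed version for), so a human looks at it rather than the script
    silently calling it safe.
    """
    major, minor, fix, letter, suffix = parse_openssl_version(banner)
    branch = (major, minor, fix)
    if branch in UNAFFECTED_BRANCHES:
        return "unaffected"
    if branch == VULNERABLE_BRANCH:
        # Letter releases sort alphabetically: "" < "a" < ... < "f" < "g".
        return "vulnerable" if letter < FIRST_FIXED_LETTER else "patched"
    return "review"


def triage(hosts):
    """Map host name -> classification for a dict of {host: banner}."""
    return {host: classify(banner) for host, banner in hosts.items()}


# Constructed sample inventory (host names and banners are made up).
SAMPLE_HOSTS = {
    "web01.example.invalid":  "OpenSSL 1.0.1e 11 Feb 2013",
    "web02.example.invalid":  "OpenSSL 1.0.1g 7 Apr 2014",
    "mail01.example.invalid": "OpenSSL 1.0.0k 5 Feb 2013",
    "old01.example.invalid":  "OpenSSL 0.9.8y 5 Feb 2013",
    "beta01.example.invalid": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_HOSTS).items()):
        print(f"{host:28s} {verdict}")
```

One caveat a version check cannot see: some distributions backport the fix without changing the upstream version string (the banner still says 1.0.1e), so treat a "vulnerable" verdict as a prompt to confirm against the package changelog or a handshake-level test, and keep the reported banner rather than the verdict in the inventory.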

Next steps

If you are a customer, we will perform the necessary actions on your behalf.
Where we can't complete this, or believe the impact of those actions would be service affecting, we will get in touch with you.

If you are not a customer but have any questions, please feel free to email us or call us: www.tibus.com/contact


More information

BACKGROUND ON THE REGISTER

ACTUAL BUG AND RELEASE NOTES