News archive

Vulnerability in OpenSSL puts information at risk

It has recently been announced that for the past two years the OpenSSL library, used by many web server software products, has contained a flaw that allows an attacker to read up to 64K of memory from a system running the software. That 64K may include the private keys used for SSL or TLS, so protected communications between client devices and the server, including the exchange of passwords and other confidential information, could be captured and decrypted by the attacker. Based on the posts and articles we have reviewed, the extent to which the flaw has been exploited over the past two years is unknown.

All versions of OpenSSL from 1.0.1 through 1.0.1f contain the vulnerability, known as “Heartbleed”. The recently released version 1.0.1g of OpenSSL corrects the flaw and should be applied to systems using OpenSSL as soon as possible.
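A version-string check for the affected range given above, added here as an example (it is not part of the original notice). It assumes each banner comes from running `openssl version` on the host; the host inventory below is constructed sample data. One caveat a practitioner needs: several Linux distributions backported the fix into packages that still report 1.0.1e, so a banner in the affected range is a reason to check the package changelog, not final proof of exposure, and the `vendor_backport` flag records that check.

```python
import re

# Matches banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013" or a bare "1.0.1g".
# Group 4 is the optional patch letter, group 5 an optional suffix ("fips", "beta1").
_BANNER_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?")

# Inclusive range of upstream releases named in the notice: 1.0.1 (no letter) .. 1.0.1f.
VULNERABLE_FIRST = (1, 0, 1, "")
VULNERABLE_LAST = (1, 0, 1, "f")
FIXED_RELEASE = (1, 0, 1, "g")


def parse_openssl_version(banner):
    """Return ((major, minor, patch, letter), suffix) parsed from a version banner."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    major, minor, patch, letter, suffix = m.groups()
    return (int(major), int(minor), int(patch), letter), (suffix or "")


def is_heartbleed_vulnerable(banner):
    """True if the banner names an upstream release in 1.0.1 .. 1.0.1f.

    Tuple comparison orders the patch letter lexically, so "" < "e" < "f" < "g",
    which places 1.0.1 (no letter) at the start of the range and 1.0.1g outside it.
    """
    version, _suffix = parse_openssl_version(banner)
    return VULNERABLE_FIRST <= version <= VULNERABLE_LAST


def assess(banner, vendor_backport=False):
    """Classify one host as 'vulnerable', 'vendor-patched' or 'not-affected'.

    vendor_backport=True records that the OS package changelog shows the
    heartbeat fix was backported without bumping the version letter.
    """
    if not is_heartbleed_vulnerable(banner):
        return "not-affected"
    return "vendor-patched" if vendor_backport else "vulnerable"


def report(inventory):
    """Map host name -> status for an inventory of (banner, vendor_backport) pairs."""
    return {host: assess(banner, backport) for host, (banner, backport) in inventory.items()}


# Constructed sample inventory (hypothetical hosts, banners in the real format).
SAMPLE_INVENTORY = {
    "web1": ("OpenSSL 1.0.1e-fips 11 Feb 2013", False),
    "web2": ("OpenSSL 1.0.1e 11 Feb 2013", True),   # distro package with backported fix
    "web3": ("OpenSSL 1.0.1g 7 Apr 2014", False),
    "legacy": ("OpenSSL 0.9.8y 5 Feb 2013", False),
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `vulnerable` need the 1.0.1g upgrade first, then the key and certificate replacement described in the rest of this notice; `vendor-patched` hosts still need their certificates reviewed if the patched package was installed late.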

Because a vulnerable server's private encryption keys may already have been compromised before OpenSSL 1.0.1g was installed, it is strongly recommended that the certificates on any server that has run a vulnerable version of OpenSSL be revoked and replaced with new certificates. Do this only after the OpenSSL software has been upgraded, so that the new certificate keys are not themselves exposed.

Anyone with SDP-issued certificates (those from the InCommon Federation) who wishes to renew them should generate a new Certificate Signing Request (CSR) from a new private key and ask SDP to issue a new certificate from that CSR and to revoke the old certificate. To request this, submit an OPM ticket to SDP-Incoming containing the CSR.

Additionally, because the vulnerability may have exposed passwords entered into a vulnerable server's web sites, passwords used to access those sites should be changed after the servers and their certificates have been updated.

Further information about the flaw can be found at the following URLs: