This story has been updated to reflect new information.
OpenSSL, the open source toolkit implementing the SSL v2/v3 and TLS v1 protocols, disclosed a new vulnerability on Monday that could be used to reveal up to 64KB of memory to a connected client or server. The issue affected OpenSSL version 1.0.1.
OpenSSL says that a “missing bounds check in the handling of the TLS heartbeat extension” allowed for this vulnerability.
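The check the advisory refers to, as an added illustration that is not OpenSSL's own code: a heartbeat message declares its payload length in a 16-bit field, and the fix is to discard any record whose declared payload (plus the mandatory padding) does not fit inside the bytes actually received. Record layout follows RFC 6520; the sample records and the `build_heartbeat`/`sample_verdict` helpers are constructed here for demonstration.

```c
#include <stddef.h>
#include <string.h>
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3   /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_MIN_PADDING 16  /* RFC 6520 requires at least 16 bytes of padding */

/* Validate a heartbeat record body. Returns 1 and stores the declared payload
 * length when it fits inside the rec_len bytes received; 0 means discard. */
int heartbeat_record_ok(const unsigned char *rec, size_t rec_len, size_t *payload_len)
{
    /* Make sure the header and padding are present before reading them. */
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return 0;
    /* payload_length is 16-bit big-endian: a peer can declare at most 65535
     * bytes, which is where the advisory's "up to 64KB" figure comes from. */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check the vulnerable code lacked: the declared payload must
     * fit in the record that was received, not merely in the peer's claim. */
    if (HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len)
        return 0;
    *payload_len = declared;
    return 1;
}

/* Build a request with real_len payload bytes but an arbitrary declared length. */
size_t build_heartbeat(unsigned char *out, size_t cap, const unsigned char *payload, size_t real_len, unsigned declared_len)
{
    size_t total = HB_HEADER_LEN + real_len + HB_MIN_PADDING;
    if (total > cap || declared_len > 0xFFFF)
        return 0;
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(declared_len >> 8);
    out[2] = (unsigned char)(declared_len & 0xFF);
    memcpy(out + HB_HEADER_LEN, payload, real_len);
    memset(out + HB_HEADER_LEN + real_len, 0, HB_MIN_PADDING);
    return total;
}

/* Constructed sample: a 5-byte payload ("hello") declared as declared_len.
 * Returns the accepted payload length, or -1 if the record is discarded. */
long sample_verdict(unsigned declared_len)
{
    unsigned char buf[64];
    size_t plen = 0;
    size_t n = build_heartbeat(buf, sizeof buf, (const unsigned char *)"hello", 5, declared_len);
    return heartbeat_record_ok(buf, n, &plen) ? (long)plen : -1;
}
```

A record that declares 65535 bytes while carrying five is the shape that, without this check, would have made a responder copy tens of kilobytes of adjacent memory into its reply; with the check it is simply dropped.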
According to a blog post by CloudFlare on Monday, it fixed the vulnerability last week for its customers before it was made public.
“OpenSSL is the core cryptographic library CloudFlare uses for SSL/TLS connections. If your site is on CloudFlare, every connection made to the HTTPS version of your site goes through this library,” said Nick Sullivan, a systems engineer at CloudFlare. “As one of the largest deployments of OpenSSL on the Internet today, CloudFlare has a responsibility to be vigilant about fixing these types of bugs before they go public and attackers start exploiting them and putting our customers at risk.”
Sullivan said that this bug fix provides an example of CloudFlare's responsible disclosure policy. While more details of this policy are forthcoming, Sullivan says, it helps to “keep the Internet safe” by notifying appropriate stakeholders of the problem and giving them a chance to fix the vulnerability before it goes public.
CloudFlare encourages those running a server that uses OpenSSL to upgrade to version 1.0.1g to be protected from this vulnerability.
OpenSSL keeps track of all of the security vulnerabilities fixed in released versions of OpenSSL on its website.
UPDATE 4/8/2014: Security researchers at Fox-IT have found a way to scrape Yahoo for usernames and passwords through the Heartbleed vulnerability.