
OpenSSL Users Should Upgrade Now to Fix Heartbleed Security Bug


This story has been updated to reflect new information.

OpenSSL, the open source toolkit implementing the SSL v2/v3 and TLS v1 protocols, disclosed a new vulnerability on Monday that can be used to reveal up to 64KB of memory to a connected client or server. The issue affected OpenSSL version 1.0.1.

OpenSSL says that a “missing bounds check in the handling of the TLS heartbeat extension” allowed for this vulnerability.
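As an added illustration of the missing bounds check OpenSSL describes (example code written for this article, not OpenSSL's own source): a minimal heartbeat handler in C that lays the message out as the TLS heartbeat extension (RFC 6520) does, one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding, and refuses to echo a request whose claimed payload length does not fit inside the bytes actually received. The helper make_heartbeat, the buffer sizes and the sample payloads are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload
 * length (big-endian), payload, then at least 16 bytes of padding.
 * A 16-bit length field can claim up to 65535 bytes, which is why the
 * article speaks of "up to 64KB" of memory. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build a heartbeat request. claimed_len is what goes into the length
 * field; actual_len is how many payload bytes are really present, so the
 * two can be made to disagree for testing. Returns the record length, or
 * 0 if it does not fit in buf. (Helper written for this example.) */
size_t make_heartbeat(uint8_t *buf, size_t cap, uint16_t claimed_len,
                      const uint8_t *payload, size_t actual_len)
{
    size_t total = 1 + 2 + actual_len + HB_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0xAA, HB_PADDING); /* stand-in padding */
    return total;
}

/* Answer a heartbeat request by echoing its payload. Returns the response
 * length, or -1 if the record is malformed or the claimed payload length
 * does not fit inside the record that was actually received. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: header, claimed payload and minimum padding must
     * all lie within rec_len. Without it, memcpy below would read past
     * the end of the received record into whatever memory follows. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);          /* only bytes the peer sent */
    memset(out + 3 + payload, 0, HB_PADDING);   /* real code: random padding */
    return (int)resp_len;
}

int main(void)
{
    uint8_t req[64], resp[128];
    /* constructed request whose claimed length matches the 5-byte payload */
    size_t n = make_heartbeat(req, sizeof req, 5, (const uint8_t *)"hello", 5);
    printf("well-formed request -> response length %d\n",
           heartbeat_respond(req, n, resp, sizeof resp));
    /* constructed request claiming 65535 payload bytes but carrying only 5 */
    n = make_heartbeat(req, sizeof req, 0xFFFF, (const uint8_t *)"hello", 5);
    printf("oversized claim -> %d (rejected)\n",
           heartbeat_respond(req, n, resp, sizeof resp));
    return 0;
}
```

The single `if` comparing the claimed length against the received record length is the whole difference between echoing only what the peer sent and copying out adjacent process memory; the fixed release adds a check of exactly this shape.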

CloudFlare said in a blog post on Monday that it had fixed the vulnerability for its customers last week, before it was made public.

“OpenSSL is the core cryptographic library CloudFlare uses for SSL/TLS connections. If your site is on CloudFlare, every connection made to the HTTPS version of your site goes through this library,” said Nick Sullivan, a systems engineer at CloudFlare. “As one of the largest deployments of OpenSSL on the Internet today, CloudFlare has a responsibility to be vigilant about fixing these types of bugs before they go public and attackers start exploiting them and putting our customers at risk.”

Sullivan said that this bug fix is an example of the company's responsible disclosure policy. While more details of the policy are forthcoming, Sullivan says it helps to “keep the Internet safe” by notifying the appropriate stakeholders of a problem and giving them a chance to fix the vulnerability before it goes public.

CloudFlare encourages those running a server that uses OpenSSL to upgrade to version 1.0.1g to be protected from this vulnerability.

OpenSSL keeps track of all of the security vulnerabilities fixed in released versions of OpenSSL on its website.

In January, insecure passwords at the web hosting provider for OpenSSL were blamed for an attack where hackers defaced its homepage.

UPDATE 4/8/2014: Security researchers at Fox-IT have found a way to scrape Yahoo for usernames and passwords through the Heartbleed vulnerability.

For more on how service providers are handling the Heartbleed vulnerability, check out our Storify.


2 Comments

  1. I found a Firefox tool that can help the user know if the site is at risk -> http://www.proactiverisk.com/home/proactivetools

  2. I made a tool to check the status of your SSL and see if heartbeat is enabled. If it is, you should run this command: openssl version -a. Ensure your version is NOT 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1. Tool at: http://rehmann.co/projects/heartbeat/

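Turning the check in the second comment into code (an added example, not the commenter's tool or anything from OpenSSL): a C function that parses the first line of `openssl version -a` output and reports whether the build falls in the set the comment lists as affected, 1.0.1 through 1.0.1f and 1.0.2-beta1, with 1.0.1g being the fixed release the article recommends. The 0.9.8 and 1.0.0 branches never contained the heartbeat code and are treated as unaffected. The sample output lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Classify an OpenSSL build from the first line of `openssl version -a`,
 * e.g. "OpenSSL 1.0.1f 6 Jan 2014". The whole multi-line output may be
 * passed; only the leading version line is read.
 * Returns 1 = affected, 0 = not affected, -1 = line not recognised. */
int openssl_version_affected(const char *line)
{
    int major, minor, patch, consumed = 0;
    if (sscanf(line, "OpenSSL %d.%d.%d%n", &major, &minor, &patch, &consumed) != 3)
        return -1;

    /* Whatever follows "1.0.1": a patch letter ("f"), "-beta1", or a space. */
    const char *rest = line + consumed;
    char letter = (*rest >= 'a' && *rest <= 'z') ? *rest : 0;

    if (major == 1 && minor == 0 && patch == 1)
        /* 1.0.1 (no letter) through 1.0.1f affected; 1.0.1g and later fixed */
        return (letter == 0 || letter < 'g') ? 1 : 0;

    if (major == 1 && minor == 0 && patch == 2)
        /* the 1.0.2-beta1 pre-release carried the same bug */
        return strncmp(rest, "-beta1", 6) == 0 ? 1 : 0;

    /* 0.9.8 and 1.0.0 never shipped the heartbeat extension code */
    return 0;
}

int main(void)
{
    /* constructed sample of `openssl version -a` output */
    const char *sample = "OpenSSL 1.0.1e 11 Feb 2013\n"
                         "built on: Mon Feb 11 2013\n";
    int r = openssl_version_affected(sample);
    printf("%s\n", r == 1 ? "affected: upgrade to 1.0.1g"
                 : r == 0 ? "not affected" : "unrecognised output");
    return 0;
}
```

One caveat worth keeping in mind when using a version string this way: distributions that backport security fixes can ship a patched library whose banner still reads 1.0.1e, so a match here is a reason to check the package changelog or rebuild, not proof on its own that the fix is absent.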