Heartbleed Bug – Ensure You Are Protected

As many of you know, yesterday a widespread vulnerability in the OpenSSL library, nicknamed “Heartbleed”, was publicly disclosed. Soon after the information was released, we tested and verified that our cloud portals were not affected by this potential threat. The Citrix interfaces used within the Zumasys hosted environment are not affected. The link below from Citrix elaborates. Microsoft web servers (e.g., OWA – Outlook Web Access) are not affected. However, if there is a network device, such as a load balancer or appliance, in front of the web server, that device could be affected.

A large portion of the public internet is believed to require patching to remediate this flaw.

We recommend that all websites hosted by customers be tested for this vulnerability and that corrective action be taken immediately if it is found. Note that patching affected versions of OpenSSL is not enough to stop potential exploitation: all SSL certificates related to affected systems must be revoked and reissued, and then any user passwords must be reset.

In addition to any websites you may host, you should also request information from the other online services you use. Prioritize based on the sensitivity of the data: banking sites, payroll, other financial (401k/tax), etc. Any “web app” or “extranet” services your company uses need to be verified. Any service that states it had to take corrective action can be independently verified with one of the tools below, and by checking whether its current SSL certificate has an “issued on” date of yesterday or today (4/9/14 – 4/10/14). It is very likely that such services will also have requested (or forced) their users to reset passwords post-remediation.
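The “issued on” check described above, scripted as an added example that is not part of the original post. The function names and the `.example` hostnames are this example's own, the sample certificate data is constructed, and the cutoff is the first day of the window given above (4/9/14).

```python
import socket
import ssl
from datetime import datetime, timezone

# First day of the reissue window given in the post (4/9/14 - 4/10/14).
CUTOFF = datetime(2014, 4, 9, tzinfo=timezone.utc)


def fetch_cert(host, port=443, timeout=5):
    """Return the validated leaf certificate of host as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issued_on(cert):
    """Parse notBefore (e.g. 'Apr  9 00:00:00 2014 GMT') into a UTC datetime."""
    not_before = cert.get("notBefore")
    if not not_before:
        return None  # no validated certificate data to judge from
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)


def triage(certs, cutoff=CUTOFF):
    """Map each service name to 'reissued', 'not-reissued' or 'unknown'."""
    result = {}
    for name, cert in certs.items():
        issued = issued_on(cert)
        if issued is None:
            result[name] = "unknown"
        elif issued >= cutoff:
            result[name] = "reissued"
        else:
            result[name] = "not-reissued"  # follow up with the provider
    return result


if __name__ == "__main__":
    # Constructed sample data; replace with {h: fetch_cert(h) for h in hosts}.
    sample = {
        "payroll.example": {"notBefore": "Apr 10 00:00:00 2014 GMT"},
        "bank.example": {"notBefore": "Jan 15 00:00:00 2013 GMT"},
        "extranet.example": {},
    }
    for name, status in triage(sample).items():
        print(f"{name}: {status}")
```

A “reissued” result only confirms the issue date; it does not show that the old certificate was revoked or that passwords were reset.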

This link can be used to check whether a site is vulnerable: http://filippo.io/Heartbleed/. Unfortunately, scanning tools are not an absolute guarantee that a site is not vulnerable. When in doubt, contact your provider directly.

For more information on how to ensure you are protected, please reference this aggregated list of what we believe to be the most relevant information for our customer base. If you have any questions or need assistance in identifying whether or not this impacts you, please reach out to our support desk. We are here to assist with any questions you have.