Heartbleed Bug – Ensure You Are Protected
As many of you know, yesterday a widespread vulnerability in the OpenSSL library, nicknamed “Heartbleed”, was publicly disclosed. Soon after the information was released we tested and verified that our cloud portals were not affected by this potential threat. The Citrix interfaces used within the Zumasys hosted environment are not affected; the Citrix link below elaborates. Microsoft web servers (e.g. OWA, Outlook Web Access) are not affected; however, if a network device such as a load balancer or appliance sits in front of the web server, that device could be affected.
We recommend that all websites hosted by customers be tested for this vulnerability and that corrective action be taken immediately if it is found. Note that patching affected versions of OpenSSL is not enough by itself to end the exposure, because private keys and credentials may already have been read from memory before the patch: all SSL certificates related to affected systems must be revoked and reissued, and then any user passwords reset.
In addition to any websites you host, you should also request information from the other online services you use. Prioritize based on the sensitivity of the data: banking sites, payroll, other financial services (401k/tax), and so on. Any “web app” or “extranet” service your company uses needs to be verified. Any service that states it had to take corrective action can be independently verified with one of the tools below, and by checking whether its current SSL certificate has an “issued on” date of yesterday or today (4/9/14 – 4/10/14). It is very likely that such services would also have requested (or forced) their users to reset passwords after remediation.
This site can be used to check whether a site is vulnerable: http://filippo.io/Heartbleed/. Unfortunately, no scanning tool is an absolute guarantee that a site is not vulnerable. When in doubt, contact your provider directly.
For more information on how to ensure you are protected, please refer to the aggregated list below of what we believe to be the most relevant information for our customer base. If you have any questions or need assistance identifying whether this impacts you, please reach out to our support desk. We are here to assist with any questions you have.
- Main Heartbleed Info Website
- Additional Information
  http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug
  http://en.wikipedia.org/wiki/Heartbleed_bug
  http://www.npr.org/blogs/alltechconsidered/2014/04/09/301006236/what-to-do-now-that-the-heartbleed-bug-exposed-the-internet
  http://www.cnbc.com/id/101566638
  http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities
- Citrix
- VMware
- SANS Recap of Vendor Responses
- Testing Tools
- OpenSSL Version Info
  - OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  - OpenSSL 1.0.1g is NOT vulnerable
  - OpenSSL 1.0.0 branch is NOT vulnerable
  - OpenSSL 0.9.8 branch is NOT vulnerable
- Commonly Affected Operating Systems
  - Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  - Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  - CentOS 6.5, OpenSSL 1.0.1e-15
  - Fedora 18, OpenSSL 1.0.1e-4
  - OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  - FreeBSD 10.0 (OpenSSL 1.0.1e 11 Feb 2013)
  - NetBSD 5.0.2 (OpenSSL 1.0.1e)
  - OpenSUSE 12.2 (OpenSSL 1.0.1c)
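As an added example (not part of the original advisory), the two checks described above in Python: classifying an `openssl version` banner against the version ranges listed under OpenSSL Version Info, and checking whether a certificate's notBefore date, as printed by `openssl x509 -noout -startdate`, falls on or after the 4/9/14 reissue date cited above. The banners and date lines are constructed sample inputs, and the function names are my own.

```python
import re
import ssl
from datetime import datetime, timezone

# Earliest "issued on" date the advisory above treats as a post-Heartbleed reissue.
REISSUE_CUTOFF = datetime(2014, 4, 9, tzinfo=timezone.utc)
# 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g is the fixed release.
VULNERABLE_1_0_1_LETTERS = set("abcdef")

def parse_openssl_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.1e 11 Feb 2013'
    into (major, minor, fix, letter)."""
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter

def is_heartbleed_vulnerable(banner):
    """True for OpenSSL 1.0.1 through 1.0.1f; False for 1.0.1g and for the 1.0.0
    and 0.9.8 branches, which predate the TLS heartbeat extension.
    Caveat: distro packages often backport the fix without changing the banner
    (Debian Wheezy's 1.0.1e-based builds report 1.0.1e before and after the fix),
    so True means "check the package changelog", not "confirmed exposed"."""
    major, minor, fix, letter = parse_openssl_version(banner)
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter == "" or letter in VULNERABLE_1_0_1_LETTERS

def cert_reissued_after_disclosure(startdate_line, cutoff=REISSUE_CUTOFF):
    """Take the line printed by `openssl x509 -noout -startdate -in cert.pem`
    ('notBefore=Apr  9 12:00:00 2014 GMT') and report whether the certificate
    was issued on or after the cutoff, i.e. plausibly reissued after remediation."""
    value = startdate_line.split("=", 1)[1].strip()
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)
    return issued >= cutoff

if __name__ == "__main__":
    # Constructed sample inputs, not output captured from any real host.
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013"):
        print(banner, "->", "vulnerable" if is_heartbleed_vulnerable(banner) else "not vulnerable")
    for line in ("notBefore=Apr  9 12:00:00 2014 GMT", "notBefore=Mar  1 00:00:00 2013 GMT"):
        print(line, "->", "reissued" if cert_reissued_after_disclosure(line) else "pre-disclosure")
```

A certificate dated after the cutoff only shows that a new certificate was issued; confirming that the old one was revoked still requires checking the issuer's CRL or OCSP responder.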