A vulnerability CVE-2014-0160 which is known as Hearbleed Bug was released on 07 April 2014. The Heartbleed Bug is a serious vulnerability issue in the wildly used OpenSSL cryptographic software library. This issue allows stealing the information protected by SSL/TLS encryption used to secure the internet. This bug allows anyone on the internet to read the memory of the systems protected by vulnerable versions of Open SSL software. Hackers can view the sensitive information such as secret keys and passwords.
Is my server affected by this Bug?
Since Open SSL/TLS is widely used open source cryptographic software on the Internet, servers could have been compromised. This bug exposes systems to hackers who may view the information and their activity cannot have been identified.
Currently a tool has been available that allows users and systems administrators to check their websites or systems for vulnerability. If you are using Open SSL certificate, go to the Heartbleed test page and enter your website address or IP address and click Go button for vulnerability test. User can also find the source of this tool on GitHub. Please note that passing your website on the Heartbleed test page doesn’t mean your system is not vulnerable in another way. You have to recompile your software against new library.
What Versions of the OpenSSL are affected?
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
How to Protect My System?
We encourage all our customers to run software updates on their systems and recompile Open SSL software against vulnerable libraries. If you would like to know how to patch your systems and reissue certificates, please check our knowledge base.