OpenSSL 'Heartbleed' Vulnerability

As many of you are aware, a critical security vulnerability has been identified in the OpenSSL 1.0.1 through 1.0.1f releases. This is an industry-wide security issue, and it is very important to identify and resolve it as soon as possible.

Please find below the official release from the United States Computer Emergency Readiness Team:


Overview

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

Description

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability includes:

· Primary key material (secret keys)

· Secondary key material (user names and passwords used by vulnerable services)

· Protected content (sensitive data used by vulnerable services)

· Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#720951.
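The incorrect memory handling described above comes down to a missing bounds check in the heartbeat handler. As an added illustration (not code from the US-CERT note, OpenSSL, or Servosity's systems), the C function below shows that check: it rejects a heartbeat request whose declared payload length exceeds the bytes actually received, using constructed sample records. The RFC 6520 message layout is a stated fact; the hb_* names and the sample bytes are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS heartbeat message (RFC 6520): 1-byte type, 2-byte payload_length,
 * payload bytes, then at least 16 bytes of random padding. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Validate a heartbeat request carried in a record of record_len bytes and,
 * if it is well-formed, copy the payload a response would echo into out.
 * Returns the number of payload bytes copied, or -1 if the message is rejected.
 * The flawed releases trusted payload_length and copied that many bytes from
 * memory; the fix is to require the declared length to fit inside the record
 * that actually arrived. */
int hb_validate(const uint8_t *rec, size_t record_len, uint8_t *out, size_t out_cap) {
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (rec[0] != 1) return -1;                      /* 1 = heartbeat_request */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* Reject when the claimed length exceeds the data actually received. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > record_len) return -1;
    if (payload_len > out_cap) return -1;            /* never overrun our own buffer */
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* Constructed sample: a well-formed 4-byte "ping" request with 16 bytes of padding. */
int hb_demo_wellformed(void) {
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    memset(rec + HB_HEADER_LEN + 4, 0xAA, HB_MIN_PADDING);
    uint8_t out[64];
    return hb_validate(rec, sizeof rec, out, sizeof out);  /* returns 4 */
}

/* Constructed sample: the same 23 bytes on the wire, but the header claims
 * 0xFFFF payload bytes. The check above rejects it instead of reading past
 * the record into unrelated process memory. */
int hb_demo_overclaimed(void) {
    uint8_t rec[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
    memset(rec + HB_HEADER_LEN + 4, 0xAA, HB_MIN_PADDING);
    uint8_t out[64];
    return hb_validate(rec, sizeof rec, out, sizeof out);  /* returns -1 */
}

int main(void) {
    printf("well-formed request: %d payload bytes\n", hb_demo_wellformed());
    printf("over-claimed request: %d (rejected)\n", hb_demo_overclaimed());
    return 0;
}
```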


How does this impact your Servosity servers?

None of the servers for the Professional and Standard software are affected by this vulnerability: they run an earlier version of OpenSSL that does not contain the flaw. The Servosity web portal has also been checked for this vulnerability.