OpenSSL vulnerability – Heartbleed Bug statement

Posted on by Simona

You might think the Heartbleed bug is already history, but in recent days some of our customers have requested a public announcement due to the unprecedented media profile of this particular security vulnerability.

Whilst the media are (rightly, to an extent) making a lot of noise about this bug and its significance to the Internet population at large, the truth is we as sysadmins haven’t treated this security threat any differently to any other.

heartbleedThere are lots of important security vulnerabilities uncovered which have the potential to give an attacker full access to your server (arguably more serious than this case) – so we patch and workaround security vulnerabilities on an almost daily basis as part of our fully managed service. There is simply no reason or benefit to announce each and every one of these – our customers use our service to stay focused on their business rather than technical details like these.

Our expert technical team are always there in the background, performing server tune-ups to ensure that the configuration is optimal and secure at all times, so that you don’t have to.

If you somehow managed to miss the media coverage and the myriad of announcements and emails in your inbox about the Heartbleed bug, you can find more details regarding this vulnerability alert issued by the OpenSSL group on April 7, 2014: http://heartbleed.com/

Some of the services that we provide were using software vulnerable to this bug and therefore we have taken the necessary steps to address this:

Managed VPS, Cloud VPS, and Dedicated servers

These servers are based on CentOS Enterprise Linux, which uses Red Hat Enterprise Linux as its upstream. The vulnerability was introduced to Red Hat / CentOS in version 6.5 released in December 2013. Consequently new servers provisioned after this date were vulnerable to Heartbleed.

Our engineering team installed a number of critical security updates and regular updates (including RHSA-2014:0376-1, CVE-2014-0160) on all affected servers during an emergency maintenance window at the beginning of last week.

The emergency maintenance was completed successfully without incident.

Jelastic PaaS

Jelastic servers are based on CentOS 5 which was not affected by Heartbleed. CentOS 5 has long-term support for an older version of OpenSSL (0.9.8e) with selected and carefully tested patches backdated to the older version from newer versions of OpenSSL and the patches did not include the vulnerable code.

SSL certificates

If your services were affected by this bug, it is recommended to reissue your SSL certificates using a new key. If your SSL certificate was purchased via Layershift, we will be happy to assist you with this process, please contact us via www.layershift.com/support