Call us: 0300 131 9609

Trustpilot

/ News / Heartbleed bug in OpenSSL made public

Blog

Heartbleed bug in OpenSSL made public

April 8, 2014/ Nick / News

*******

UPDATE  10th April 2014

We are aiming to have all managed and shared customers secured by the end of business today. We have seen issues with Litespeed needing a separate fix, this is now resolved

*******

Administrators should patch a severe flaw in a software library used by millions of websites to encrypt sensitive communications.

The flaw, called “Heartbleed,” is contained in several versions of OpenSSL. Most websites use either SSL or TLS.

The flaw, which was introduced in December 2011, has been fixed in OpenSSL 1.0.1g, which was released on Monday.

The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8, according to a special website set up by researchers who found the problem.

If exploited, the flaw could allow attackers to monitor all information passed between a user and a Web service or even decrypt past traffic they’ve collected.

“This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” the researchers wrote.

The bug was discovered by three researchers from Codenomicon, a computer security company, and Neel Mehta, who works on security for Google.

Operating systems that may have a vulnerable version of OpenSSL include Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2, they wrote.

OpenSSL also underpins two of the most widely used Web servers, Apache and nginx. The code library is also used to protect email servers, chat servers, virtual private networks and other networking appliances, they wrote.

The problem, CVE-2014-0160, is a missing bounds check in the handling of the TLS heartbeat extension, which can then be used to view 64K of memory on a connected server, according to another advisory.

It allows attackers to obtain the private keys used to encrypt traffic. With those keys, it is also possible for attackers to decrypt traffic they’ve collected in the past.

Attacks using the flaw “leaves no traces of anything abnormal happening to the logs,” .

Also see http://heartbleed.com/

Simple Servers administrators are actively applying this patch on shared and managed servers as a priority.

Author: Nick

Follow Nick on

More articles by

Related posts

Adobe to acquire Magento for $1.68B

Adobe to acquire Magento for $1.68B   Adobe announced today that it was acquiring Magento for $1.68 billion. The purchase gives Adobe a missing e-commerce platform piece that works...

New Year – New Opportunities

With the festive season firmly behind us and a very busy run up to Christmas it’s now time to look forward to an exciting new era at Simple Servers. We are...

Comments are currently closed.

top