it.ucsf.edu

Security Update: Critical OpenSSL Vulnerability, Heartbleed

Status Type: Security Update

Date and Time: Tuesday, April 8, 2014 - 16:58

Reason: Security Update

Impact: OpenSSL 1.0.1 through 1.0.1f users

WHAT HAPPENED?

OpenSSL announced the release of 1.0.1g, which repairs a critical vulnerability, known as Heartbleed, in OpenSSL 1.0.1.

Advanced Users: For a complete description of the vulnerability, visit The Heartbleed Blog at http://heartbleed.com/.


AFFECTED VERSIONS:

  • OpenSSL 1.0.1 through 1.0.1f


WHAT'S THE PROBLEM?

By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension. This may allow an attacker to decrypt traffic or perform other attacks.


WHAT TO DO TO FIX THE ISSUE

1. Affected users should upgrade to OpenSSL 1.0.1g.

2. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

3. Rekey your SSL certificate:

a. Generate a new CSR

b. Submit a ServiceNow ticket with the following fields:

App/Business Service = SSL Certificates
Symptom = Add/Install/Update
Short Description = Rekey SSL for (insert certificate name)
Description = Paste new CSR
Assignment Group = ITS_SP_Incident_Response


c. IT Security will update your current SSL certificate with the new keys.

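As an added example (not part of the UCSF advisory and not OpenSSL's own tooling), the POSIX shell script below turns the three actions above into checks and commands: it classifies the output of `openssl version` against the affected range 1.0.1 through 1.0.1f, checks the compiler line from `openssl version -f` for the -DOPENSSL_NO_HEARTBEATS workaround from step 2, and generates the fresh private key and CSR that step 3a calls for. The certificate name, the key and CSR file names, and the subject DN are placeholders.

```shell
#!/bin/sh
# Added example, not part of the UCSF advisory or of OpenSSL's own tooling.
# Maps the advisory's actions onto checks and commands:
#   - is the local build in the affected range 1.0.1 .. 1.0.1f?
#   - was it rebuilt with -DOPENSSL_NO_HEARTBEATS (step-2 workaround)?
#   - generate the NEW key and CSR that the rekey step (3a) asks for.
# Certificate name, file names and subject DN below are placeholders.

# $1 = the line printed by `openssl version`, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
# Returns 0 (true) when the version is 1.0.1 through 1.0.1f, 1 otherwise.
heartbleed_affected() {
    ver=${1#OpenSSL }      # drop the leading product name
    ver=${ver%% *}         # keep only the version token
    case "$ver" in
        1.0.1)      return 0 ;;   # the unlettered 1.0.1 release
        1.0.1[a-f]) return 0 ;;   # 1.0.1a .. 1.0.1f
        *)          return 1 ;;   # 1.0.1g and later, other branches, non-OpenSSL
    esac
}

# $1 = the compiler line printed by `openssl version -f`, which lists the
# flags the library was built with. Returns 0 when heartbeats were compiled
# out, i.e. the step-2 workaround is in place.
heartbeats_compiled_out() {
    case "$1" in
        *OPENSSL_NO_HEARTBEATS*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Step 3a: a fresh 2048-bit RSA key plus a CSR for it. Generating a new key
# is the point of rekeying; reusing the old key would keep a possibly exposed
# key in service. $1 = certificate name (placeholder), $2 = subject DN such
# as "/C=US/ST=CA/O=Example/CN=www.example.edu" (placeholder).
generate_rekey_csr() {
    name=$1
    subject=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$name.key" -out "$name.csr" -subj "$subject" \
    && chmod 600 "$name.key"
}

# Stand-alone use: report on the local build. Skipped if openssl is absent.
if command -v openssl >/dev/null 2>&1; then
    current=$(openssl version)
    if heartbleed_affected "$current"; then
        echo "AFFECTED: $current -- upgrade to 1.0.1g, then rekey (step 3)"
        if heartbeats_compiled_out "$(openssl version -f)"; then
            echo "  (heartbeats compiled out; step-2 workaround is present)"
        fi
    else
        echo "not in the affected range: $current"
    fi
fi
```

The version check is a first pass only: vendor packages that backport the fix keep the upstream version string (a patched 1.0.1e package still reports 1.0.1e), and a string with a vendor suffix such as "1.0.1f-fips" is not parsed here, so confirm against your distribution's package changelog before treating a host as fixed. Once the CSR exists, its contents go into the Description field of the ticket described in step 3b, and the new key file stays on the server.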

RELATED LINKS