Security Update: Critical OpenSSL Vulnerability, Heartbleed
OpenSSL announced the release of 1.0.1g, which repairs a critical vulnerability, known as Heartbleed, in OpenSSL 1.0.1.
Advanced Users: For a complete description of the vulnerability visit The Heartbleed Blog at http://heartbleed.com/.
AFFECTED VERSIONS
- OpenSSL 1.0.1 through 1.0.1f
WHAT'S THE PROBLEM?
By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension. This may allow an attacker to decrypt traffic or perform other attacks.
WHAT TO DO TO FIX THE ISSUE
1. Affected users should upgrade to OpenSSL 1.0.1g.
2. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
3. Rekey your SSL certificate:
a. Generate a new CSR
- Visit Comodo’s Knowledgebase on CSR Generation at https://support.comodo.com/index.php?_m=knowledgebase&_a=view&parentcategoryid=33
b. Submit a ServiceNow ticket with the following fields:
   App/Business Service = SSL Certificates
   Symptom = Add/Install/Update
   Short Description = Rekey SSL for (insert certificate name)
   Description = Paste new CSR
   Assignment Group = ITS_SP_Incident_Response
c. IT Security will update your current SSL with the new keys.
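The fix steps above, as an added shell example that is not part of the advisory: a triage of the string printed by `openssl version` against the affected range, plus the key and CSR generation for step 3a. The function names, output labels, file names and subject string are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the ITS advisory): classify the output of
# `openssl version` against the affected range, OpenSSL 1.0.1 through
# 1.0.1f, then prepare the key pair and CSR that the rekey ticket asks for.
#
# Prints one of: vulnerable | fixed | outside-affected-range
# Returns 0 only for "vulnerable" so it can drive an if/then in scripts.
heartbleed_version_check() {
    ver=${1#OpenSSL }      # "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e 11 Feb 2013"
    ver=${ver%% *}         #                               -> "1.0.1e"
    case "$ver" in
        1.0.1|1.0.1[a-f]*)   # vendor suffixes such as 1.0.1e-fips are tolerated
            echo vulnerable; return 0 ;;
        1.0.1[g-z]*)
            echo fixed; return 1 ;;
        *)
            echo outside-affected-range; return 1 ;;
    esac
}
# Caveat: Linux distributions backport the fix without bumping the version
# string, so a "vulnerable" verdict for a vendor package must be confirmed
# against that package's changelog or security advisory before acting on it.

# Step 3a of the advisory: a fresh 2048-bit RSA key and a CSR to paste into
# the ServiceNow ticket. Both arguments are placeholders chosen by the caller;
# the private key stays on the host, only the .csr contents are submitted.
rekey_csr() {
    name=$1          # file basename, e.g. www-example
    subject=$2       # e.g. "/C=US/O=Example University/CN=www.example.edu"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "$subject" -keyout "$name.key" -out "$name.csr" \
    && chmod 600 "$name.key"
}

# Stand-alone use: classify the locally installed OpenSSL, if any.
if command -v openssl >/dev/null 2>&1; then
    printf '%s -> ' "$(openssl version)"
    heartbleed_version_check "$(openssl version)" || :
fi
# rekey_csr www-example "/C=US/O=Example University/CN=www.example.edu"
```

Run the version check on every host that terminates TLS, not only web servers; mail, VPN and LDAP services link the same library.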
MORE INFORMATION
- OpenSSL heartbeat information disclosure (CERT VU#720951) at http://www.kb.cert.org/vuls/id/720951
- ITS Security & Policy at /security