On Monday evening, a security firm announced a new vulnerability in a key internet technology that can result in the disclosure of user passwords. The vulnerability is widespread and affects more than two-thirds of the web servers on the planet, including top-tier sites like Yahoo and Amazon. If you have a secure (https) website hosted on a Linux/Unix server running Apache, Nginx, or any other service built on OpenSSL, you are likely vulnerable.
For a detailed breakdown of this vulnerability, please see this site. This security vulnerability may affect up to two-thirds of all web servers. We urge you to assess your vulnerability immediately, and reach out for help.
How can I get help to fix this problem?
- Contact The Nerdery
- Contact your hosting provider
How can I see if my servers are vulnerable?
You can use this site to test your domains for the vulnerability. Enter the domain of your HTTPS website; a red (positive) result means you are vulnerable.
In addition, you can run the following command on your servers to see whether they are running a vulnerable version of OpenSSL: openssl version -a
If the version returned is 1.0.1 and its build date is before April 7th, 2014, you are vulnerable. Distributions ship the fix as a patched build of the same version number rather than as a new release, which is why the build date matters and not just the version letter.
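The following POSIX shell script is an added example (my own, not from the original post or from the OpenSSL project) that applies the rule above to the output of openssl version -a. It parses the version token on the first line and the date on the "built on:" line (falling back to the release date on the first line when no "built on:" line is present), then reports one of four statuses: vulnerable (1.0.1 built before April 7th, 2014), patched-build (1.0.1 built on or after that date, i.e. a distribution back-port), not-affected (1.0.1g or later, or another branch), or unknown (unparseable output or no openssl binary). The function and status names are my own.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output with the post's rule.
# Version 1.0.1 built before 7 April 2014 -> vulnerable; 1.0.1 built on or
# after that date -> patched-build; 1.0.1g+ or other branches -> not-affected.

# Month abbreviation -> two-digit number; prints nothing for unknown input.
month_num() {
  case "$1" in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
  esac
}

# Version token from the first line, e.g. "1.0.1e" or "1.0.1e-fips".
openssl_version() {
  printf '%s\n' "$1" | head -n 1 | awk '$1 == "OpenSSL" { print $2 }'
}

# Build date as YYYYMMDD, taken from "built on: Mon Apr  7 20:33:29 UTC 2014";
# falls back to the release date on the first line ("OpenSSL 1.0.1e 11 Feb 2013").
# Prints nothing when no date can be parsed; always returns 0.
build_date() {
  line=$(printf '%s\n' "$1" | grep '^built on:' | head -n 1)
  if [ -n "$line" ]; then
    set -- $line            # built on: Mon Apr 7 20:33:29 UTC 2014
    mon=$4; day=$5
    eval "year=\${$#}"      # the year is always the last field
  else
    set -- $(printf '%s\n' "$1" | head -n 1)   # OpenSSL 1.0.1e 11 Feb 2013
    day=$3; mon=$4; year=$5
  fi
  m=$(month_num "$mon")
  case "$day" in [0-9]|[0-3][0-9]) ;; *) return 0;; esac
  case "$year" in [0-9][0-9][0-9][0-9]) ;; *) return 0;; esac
  if [ -n "$m" ]; then
    printf '%s%s%02d\n' "$year" "$m" "${day#0}"   # strip a leading zero so printf does not read it as octal
  fi
  return 0
}

# Apply the rule from the post to one `openssl version -a` output.
heartbleed_status() {
  ver=$(openssl_version "$1")
  bdate=$(build_date "$1")
  case "$ver" in
    "") echo unknown;;                       # not OpenSSL output at all
    1.0.1g*|1.0.1[h-z]*) echo not-affected;; # 1.0.1g is the fixed release
    1.0.1*)
      if [ -z "$bdate" ]; then echo unknown
      elif [ "$bdate" -lt 20140407 ]; then echo vulnerable
      else echo patched-build              # same version letter, back-ported fix
      fi;;
    *) echo not-affected;;                 # other branches are outside the post's rule
  esac
}

# Report on the local OpenSSL when the script is run directly
# (prints "unknown" if there is no openssl binary on the PATH).
echo "local openssl: $(heartbleed_status "$(openssl version -a 2>/dev/null || true)")"
```

The script only inspects the OpenSSL binary on disk. A long-running service that was started before the upgrade still has the old library mapped in memory, so a result of patched-build or not-affected is meaningful only after the services using SSL have been restarted; re-check the domain with the online test afterwards as well.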
How can I fix it if I am vulnerable?
You will need to obtain a patched version of OpenSSL and install it on every vulnerable server. Updated packages should be available for Debian, RedHat, Ubuntu, and CentOS through their package managers. If no package is available for your platform, you can rebuild the OpenSSL package (version 1.0.1g) with the NO_HEARTBEAT flag, which disables the heartbeat extension and with it this vulnerability. After updating, restart every service that uses SSL (a running process keeps the old library loaded until it is restarted) and re-test your domain using the link above (http://filippo.io/Heartbleed/).
For information on your specific Linux distribution see:
- Debian: https://www.debian.org/security/2014/dsa-2896
- Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
- RedHat: https://access.redhat.com/site/announcements/781953
- CentOS: http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
Additionally, you should strongly consider changing passwords and/or reissuing SSL certificates with new private keys, but only after OpenSSL has been updated: credentials and keys reset on a still-vulnerable server can simply be leaked again.
What is the vulnerability?
With the vulnerability, called Heartbleed, attackers can obtain sensitive information from servers running certain versions of OpenSSL. Examples of sensitive information include the private keys of SSL certificates, usernames and passwords, SSH private keys on those servers, and more. Attackers who obtain the private key of your SSL certificate can then mount a man-in-the-middle attack between you and your customers and intercept protected information such as credit card numbers and authentication credentials. The vulnerability was publicly disclosed Monday, 4/7/2014.
If you have any questions, please contact us, or ping your own go-to Nerdery contact right away. We’ll help analyze your risk and protect your data. If The Nerdery can be a resource to you in any way, we will.