As you may be aware, a vulnerability was disclosed in the popular OpenSSL library that allows a remote attacker to read memory directly from an affected server, potentially compromising cryptographic keys, passwords and other sensitive information.
This has been widely covered in the news over the last few days and is serious enough that even after patching the affected software, customers may need to take additional steps to ensure the security of their data.
For additional information please see http://www.heartbleed.com
- Who is affected?
This bug affects OpenSSL's implementation of the TLS heartbeat extension. It was introduced in OpenSSL 1.0.1, released on 14 March 2012, and is fixed in version 1.0.1g, released on 7 April 2014.
Vulnerability status by OpenSSL version:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Both Linux and Windows releases of OpenSSL are affected.
Only users who compiled OpenSSL themselves with the -DOPENSSL_NO_HEARTBEATS flag (which removes the heartbeat code entirely) were not vulnerable, even when running one of the affected versions above. This is not the default build configuration, so assume it does not apply unless you know it was set.
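To turn the version table above into something you can run on a host, here is an added example (written for this page, not Go2Cloud's own tooling). It classifies the `openssl version` string exactly as the table does, and then makes two further checks that the version string alone cannot: whether the distribution's package changelog records the fix (assumption: Debian, Ubuntu and Red Hat all backported the patch without changing the upstream version string, and their changelog entries cite CVE-2014-0160; the changelog paths and package names used are assumptions), and whether the binary reports -DOPENSSL_NO_HEARTBEATS among its build flags (assumption: `openssl version -f` echoes the compiler flags the build used).

```shell
#!/bin/sh
# Added example; not Go2Cloud's own tooling.
# Classifies an `openssl version` string against the advisory's table, then
# runs two local checks that matter because distributions backport fixes
# without bumping the upstream version string: "vulnerable" from the version
# string alone means "check the package changelog", not "exploitable".

# Print one word: vulnerable, not-vulnerable or unknown.
# $1: output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo vulnerable ;;      # 1.0.1 through 1.0.1f
        1.0.1[g-z]*)      echo not-vulnerable ;;  # 1.0.1g and later 1.0.1 releases
        1.0.0*|0.9.8*)    echo not-vulnerable ;;  # branches without the heartbeat code
        *)                echo unknown ;;         # unparsable, or not covered by this advisory
    esac
}

# Return 0 if the distribution's package changelog records the fix.
# Assumed locations: rpm changelog on Red Hat derivatives, the Debian
# changelog of the openssl or libssl1.0.0 package on Debian/Ubuntu.
distro_changelog_has_fix() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl 2>/dev/null | grep -q CVE-2014-0160 && return 0
    fi
    for log in /usr/share/doc/openssl/changelog.Debian.gz \
               /usr/share/doc/libssl1.0.0/changelog.Debian.gz; do
        if [ -r "$log" ]; then
            zcat "$log" 2>/dev/null | grep -q CVE-2014-0160 && return 0
        fi
    done
    return 1
}

# Return 0 if the local binary was built with -DOPENSSL_NO_HEARTBEATS.
# Assumption: `openssl version -f` prints the compiler flags of the build.
built_without_heartbeats() {
    openssl version -f 2>/dev/null | grep -q OPENSSL_NO_HEARTBEATS
}

# Report on the locally installed OpenSSL, if there is one.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    printf '%s -> %s\n' "$v" "$(heartbleed_version_status "$v")"
    if built_without_heartbeats; then
        echo "Built with OPENSSL_NO_HEARTBEATS: heartbeat code compiled out"
    fi
    if distro_changelog_has_fix; then
        echo "Package changelog cites CVE-2014-0160: distribution backport is installed"
    fi
fi
```

A host that prints "vulnerable" but whose changelog cites CVE-2014-0160 is patched (the string did not change); a host that prints "vulnerable" with no changelog match needs the update.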
- What steps must I take to fix this?
Updating OpenSSL to a fixed version prevents installations being exploited in this manner. Linux users should install their distribution's latest security updates, as all major distributions have now shipped the fix. Note that upgrading the library package does not fix services that are already running with the old copy loaded: restart (or reboot) everything that links OpenSSL, such as web, mail and VPN servers.
However, this is a very serious leak, and if you have been vulnerable you should assume that an attacker may have obtained sensitive information including passwords and private keys. The attack leaves no trace in normal server logs, so it is not possible to determine after the fact whether you were targeted.
Attacks are not limited to data owned or used by the OpenSSL library itself: anything in the memory of the affected process, including session data, user data and administrative credentials, may have been exposed.
Once patched, it is recommended to generate new private keys, reissue the SSL certificates that were in use on vulnerable versions of the software, revoke the old certificates, and change all user and administrator passwords. Depending on your applications, you may wish to rotate other sensitive data as well, such as session tokens and API keys.
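The restart and key-rotation steps above, as an added example (written for this page, not Go2Cloud's procedure): a POSIX shell script that lists processes still mapping a libssl or libcrypto file that has been replaced on disk (these are still running the old code and must be restarted; Linux /proc is assumed), and that generates a fresh private key and CSR with the openssl command line so the certificate can be reissued on a key the vulnerable library never held. The host name, output directory and 2048-bit RSA choice are placeholders.

```shell
#!/bin/sh
# Added example; not Go2Cloud's own procedure. Run as root after upgrading
# the OpenSSL packages. Assumes Linux (/proc) and an openssl binary on PATH.

# Return 0 if a line from /proc/PID/maps refers to a libssl or libcrypto
# file that was replaced on disk after the process mapped it. The kernel
# marks such mappings "(deleted)".
maps_line_is_stale_ssl() {
    case "$1" in
        *libssl.so*"(deleted)"|*libcrypto.so*"(deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# Print "PID command" for every process that still maps a replaced library.
# Unreadable maps files (other users' processes, when not root) are skipped.
stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        cat "$maps" 2>/dev/null | while IFS= read -r line; do
            if maps_line_is_stale_ssl "$line"; then
                printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
                break
            fi
        done
    done
    return 0
}

# Generate a NEW private key and a CSR for reissue. Never reuse the old key:
# it may have been read out of the vulnerable process's memory.
# $1: host name for the certificate subject; $2: output directory.
rotate_key_and_csr() {
    host=$1
    dir=$2
    (
        umask 077   # key file readable by its owner only
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/$host.key"
        openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
            -out "$dir/$host.csr"
    )
    echo "$dir/$host.csr"
}

# Usage: ./heartbleed_post_patch.sh example.com /etc/ssl/private
if [ -d /proc/1 ]; then
    echo "Processes still using a replaced libssl/libcrypto (restart these):"
    stale_ssl_processes
fi
if [ $# -eq 2 ] && command -v openssl >/dev/null 2>&1; then
    rotate_key_and_csr "$1" "$2"
fi
```

Submit the printed CSR to your CA, install the reissued certificate, and only then revoke the old one, so that the service is never left without a valid certificate.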
- What steps do I need to take to protect my data? Is Go2Cloud affected by this?
We have determined that Go2Cloud's infrastructure was not using a vulnerable version of OpenSSL, and we will NOT be revoking our certificates or forcing users to change their passwords or API keys.
However, any user of a site that was vulnerable to the Heartbleed bug should consider their data on that site potentially compromised and change all passwords and keys in use there once the site has been patched.
If your Go2Cloud account shares a password with another site, or your API key is stored on a server that may have been affected, you should change these immediately. All passwords can be changed and API keys regenerated from the 'Profile' page of your account.
Security advisory: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)