Critical Security Notice for OpenSSL Heartbleed Vulnerability
To All Users,
The US Computer Emergency Readiness Team (US-CERT) have issued warnings on the vulnerability that found in OpenSSL versions 1.0.1 through 1.0.1f, and version 1.0.2-beta including version 1.0.2-beta1.
Original release date
8 April 2014
Description
This vulnerability allows remote hackers to retrieve sensitive information without authentication through incorrect memory handling in the TLS heartbeat extension. User authentication credentials and secret keys may then be disclosed to hackers.
The sensitive information that may be retrieved using this vulnerability include:
- Primary key material (secret keys)
- Secondary key material (user names and passwords used by vulnerable services)
- Protected content (sensitive data used by vulnerable services)
- Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)
Systems Affected
- OpenSSL 1.0.1 through 1.0.1f
- OpenSSL 1.0.2-beta (including 1.0.2-beta1)
Solution
Step 1: You can check if your web server is affected by this vulnerability through https://www.ssllabs.com/ssltest/. A warning as show below will be displayed if the webserver is affected:
Step 2: OpenSSL has released the latest patches to address this vulnerability, you can download the patched update fromhttps://www.openssl.org/source/.
- For OpenSSL version 1.0.1 (including 1.0.1f): Update to version 1.0.1g
- For OpenSSL version 1.0.2-beta (including 1.0.2-beta1) : To be fixed in version 1.0.2-beta2. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS .
- Details: https://www.openssl.org/news/secadv/20140407.txt
Step 3: Any keys generated with a vulnerable version of OpenSSL should be considered compromised, they should be regenerated and deployed after the patch has been applied.
References
Thank you for your attention. For further inquiries, please feel free to contact our Help Desk (Ext. 8600, Email: @).
Information and Communication Technology Office