

'Heartbleed' openssl bug (private keys at risk)

Posted: Tue, 8 Apr 2014 21:58 UTC (Tue, 8 Apr 2014 17:58 EDT)
Last update: Wed, 16 Apr 2014 11:31 UTC (Wed, 16 Apr 2014 07:31 EDT)
Status: Closed

Update @UTC 2014-04-15 0326: we ran a scan on IPs in our network and will be emailing customers who appear to be currently affected.

Heartbleed Bug CVE-2014-0160

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
CVE-2014-0160 (Common Vulnerabilities and Exposures) is the official reference to this bug.

It can result in private keys (e.g. SSL keys) being exposed.

Further reading

http://heartbleed.com/

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

Distro specific information

Debian: https://security-tracker.debian.org/tracker/CVE-2014-0160 (versions prior to Debian 7 Wheezy are unaffected)

CentOS: http://lists.centos.org/pipermail/centos-announce/2014-April/020248.html (all versions prior to 6.5 are unaffected)

Ubuntu: http://askubuntu.com/questions/444702/how-to-patch-cve-2014-0160-in-openssl (all versions prior to 12.04 are unaffected)

What versions of OpenSSL are affected?
Status of different versions:
• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
• OpenSSL 1.0.1g is NOT vulnerable (this is the bug fix released 7th of April 2014)
• OpenSSL 1.0.0 branch is NOT vulnerable
• OpenSSL 0.9.8 branch is NOT vulnerable

The bug was introduced into OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.

This means the bug has been out in the wild for over 2 years but is only now becoming widely known, and all clients and servers need to be tested.

Version checking

Online checking site here: http://filippo.io/Heartbleed

To see which openssl version you are using, run the command:
openssl version

Note that the version output is not always a good way to test: distros backport the fix, and the backported fix will often not change the reported version number or version date.

Instead, check the package version you are running with a command like: dpkg -l | grep openssl

For a completely accurate test, use the command line tool here:
https://github.com/FiloSottile/Heartbleed
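As an added example (not part of this notice), the following script classifies an OpenSSL version string against the affected range listed above and then looks for the CVE in the distro package changelog, because a backported fix can leave "openssl version" reporting a vulnerable-looking 1.0.1e. The function names and the sample changelog text are constructed for this example.

```shell
#!/bin/sh
# Added example: decide whether a host is still exposed to CVE-2014-0160 using
# (1) the upstream version string and (2) the distro package changelog, since
# distros backport the fix without bumping the version "openssl version" prints.

# upstream_vulnerable VERSION -> exit 0 if VERSION is 1.0.1 through 1.0.1f
upstream_vulnerable() {
    case "$1" in
        1.0.1|1.0.1-*)          return 0 ;;   # bare 1.0.1 release (e.g. "1.0.1-fips")
        1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # 1.0.1a .. 1.0.1f, with or without "-fips"
        *)                      return 1 ;;   # 1.0.1g and later, 1.0.0, 0.9.8, 1.0.2 ...
    esac
}

# backport_present CHANGELOG_TEXT -> exit 0 if the changelog mentions the CVE
backport_present() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# classify VERSION CHANGELOG_TEXT -> prints VULNERABLE, PATCHED-BACKPORT or NOT-AFFECTED
classify() {
    if upstream_vulnerable "$1"; then
        if backport_present "$2"; then
            echo "PATCHED-BACKPORT"
        else
            echo "VULNERABLE"
        fi
    else
        echo "NOT-AFFECTED"
    fi
}

# On a live host you would feed it real data, for example:
#   v=$(openssl version | awk '{print $2}')
#   log=$(zcat /usr/share/doc/openssl/changelog.Debian.gz 2>/dev/null \
#         || rpm -q --changelog openssl 2>/dev/null)
#   classify "$v" "$log"
# Constructed sample inputs so the example runs offline:
patched_log="openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
  * Fix CVE-2014-0160: TLS heartbeat read overrun"
classify "1.0.1e" "$patched_log"   # PATCHED-BACKPORT (version unchanged, fix backported)
classify "1.0.1e" ""               # VULNERABLE
classify "1.0.1g" ""               # NOT-AFFECTED
classify "0.9.8y" ""               # NOT-AFFECTED
```

A PATCHED-BACKPORT result still requires that every service using the library has been restarted (or the box rebooted), as the patching section below explains.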

Patching the bug

In most cases you can fix the issue by just upgrading to your distro's latest package version:
apt-get update && apt-get install openssl libssl1.*
or: yum upgrade openssl

Even better, run yum upgrade or apt-get update && apt-get upgrade to get all of your distro packages up to date.

Restart applications that may be using OpenSSL, e.g. Apache, email servers, etc. A process that loaded the old library keeps using it until restarted. Better still, reboot your server.

Alternatively, lodge a ticket and request that we check and patch your server.

This week (while we are busy with a number of fixes) there is a one-off USD 10 service fee per dedicated or virtual server, charged only if the server is found to have the OpenSSL vulnerability, in which case we will take the following action:

1. Update OpenSSL to your distro's latest version (plus any other packages required for the upgrade to complete).
2. Reboot the server to load the new OpenSSL version.

Please subscribe to this notice. We will update it with more information as it comes to hand, hopefully including tips and tricks (aka scripts) to ease problem identification and OpenSSL upgrades.
