Earlier this week, security researchers announced a vulnerability (known as “Heartbleed Bug”) in OpenSSL, a widely-used opensource cryptographic software library. It can allow attackers to read the memory of the systems using vulnerable versions of OpenSSL library (1.0.1 through 1.0.1f). This may disclose the secret keys of vulnerable servers, which allows attackers to decrypt and eavesdrop on SSL encrypted communications and impersonate service providers. In addition, other data in memory may be disclosed, which could include usernames and passwords of users or other data stored in server memory.
To be clear, this is a vulnerability of the OpenSSL library, and not a flaw with SSL/TLS, nor certificates issued by Symantec or GeoTrust.
Here are steps to fix this bug:
- Identify if your web servers are vulnerable (running OpenSSL versions 1.0.1 through 1.0.1f with heartbeat extension enabled). If you’re running a version of OpenSSL prior to 1.0.1, no further action is required.
- If your server is impacted, update to the latest patched version of OpenSSL (1.0.1g).
- Generate a new Certificate Signing Request (CSR).
- Reissue any SSL certificates for affected web servers using the new CSR (do this after moving to a patched version of OpenSSL).
- Install the new SSL certificate.
- Website administrators should also consider resetting end-user passwords that may have been visible in a compromised server memory.
Hope you will save in this storm.