This week a serious vulnerability in the OpenSSL cryptographic software library was discovered. This weakness, dubbed The Heartbleed Bug, allows a remote attacker to access system memory which may contain encryption keys, user credentials or other sensitive information.
OpenSSL provides communication security and privacy over the Internet for many applications, including web, email, instant messaging (IM) and some virtual private networks (VPNs).
Vendors are currently releasing patches to address this vulnerability. Please consult with your vendor and patch immediately.
In high-risk areas (i.e. dealing with protected/regulated data) consider replacement of both keys and certificates. Some Certificate Authorities may charge a fee to issue a new certificate.
What is the risk?
This bug can leave large amounts of sensitive data exposed to attackers. Exploitation of the Heartbleed bug leaves no trace, and thus requires us to take this exposure seriously.
In a worst-case scenario, leaked encryption keys allow an attacker to decrypt traffic, both current and past, to the protected services. An attacker may also impersonate the service at will.
If you require any assistance, please contact firstname.lastname@example.org.