What is Heartbleed?
This vulnerability takes advantage of a memory configuration within the ever-popular OpenSSL software library. The TLS heartbeat extension (RFC 6520) on an exploited version of OpenSSL allows an attacker to view up to 64k of what is in memory with each “heartbeat.” Thus, a multitude of information can be obtained unnoticed. It is important to note that this exploit is found in OpenSSL's implementation of SSL/TLS, not within the TLS protocol itself.
Why is this important?
SSL/TLS is the cornerstone of the Internet's means of encrypted transmission of data. We rely on websites to implement proper security measures when working with private information, e.g. bank accounts, medical records, social security numbers, and so on. OpenSSL is a widely used set of libraries that provides cryptographic services to many of these web servers. What makes this particular exploit interesting and very dangerous is that:
Whom does this affect?
So far, any company that provides services using non-patched OpenSSL to encrypt data can be vulnerable if proper measures of updating are not followed. Examples of this might include:
What is at stake?
How does this affect Green House Data's services?
We are actively pursuing efforts to mitigate any presence of vulnerable systems within Green House Data's cloud infrastructure. From what we have seen so far, these efforts are primarily focused on systems using OpenSSL to encrypt TLS connections. Green House Data provides service and customer portals that use SSL and have taken the necessary actions to secure our systems.
Those who take advantage of our managed services will be automatically patched during the regular patching cycle. We also provide proactive scanning of clients' systems for vulnerabilities and will notify if and when issues are found. We consider data security and integrity a high priority with every service we provide.
What steps can be taken to fix this?
References and Further Reading
To test your server against the bug:
Posted by: Systems Administrator Alex Kirby