Heartbleed OpenSSL vulnerability – What is known and what should be done

This blog entry will attempt to offer some current information (and a little background) on the OpenSSL Heartbleed vulnerability that became known to the public late in the day on April 7.

Initial announcement – At approximately 5 p.m. Pacific time on Monday, April 7, a vulnerability was identified in versions 1.0.1 through 1.0.1f of the open source Secure Sockets Layer library known as OpenSSL. The vulnerability affected approximately 66 percent of the webservers in operation (predominantly Apache and nginx). An updated version (version 1.0.1g) was released on April 7 addressing the vulnerability. The vulnerability is officially tracked as CVE-2014-0160.

TA14-098A: OpenSSL ‘Heartbleed’ vulnerability (CVE-2014-0160)

As the vulnerability had been present in a large number of previous versions of OpenSSL, it had been potentially exploitable for almost 2 years. In addition to potentially exposing user logon IDs and passwords, SSL private encryption keys could have been obtained by unauthorized individuals.

Due to the widespread deployment of the open source libraries, the condition will require large-scale remediation efforts on the part of system administrators. Following the application of the updated version of OpenSSL, system administrators might need to revoke existing Secure Sockets Layer site certificates and have new ones reissued and installed. Following that, users of these systems should update their logon ID passwords.
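The first remediation step is finding which hosts still run an affected build. The following is an added example, not code from this post, that classifies `openssl version` output against the 1.0.1 through 1.0.1f range named above; the host inventory is constructed sample data. One caveat: some Linux distributions backport the fix without changing the reported version, so a "vulnerable" result here means the host needs a closer look at its package changelog, not that it is confirmed exposed.

```python
import re

# Affected upstream range per the post: 1.0.1 through 1.0.1f; 1.0.1g is the fix.
# Other branches (1.0.0, 0.9.8) are not in that range and are not flagged here.
VULNERABLE_BRANCH = (1, 0, 1)
FIXED_LETTER = "g"

# Leading version token, e.g. "1.0.1e" from "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """Parse `openssl version` output into ((major, minor, patch), letter)."""
    text = text.strip()
    if text.startswith("OpenSSL "):
        text = text[len("OpenSSL "):]
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    branch = (int(match.group(1)), int(match.group(2)), int(match.group(3)))
    return branch, match.group(4)


def is_heartbleed_version(text):
    """True if the reported version lies in 1.0.1 .. 1.0.1f (CVE-2014-0160 range).

    Note: distributions that backport the fix keep the old version string,
    so a True result is a triage flag, not proof of exposure.
    """
    branch, letter = parse_openssl_version(text)
    if branch != VULNERABLE_BRANCH:
        return False
    # Plain "1.0.1" has an empty letter, and "" < "g"; "a".."f" also sort below "g".
    return letter < FIXED_LETTER


def triage_inventory(inventory):
    """Map {host: version_string} to {host: needs_action} for an admin worklist."""
    return {host: is_heartbleed_version(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lb01": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy": "OpenSSL 0.9.8y 5 Feb 2013",
}

if __name__ == "__main__":
    for host, flagged in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(host, "NEEDS UPDATE" if flagged else "ok")
```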

The impact to AgriLife IT resources has been minimal. No production Internet accessible systems were using the vulnerable OpenSSL libraries.

Information on the impact and remediation efforts of banks and various financial institutions continues to become available. Please see some of the links below to determine if a company you do online business with might have been involved.