[SingCERT] OpenSSL Heartbleed Bug - Updated Information

Published on Friday, 02 May 2014 14:27

[ Background ]

A serious bug has been discovered in OpenSSL, a cryptographic software library, which could lead to unauthorised access to confidential data. Examples of information that could be stolen include secret keys for X.509 certificates, usernames and passwords.


[ Affected Software ]

  • All versions of OpenSSL 1.0.1 prior to 1.0.1g
  • All versions of OpenSSL 1.0.2-beta prior to 1.0.2-beta2


[ Recommendations ]

For Website Owners

Upgrade OpenSSL to OpenSSL 1.0.1g (for websites using OpenSSL 1.0.1) or OpenSSL 1.0.2-beta2 (for websites using OpenSSL 1.0.2-beta) immediately.

If upgrading OpenSSL is not possible, website owners are to recompile OpenSSL using the -DOPENSSL_NO_HEARTBEATS switch.

Website owners should also check with their IDS/IPS vendors if signatures are available to detect/block such attacks. 
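To check a host against the affected versions and the recompile option above, the following added example (not SingCERT's or OpenSSL's own code) classifies the output of `openssl version` and `openssl version -f`. The function name heartbleed_status, its status strings and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify an OpenSSL build against the affected ranges in this
# advisory. heartbleed_status is a hypothetical helper name.
#   $1 = output of `openssl version`
#   $2 = output of `openssl version -f` (compiler flags used for the build)
heartbleed_status() {
    # Second field of e.g. "OpenSSL 1.0.1e 11 Feb 2013" is the version token.
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case $ver in
        "")
            echo unknown; return 0 ;;
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)   # 1.0.1 through 1.0.1f, incl. suffixed builds
            ;;
        1.0.2-beta|1.0.2-beta1)          # 1.0.2-beta prior to beta2
            ;;
        *)
            echo not-in-affected-range; return 0 ;;
    esac
    # In range by version string: check whether heartbeats were compiled out.
    case $2 in
        *-DOPENSSL_NO_HEARTBEATS*) echo mitigated-no-heartbeats ;;
        *) echo affected ;;
    esac
}

# Constructed sample inputs (not captured from real hosts).
demo() {
    heartbleed_status "OpenSSL 1.0.1e 11 Feb 2013" "compiler: gcc -DOPENSSL_THREADS -O2"
    heartbleed_status "OpenSSL 1.0.1f 6 Jan 2014" "compiler: gcc -DOPENSSL_NO_HEARTBEATS -O2"
    heartbleed_status "OpenSSL 1.0.1g 7 Apr 2014" "compiler: gcc -O2"
    heartbleed_status "OpenSSL 1.0.2-beta1 24 Feb 2014" "compiler: gcc -O2"
}

# Check the local binary only when asked: sh script.sh --local
if [ "${1:-}" = "--local" ]; then
    heartbleed_status "$(openssl version)" "$(openssl version -f)"
else
    demo
fi
```

Distribution packages often carry a backported fix without changing the version letter, so treat a result of `affected` as a prompt to confirm against the package vendor's advisory rather than as proof.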

For system owners using VMware products

  • Deploy the VMware product update or product patches
  • Replace certificates per the product-specific documentation
  • Reset passwords per the product-specific documentation

For End Users

Users are advised to heed the instructions of their service providers (e.g. email) or ISPs if contacted to take precautionary or remediation actions.

You can also refer to the SingCERT advisory: http://www.singcert.org.sg/alerts/21-latest/608-singcert-updates-for-openssl-heartbleed-vulnerabilty-for-end-users

 

[ References ]