OpenSSL Heartbleed exploit and what it means for you (CVE-2014-0160)
PostedThursday April 10th 2014
At the start of this week there was an OpenSSL vulnerability that was made public which effectively allowed hackers to be able to dump 64kb worth of content sitting in the server memory. This memory is often used to store private keys and other private information.
For those that are unaware, OpenSSL is the cryptographic library that is used to secure a very large percentage of the Internet’s traffic (including services with majority of web hosting providers around the world, including VentraIP Australia).
Whilst there is no proof of concept showing that private keys for SSL certificates could be leaked in their entirety using this vulnerability, the threat definitely exists and could potentially allow users to decrypt SSL encrypted data (which is especially bad for credit card transactions).
We would also like to stress that we have no reason to believe that any data has been breached from any of our infrastructure.
To mitigate this and protect our clients, we have upgraded OpenSSL on all our shared hosting servers and have recompiled Apache & PHP. For our Business cPanel Webhosting clients we have updated to the latest release of LiteSpeed to patch the potentially destructive vulnerability.
Clients with a cPanel VPS should have received the OpenSSL update through the nightly cPanel update function, however, you can complete a few easy steps via SSH to force an update to the OpenSSL library:
yum clean all && yum update openssl -y
service httpd stop
service httpd start
Whilst we have no reason to believe that any data was breached, we suggest all clients rotate their passwords – and ensure that they don’t use the same password across multiple websites.
For clients that wish to have their SSL certificate ‘rekeyed’ — which is the process of generating a new private key for your existing SSL certificate (what is used to decrypt secure information) — then our technical support team will be more than happy to assist with this via eTicket through VIPControl.
All of VentraIP Australia’s corporate SSL certificates – including VIPControl, Order Forms & website – have been rekeyed to ensure maximum security for our clients.
As we have no reason to believe that there was any breach to our infrastructure, we will not be terminating any VIPControl client sessions, however, clients who have active sessions can use the ‘Logout’ button and then login again to re-establish a new session.
You can find more information on the OpenSSL Heartbleed exploit online at Codenomicon’s heartbleed.com website.