"This server is vulnerable to Heartbleed. Update to the latest version of OpenSSL, replace the certificate on your web server or appliance, and reset end-user passwords that may have been visible in a compromised server memory."
The Heartbleed Bug is in the heartbeat extension of the OpenSSL cryptographic library. The cryptographic libraries in OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable to the Heartbleed Bug attack. The Heartbleed Bug vulnerability is a weakness in the OpenSSL cryptographic library, which allows an attacker to gain access to sensitive information that is normally protected by the SSL and TLS protocols.
OpenSSL is an open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Security Layer Security (TLS) protocols, including a cryptographic library that employs cryptographic functions and supplies different utility functions. This cryptographic library is commonly implemented by servers on the Internet to secure much of the Internet's traffic.
An attacker can use the Heartbleed Bug attack to gain access to:
When securing your environment against the Heartbleed Bug, you'll need to patch OpenSSL on servers running vulnerable versions of OpenSSL, and software using affected versions of the OpenSSL library.
Upgrade to the latest version of OpenSSL (version 1.0.1g or later).
You may need to restart your software after it is patched to make sure the OpenSSL library is reset, and the Heartbleed Bug is removed from cached memory.
If you're unable to upgrade to the latest version of OpenSSL:
Use DigiCert Discovery to rescan your environment to make sure you are no longer vulnerable to the Heartbleed Bug attack.
After installing reissued certificates, you need to revoke the certificates that were replaced. To get your certificates revoked, contact your Certificate Authority.
For DigiCert customers, email support at email@example.com. Make sure to include your certificate's order number and a brief description of what you want revoked.
If your servers accept passwords, you should also have your clients reset their passwords, but only after servers and software are patched and certificates are rekeyed, reissued, installed, and revoked.
If clients reset their passwords before servers/software are patched and certificates are rekeyed, reissued, installed, and revoked, then their passwords were still exposed, and they must reset their passwords again.