
Heartbleed bug

Related error

"This server is vulnerable to Heartbleed. Update to the latest version of OpenSSL, replace the certificate on your web server or appliance, and reset end-user passwords that may have been visible in a compromised server memory."

Problem

The Heartbleed bug (CVE-2014-0160) is a missing bounds check in the TLS heartbeat extension of the OpenSSL cryptographic library. OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable; 1.0.1g and 1.0.2-beta2 contain the fix. A peer sends a heartbeat request whose length field claims more payload than the message actually carries, and the vulnerable code copies that many bytes out of process memory into the reply, up to 64 KB per request. This lets an attacker read memory of a vulnerable server (or of a vulnerable client that connects to a malicious server) that is normally protected by SSL and TLS: private keys, session data, and anything else the process held at the time.
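To make the missing check concrete, here is an added example (not DigiCert's or OpenSSL's code) that simulates the heartbeat handling logic in Python. Process memory is modelled as one bytes object so the over-read is visible without undefined behaviour; the function names, the "ping" payload and the neighbouring cookie data are constructed for the example, and the length check in heartbeat_fixed is the one the 1.0.1g patch added.

```python
import struct

HB_REQUEST = 1            # TLS HeartbeatMessageType: heartbeat_request
HB_RESPONSE = 2           # heartbeat_response
PADDING_LEN = 16          # minimum padding a heartbeat message must carry


def honest_request(payload: bytes) -> bytes:
    """A well-formed heartbeat request: type, 16-bit length, payload, padding."""
    return struct.pack("!BH", HB_REQUEST, len(payload)) + payload + b"\x00" * PADDING_LEN


def forged_request(claimed_len: int) -> bytes:
    """A request that claims `claimed_len` payload bytes but carries none."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + b"\x00" * PADDING_LEN


# Constructed "process memory" neighbour: data from another connection that
# happens to sit right after the received record. All values are made up.
NEIGHBOUR = b"Cookie: session=7f3a9c0e; user=alice\r\n" + b"\x00" * 64


def heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g behaviour: the 16-bit length sent by the peer is trusted and
    that many bytes are copied from the payload pointer, no matter how long the
    record really was (record_len is never consulted)."""
    hbtype = memory[0]
    payload_len = struct.unpack("!H", memory[1:3])[0]    # attacker-controlled
    if hbtype != HB_REQUEST:
        return b""
    payload = memory[3:3 + payload_len]                   # reads past the record
    # The real code also appends 16 random padding bytes; omitted here.
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload


def heartbeat_fixed(memory: bytes, record_len: int) -> bytes:
    """1.0.1g behaviour: the claimed payload must fit inside the record
    (1 type byte + 2 length bytes + payload + 16 bytes of padding);
    otherwise the message is silently discarded."""
    if 1 + 2 + PADDING_LEN > record_len:
        return b""
    hbtype = memory[0]
    payload_len = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return b""
    if hbtype != HB_REQUEST:
        return b""
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload


def exchange(handler, record: bytes) -> bytes:
    """Place the record in front of the neighbour data and run the handler on it."""
    return handler(record + NEIGHBOUR, len(record))


if __name__ == "__main__":
    print(exchange(heartbeat_vulnerable, honest_request(b"ping"))[3:7])   # b'ping'
    leak = exchange(heartbeat_vulnerable, forged_request(0xFFFF))
    print(b"user=alice" in leak)                                            # True
    print(exchange(heartbeat_fixed, forged_request(0xFFFF)))               # b''
```

An honest request gets the same reply from both handlers; a request claiming 65535 bytes makes the vulnerable handler return the neighbouring cookie, while the fixed handler drops the record without replying.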

Notice

OpenSSL is an open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It includes a general-purpose cryptographic library that provides the cryptographic primitives and a set of utility functions. This library is used by a large share of the servers on the Internet to secure their traffic.

An attacker can use the Heartbleed bug to read the contents of a vulnerable process's memory, which may include:

  • Encryption keys

    The server's private key, which lets the attacker impersonate your website for as long as the certificate is valid and decrypt future traffic. Past captured traffic can also be decrypted if it used RSA key exchange rather than an ephemeral (forward-secret) one.

  • User credentials

    User names and passwords from recent requests, which the attacker can use to access those customers' accounts on your website.

  • Protected content

    Personal or financial details, private communications (email or instant messages), and documents being processed by the server.

  • Collateral

    Other leaked memory contents, such as memory addresses and protection values like stack canaries, which help an attacker mount further attacks against the process.

Solution

Patch software

To secure your environment against the Heartbleed bug, patch OpenSSL on servers running vulnerable versions, and patch any software that ships its own copy of an affected OpenSSL library.

Upgrade to OpenSSL 1.0.1g or later (on the 1.0.2 branch, 1.0.2-beta2 or later).

  • Servers

    Check your package manager for an updated OpenSSL package and install it. Distributions often backport the fix without changing the upstream version number (a patched package may still report 1.0.1e), so go by the package changelog rather than the version string. If no updated package is available, obtain the latest version of OpenSSL from your service provider.

  • Software

    Check for patches released to fix the Heartbleed bug in software that bundles or statically links its own OpenSSL (appliances and applications that ship their own build), since updating the system package does not fix those. If no patch is available, contact your software vendor to obtain the latest patch and install it.

Note

Patching the library on disk does not change processes that are already running: each keeps using the copy of OpenSSL it loaded at start-up, so the vulnerable code stays in memory until the process restarts. Restart every service that uses OpenSSL (web, mail, VPN and other TLS-terminating daemons), or reboot the host.

If you're unable to upgrade to the latest version of OpenSSL:

  • Roll back to OpenSSL version 1.0.0 or earlier, which predates the heartbeat extension. Note that 1.0.0 has no TLS 1.1 or 1.2 support and lacks later security fixes, so treat this as a stopgap only.

  • Recompile OpenSSL with heartbeats disabled by passing -DOPENSSL_NO_HEARTBEATS when configuring the build (for example as an option to ./config). This removes the vulnerable code path and is the workaround given in the OpenSSL security advisory.

Verify vulnerabilities are patched

After patching and restarting services, use DigiCert Discovery to rescan your environment and confirm that no host is still vulnerable to the Heartbleed bug.
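Two local checks that complement the external rescan, as an added example that is not part of this article: a classifier for the output of openssl version, and a scan of /proc/PID/maps for processes that still have the replaced library loaded (the restart problem described in the Note above). The function names, the SAMPLE_MAPS excerpt and its addresses and inode numbers are constructed for the example; the process scan is Linux-only and returns nothing elsewhere.

```python
import re
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional, Tuple

# Releases affected by CVE-2014-0160. 1.0.1g and 1.0.2-beta2 carry the fix.
VULNERABLE_RELEASES = {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d",
                       "1.0.1e", "1.0.1f", "1.0.2-beta1"}

_VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+[a-z]*(?:-beta\d+)?)")


def classify_version(version_output: str) -> str:
    """Classify the output of `openssl version` as 'vulnerable', 'fixed' or
    'unaffected'. A 'vulnerable' result is a prompt, not a verdict: vendors
    such as Debian, Ubuntu and Red Hat backported the fix and kept the old
    upstream number (typically 1.0.1e), so confirm with the package changelog
    or an external scan."""
    m = _VERSION_RE.search(version_output)
    if not m:
        raise ValueError(f"no OpenSSL version in {version_output!r}")
    version = m.group(1)
    if version in VULNERABLE_RELEASES:
        return "vulnerable"
    if version.startswith(("1.0.1", "1.0.2")):
        return "fixed"            # 1.0.1g+, 1.0.2-beta2+
    # 0.9.8 and 1.0.0 predate the heartbeat code; later branches shipped fixed.
    return "unaffected"


def local_openssl_status() -> Optional[str]:
    """Run the installed openssl binary and classify it; None if not installed."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return classify_version(out)


def deleted_ssl_mappings(maps_text: str) -> List[str]:
    """Paths of libssl/libcrypto files a process has mapped but which were
    already replaced on disk; Linux marks such mappings '(deleted)'."""
    found: List[str] = []
    for line in maps_text.splitlines():
        m = re.search(r"(\S*lib(?:ssl|crypto)\S*) \(deleted\)$", line)
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found


def stale_ssl_library_users(proc_root: str = "/proc") -> List[Tuple[int, str, List[str]]]:
    """(pid, command, stale libraries) for every process still running the
    pre-upgrade OpenSSL, i.e. every process that must be restarted.
    Returns [] where /proc is absent or unreadable."""
    hits: List[Tuple[int, str, List[str]]] = []
    for maps in Path(proc_root).glob("[0-9]*/maps"):
        try:
            stale = deleted_ssl_mappings(maps.read_text())
            if stale:
                comm = (maps.parent / "comm").read_text().strip()
                hits.append((int(maps.parent.name), comm, stale))
        except OSError:           # permission denied, or the process exited
            continue
    return hits


# Constructed /proc/PID/maps excerpt for a not-yet-restarted web server.
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a1c5000 r-xp 00000000 08:01 131106 /lib/x86_64-linux-gnu/libc-2.19.so
7f1c2a400000-7f1c2a464000 r-xp 00000000 08:01 131240 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1c2a664000-7f1c2a82a000 r-xp 00000000 08:01 131238 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1c2aa2a000-7f1c2aa2b000 rw-p 001c6000 08:01 131238 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
"""

if __name__ == "__main__":
    print("installed openssl:", local_openssl_status())
    print("sample maps:", deleted_ssl_mappings(SAMPLE_MAPS))
    for pid, comm, libs in stale_ssl_library_users():
        print(f"restart needed: pid {pid} ({comm}) still maps {', '.join(libs)}")
```

Run it as root after the package upgrade: an empty result from stale_ssl_library_users means every process is on the new library, and any entry names a service that still needs a restart.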

Rekey, reissue, and install certificates

  • Rekey and reissue all the certificates on your affected servers. Generate a new private key and a new certificate signing request (CSR) for each; reissuing from the old CSR would keep the private key that may have been exposed. See Create a CSR.

  • After servers and software are patched (and only after they are patched), install your reissued certificates.
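A check that a reissue actually changed the key, as an added example that is not DigiCert's code: it compares the public key in the old certificate with the one in the new CSR using the openssl command line, and generates throwaway material to show both outcomes. The file names, the subject /CN=www.example.com and the function names are assumptions for the example; served_public_key_fingerprint needs network access and exists for the check after the reissued certificate is installed.

```python
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

SUBJECT = "/CN=www.example.com"      # assumed subject for the constructed material


def _openssl(*args: str, stdin: bytes = b"") -> bytes:
    """Run an openssl subcommand and return its stdout; raises on failure."""
    return subprocess.run(["openssl", *args], input=stdin,
                          capture_output=True, check=True).stdout


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def public_key_fingerprint(path: str, kind: str) -> str:
    """SHA-256 over the PEM SubjectPublicKeyInfo of a certificate (kind='x509')
    or a CSR (kind='req'). Both subcommands print the same PEM form, so the
    two values are directly comparable."""
    pem = _openssl(kind, "-in", path, "-noout", "-pubkey")
    return hashlib.sha256(pem).hexdigest()


def is_rekeyed(old_cert: str, new_csr: str) -> bool:
    """True only if the CSR carries a public key different from the one in the
    certificate being replaced, i.e. a new private key was generated."""
    return public_key_fingerprint(old_cert, "x509") != public_key_fingerprint(new_csr, "req")


def served_public_key_fingerprint(host: str, port: int = 443) -> str:
    """After installing the reissued certificate: fingerprint of the key the
    live server presents (needs network; not exercised offline). It should
    match the new CSR and differ from the old certificate."""
    chain = _openssl("s_client", "-connect", f"{host}:{port}", "-servername", host)
    pem = _openssl("x509", "-noout", "-pubkey", stdin=chain)
    return hashlib.sha256(pem).hexdigest()


def make_demo_material(workdir: Optional[str] = None) -> Dict[str, str]:
    """Constructed inputs: a self-signed 'old' certificate, a CSR built from the
    old key (the mistake to catch) and a CSR with a freshly generated key."""
    d = Path(workdir or tempfile.mkdtemp(prefix="heartbleed-rekey-"))
    old_key, old_crt = str(d / "old.key"), str(d / "old.crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", SUBJECT, "-keyout", old_key, "-out", old_crt)
    # Wrong: a "reissue" CSR signed with the existing, possibly leaked key.
    _openssl("req", "-new", "-key", old_key, "-subj", SUBJECT,
             "-out", str(d / "same-key.csr"))
    # Right: a fresh key pair and a CSR for it.
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", SUBJECT,
             "-keyout", str(d / "new.key"), "-out", str(d / "new.csr"))
    return {"old_cert": old_crt,
            "same_key_csr": str(d / "same-key.csr"),
            "new_csr": str(d / "new.csr")}


def demo() -> Tuple[bool, bool]:
    """(reissued from the old CSR, reissued with a new key) -> (False, True)."""
    m = make_demo_material()
    return (is_rekeyed(m["old_cert"], m["same_key_csr"]),
            is_rekeyed(m["old_cert"], m["new_csr"]))


if __name__ == "__main__":
    print(demo())
```

Run is_rekeyed against the certificate currently installed and the CSR you are about to submit; if it returns False, the CSR reuses the old key and must be regenerated before ordering the reissue.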

Revoke replaced certificates

After installing reissued certificates, you need to revoke the certificates that were replaced. To get your certificates revoked, contact your Certificate Authority.

For DigiCert customers, email support. Make sure to include your certificate's order number and a brief description of what you want revoked.

Reset passwords

If your servers authenticate users with passwords, have your users reset them, but only after servers and software are patched and certificates are rekeyed, reissued, installed, and revoked.

Notice

If clients reset their passwords before servers or software are patched and certificates are rekeyed, reissued, installed, and revoked, the new passwords can be exposed in the same way and must be reset again.