Heartbleed bug

"This server is vulnerable to Heartbleed. Update to the latest version of OpenSSL, replace the certificate on your web server or appliance, and reset end-user passwords that may have been visible in a compromised server memory."

Problem

The Heartbleed Bug is in the heartbeat extension of the OpenSSL cryptographic library. The cryptographic libraries in OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable to the Heartbleed Bug attack. The Heartbleed Bug vulnerability is a weakness in the OpenSSL cryptographic library, which allows an attacker to gain access to sensitive information that is normally protected by the SSL and TLS protocols.

OpenSSL is an open-source toolkit that implements Secure Sockets Layer (SSL) and Transport Security Layer Security (TLS) protocols. It includes a cryptographic library that employs cryptographic functions and supplies different utility functions. This cryptographic library is commonly implemented by servers on the Internet to secure much of the Internet's traffic.

An attacker can use the Heartbleed Bug attack to gain access to:

  • Encryption keys
    The attacker can use these keys to decrypt past and future secure communications to your website and impersonate your website at any time.
  • User credentials
    The attacker can use your customers’ user names and passwords to access their information secured by your website.
  • Protected Content
    The attacker can access personal or financial details, private communications (email or instant messages), and documents.
  • Collateral
    The attacker can access leaked memory content, such as memory address and security measures.

Solution

Patch software

When securing your environment against the Heartbleed Bug, you need to patch OpenSSL on servers running vulnerable versions of OpenSSL, and software using affected versions of the OpenSSL library.

Upgrade to the latest version of OpenSSL (version 1.0.1g or later).

  • Servers
    Check your package manager for an updated OpenSSL package and install it. If you don't have an updated OpenSSL package, obtain the latest version of OpenSSL from your Service Provider.
  • Software
    Check for software patches released to fix the Heartbleed Bug vulnerability and install them. If you don't have software patches, contact your software vendor to obtain the latest patch and install it.
    Note: You may need to restart your software after it is patched to make sure the OpenSSL library is reset, and the Heartbleed Bug is removed from cached memory.

You might need to restart your software after it is patched to make sure the OpenSSL library is reset, and the Heartbleed Bug is removed from cached memory.

If you're unable to upgrade to the latest version of OpenSSL:

  • Rollback to OpenSSL version 1.0.0 or earlier.
  • Recompile OpenSSL with the OPENSSL_NO_HEARTBEATS flag.

Verify Heartbleed Bug vulnerabilities are patched

Use DigiCert Discovery to rescan your environment to make sure you are no longer vulnerable to the Heartbleed Bug attack.

Rekey, reissue, and install certificates

  • Rekey and reissue all the certificates on your affected servers.
    When reissuing certificates, make sure to generate new certificate signing requests (CSRs). See Create a CSR.
  • After servers and software are patched (and only after they are patched), install your reissued certificates.

Revoke replaced certificates

After installing reissued certificates, you need to revoke the certificates that were replaced. To get your certificates revoked, contact your Certificate Authority.

For DigiCert customers, email support at support@digicert.com. Make sure to include your certificate's order number and a brief description of what you want revoked.

Reset passwords

If your servers accept passwords, you should also have your clients reset their passwords, but only after servers and software are patched and certificates are rekeyed, reissued, installed, and revoked.

If clients reset their passwords before servers or software are patched and certificates are rekeyed, reissued, installed, and revoked, then their passwords would still be exposed. They must reset their passwords again.

About

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.