Heartbleed bug
Related error
"This server is vulnerable to Heartbleed. Update to the latest version of OpenSSL, replace the certificate on your web server or appliance, and reset end-user passwords that may have been visible in a compromised server's memory."
Problem
The Heartbleed bug is a weakness in the heartbeat extension of the OpenSSL cryptographic library. OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable to this attack. The weakness allows an attacker to read sensitive information from server memory that is normally protected by the SSL and TLS protocols.
Notice
OpenSSL is an open-source toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. It includes a general-purpose cryptographic library that provides cryptographic functions and various utility functions. This library is widely used by servers on the Internet to secure much of the Internet's traffic.
An attacker can use the Heartbleed bug attack to gain access to:
Encryption keys
The attacker can use these keys to decrypt past and future secure communications with your website and to impersonate your website at any time.
User credentials
The attacker can use your customers’ user names and passwords to access their information secured by your website.
Protected content
The attacker can access personal or financial details, private communications (email or instant messages), and documents.
Collateral
The attacker can read other leaked memory content, such as memory addresses and details of the server's security mechanisms.
Solution
Patch software
When securing your environment against the Heartbleed bug, you need to patch OpenSSL on servers running vulnerable versions, and patch any software that bundles an affected version of the OpenSSL library.
Upgrade to the latest version of OpenSSL (version 1.0.1g or later).
Servers
Check your package manager for an updated OpenSSL package and install it. If you don't have an updated OpenSSL package, obtain the latest version of OpenSSL from your service provider.
Software
Check for software patches released to fix the Heartbleed bug vulnerability and install them. If you don't have software patches, contact your software vendor to obtain the latest patch and install it.
Note
You might need to restart your software after it is patched so that running processes load the patched OpenSSL library instead of the vulnerable copy still held in memory.
If you're unable to upgrade to the latest version of OpenSSL:
Roll back to OpenSSL version 1.0.0 or earlier.
Recompile OpenSSL with the OPENSSL_NO_HEARTBEATS flag.
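The following shell script is an added example, not part of the DigiCert page or of OpenSSL itself. It supports the patching steps above with three local checks: it classifies the output of `openssl version` against the vulnerable ranges the page lists, checks the build flags reported by `openssl version -f` for OPENSSL_NO_HEARTBEATS (the recompile fallback), and, on Linux, lists processes that still map a libssl that was replaced on disk, which is the situation the restart note describes. The output formats of the two openssl commands are assumed to be the usual "OpenSSL 1.0.1f 6 Jan 2014" and "compiler: gcc ... -DOPENSSL_NO_HEARTBEATS ..." lines.

```shell
#!/bin/sh
# Added example, not part of the DigiCert page: local checks that support the
# patching steps. Version ranges are the ones the page lists. Assumed formats:
#   openssl version    -> "OpenSSL 1.0.1f 6 Jan 2014"
#   openssl version -f -> "compiler: gcc ... -DOPENSSL_NO_HEARTBEATS ..."

# heartbleed_status "VERSION LINE" -> prints vulnerable | not-vulnerable | unknown
# Classifies by version string only; distro backports are discussed in the note below.
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1) echo vulnerable ;;      # 1.0.1 .. 1.0.1f and 1.0.2-beta1
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)  echo not-vulnerable ;;  # fixed in 1.0.1g / 1.0.2-beta2
        1.0.0*|0.9.*)                  echo not-vulnerable ;;  # predates the heartbeat extension
        *)                             echo unknown ;;
    esac
}

# heartbeats_disabled "CFLAGS LINE" -> succeeds if the build defines OPENSSL_NO_HEARTBEATS
heartbeats_disabled() {
    case " $1 " in
        *" -DOPENSSL_NO_HEARTBEATS "*) return 0 ;;
        *) return 1 ;;
    esac
}

# stale_libssl_processes -> PIDs whose memory still maps a libssl that was
# replaced on disk (Linux /proc only). Those processes run the old code until restarted.
stale_libssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            printf '%s\n' "$maps" | cut -d/ -f3
        fi
    done
}

# Report on the local installation when the openssl CLI is present.
if command -v openssl >/dev/null 2>&1; then
    echo "installed openssl: $(heartbleed_status "$(openssl version)")"
    if heartbeats_disabled "$(openssl version -f)"; then
        echo "heartbeat extension: compiled out"
    else
        echo "heartbeat extension: present in this build"
    fi
    stale=$(stale_libssl_processes)
    if [ -n "$stale" ]; then
        echo "restart needed, still using a replaced libssl: $(printf '%s ' $stale)"
    fi
fi
```

A "vulnerable" result from the version string alone is not conclusive: several distributions shipped the fix as a backport and kept a 1.0.1e-style version string, so confirm with the package changelog or with a DigiCert Discovery rescan. A "not-vulnerable" result for a process that still maps a deleted libssl is equally misleading, which is why the third check exists.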
Verify vulnerabilities are patched
Use DigiCert Discovery to rescan your environment to make sure you are no longer vulnerable to the Heartbleed bug attack.
Rekey, reissue, and install certificates
Rekey and reissue all the certificates on your affected servers. When reissuing certificates, make sure to generate new certificate signing requests (CSRs). See Create a CSR.
After servers and software are patched (and only after they are patched), install your reissued certificates.
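The rekey step only helps if the reissued certificate is bound to a brand-new private key; a fresh CSR generated from the old key leaves the leaked key in service. The script below is an added example, not DigiCert's "Create a CSR" procedure: it generates a new key and CSR with the openssl CLI and refuses to proceed if the new key shares its modulus with the old one. The openssl CLI is assumed to be on PATH, and the common name and file names are placeholders for this example.

```shell
#!/bin/sh
# Added example, not DigiCert's code: rekey by generating a NEW private key
# and a CSR for it, then confirm the CSR is not tied to the compromised key.
# Assumes the openssl CLI on PATH; "example.com" and file names are placeholders.

# rekey_csr CN OLD_KEY NEW_KEY NEW_CSR
# Writes NEW_KEY and NEW_CSR. Returns 1 if generation fails, 2 if NEW_KEY turns
# out to be the same RSA key as OLD_KEY (a reissue on a leaked key is still exposed).
rekey_csr() {
    cn=$1; old_key=$2; new_key=$3; new_csr=$4
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$new_key" -out "$new_csr" -subj "/CN=$cn" 2>/dev/null || return 1
    chmod 600 "$new_key"
    if [ -f "$old_key" ]; then
        # Compare the keys by RSA modulus; identical modulus means the key was reused.
        old_mod=$(openssl rsa -in "$old_key" -noout -modulus 2>/dev/null)
        new_mod=$(openssl rsa -in "$new_key" -noout -modulus 2>/dev/null)
        [ "$old_mod" != "$new_mod" ] || return 2
    fi
    # The CSR must carry a valid self-signature made with the new key.
    openssl req -in "$new_csr" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY -> succeeds when the CSR's public key belongs to KEY
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Usage: sh rekey.sh example.com old.key new.key new.csr
if [ "$#" -eq 4 ]; then
    rekey_csr "$@" && echo "new CSR ready for submission: $4"
fi
```

Submit only the CSR to the CA; the new key never leaves the server. After the reissued certificate is installed, the old key and certificate are exactly what the next step revokes.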
Revoke replaced certificates
After installing reissued certificates, you need to revoke the certificates that were replaced. To get your certificates revoked, contact your Certificate Authority.
For DigiCert customers, email support. Make sure to include your certificate's order number and a brief description of what you want revoked.
Reset passwords
If your servers accept passwords, you should also have your clients reset their passwords, but only after servers and software are patched and certificates are rekeyed, reissued, installed, and revoked.
Notice
If clients reset their passwords before servers or software are patched and certificates are rekeyed, reissued, installed, and revoked, their new passwords can still be exposed, and they must reset them again.