On April 7, 2014, a team of security researchers announced the discovery of a critical vulnerability dubbed “The Heartbleed Bug” (CVE-2014-0160) in OpenSSL, a widely used open source cryptographic software library. OpenSSL is used by web servers such as Apache and Nginx and, more broadly, by operating systems, toolkits and many other applications. The bug is in OpenSSL’s implementation of the TLS heartbeat extension: a malformed heartbeat request makes the server return up to 64 KB of its own process memory per request, and that memory can contain the private key of the SSL certificate on the web server (not just the session key), among other sensitive data. The vulnerability has gained widespread attention in the media; outlets covering the story include TechCrunch, CNET, Fox News and USA Today.
OpenSSL versions 1.0.1 through 1.0.1f are vulnerable; the fix shipped in 1.0.1g, and the 0.9.8 and 1.0.0 branches are not affected. An attacker who recovers the server’s private key can impersonate the service and decrypt recorded or ongoing SSL traffic (where the key exchange does not provide forward secrecy). Other data in server memory may also be disclosed, which conceivably includes usernames and passwords of users or anything else the server holds in memory. Because the private key may already have been taken, patching alone is not enough on an exposed server: certificates should be reissued with new keys and the old ones revoked, and users should change passwords once the server is patched.
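To make concrete how the bug works, here is an added example (not OpenSSL’s code and not part of the original notice): a simplified heartbeat handler in the shape of the vulnerable function beside one that carries the two bounds checks OpenSSL 1.0.1g added, run against a constructed in-memory record. The names heartbeat_vulnerable, heartbeat_fixed and build_heap, the fake heap layout and the SECRET string are assumptions made for the demo; the record layout follows RFC 6520.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */
#define HDR_LEN     3    /* 1-byte type + 2-byte payload_length */

/* Big-endian payload_length field (OpenSSL's n2s macro). */
static unsigned n2s(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Echo `payload` bytes starting at src back as a heartbeat response. */
static size_t build_response(const unsigned char *src, unsigned payload,
                             unsigned char *out, size_t out_cap)
{
    size_t need = HDR_LEN + (size_t)payload + HB_PADDING;
    if (need > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + HDR_LEN, src, payload);   /* copies `payload` bytes, wherever they lie */
    memset(out + HDR_LEN + payload, 0, HB_PADDING);
    return need;
}

/* Vulnerable handler, shaped like the pre-1.0.1g code: payload_length comes from
 * the attacker's record and is never compared with rec_len, so the memcpy above
 * walks past the end of the record into whatever memory follows it. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                         /* the bug: the real length is ignored */
    if (rec[0] != HB_REQUEST) return 0;
    return build_response(rec + HDR_LEN, n2s(rec + 1), out, out_cap);
}

/* Fixed handler with the two checks the 1.0.1g patch added: header plus
 * minimum padding must fit in the record, and so must the declared payload. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (HDR_LEN + HB_PADDING > rec_len) return 0;                    /* silently discard */
    if (rec[0] != HB_REQUEST) return 0;
    unsigned payload = n2s(rec + 1);
    if (HDR_LEN + (size_t)payload + HB_PADDING > rec_len) return 0;  /* silently discard */
    return build_response(rec + HDR_LEN, payload, out, out_cap);
}

/* ---- constructed demo: fake heap, fake secret, no real key material ---- */
#define HEAP_SZ    128
#define SECRET     "PRIVATE-KEY-BYTES"
#define SECRET_OFF 40    /* the secret sits 40 bytes into the fake heap */

/* Fill a 128-byte region standing in for the server heap: a 24-byte request that
 * claims a 64-byte payload but carries 5, with unrelated bytes after it. One
 * array keeps the demo over-read inside a valid allocation. */
static size_t build_heap(unsigned char heap[HEAP_SZ])
{
    memset(heap, 'A', HEAP_SZ);
    heap[0] = HB_REQUEST;
    heap[1] = 0x00; heap[2] = 0x40;                       /* payload_length = 64 */
    memcpy(heap + HDR_LEN, "hello", 5);                   /* real payload: 5 bytes */
    memset(heap + HDR_LEN + 5, 0, HB_PADDING);
    memcpy(heap + SECRET_OFF, SECRET, sizeof SECRET - 1); /* 16 bytes past the record */
    return HDR_LEN + 5 + HB_PADDING;                      /* 24 bytes actually received */
}

/* 1 if the vulnerable handler's response carries the secret; it lands at the
 * same offset in the response because the copy starts at heap + HDR_LEN. */
int vulnerable_leaks_secret(void)
{
    unsigned char heap[HEAP_SZ], out[256];
    size_t rec_len = build_heap(heap);
    size_t n = heartbeat_vulnerable(heap, rec_len, out, sizeof out);
    return n >= SECRET_OFF + sizeof SECRET - 1 &&
           memcmp(out + SECRET_OFF, SECRET, sizeof SECRET - 1) == 0;
}

/* Response length the fixed handler gives the same malformed record (0 = dropped). */
size_t fixed_drops_malformed(void)
{
    unsigned char heap[HEAP_SZ], out[256];
    size_t rec_len = build_heap(heap);
    return heartbeat_fixed(heap, rec_len, out, sizeof out);
}

/* Response length for an honest 24-byte request whose declared length matches. */
size_t fixed_accepts_honest(void)
{
    unsigned char rec[HDR_LEN + 5 + HB_PADDING], out[256];
    rec[0] = HB_REQUEST; rec[1] = 0x00; rec[2] = 0x05;
    memcpy(rec + HDR_LEN, "hello", 5);
    memset(rec + HDR_LEN + 5, 0, HB_PADDING);
    return heartbeat_fixed(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed, malformed record: %zu bytes\n", fixed_drops_malformed());
    printf("fixed, honest record:    %zu bytes\n", fixed_accepts_honest());
    return 0;
}
```

The point to take from the demo is that the vulnerable handler copies bytes it was never handed (the response echoes the 64 bytes after the header, including the fake key material 16 bytes past the record), while the fixed handler drops the same record and still answers a well-formed 24-byte request with a 24-byte response. The real attack declares a payload of up to 65535 bytes against a request a few bytes long and repeats the request until something useful appears.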
CIT is aware of the vulnerability, dubbed “Heartbleed”, which is a legitimate security concern for users of OpenSSL. We have completed remediation of all vulnerable web servers under our management within 48 hours of the announcement of the vulnerability. Furthermore, our standard deployment of OpenSSL does not implement the Heartbeat function, which is the component of the software that is vulnerable in this bug.