WHEN April 7, 2014, ongoing
WHAT On Monday, April 7, 2014, the OpenSSL Project announced a serious vulnerability in OpenSSL, called Heartbleed, that can expose data on systems running OpenSSL.
OpenSSL is one of the most popular data encryption tools for Web traffic, and as a result, the effects of this vulnerability are wide-ranging.
OpenSSL has released a fix for Heartbleed, included in version 1.0.1g. Server administrators using OpenSSL should update their version immediately either through OpenSSL or their applicable vendor.
WHO IS Server Administrators, General Public
NEXT STEPS We recommend that Campus Server Administrators:
1. Update OpenSSL through OpenSSL or your vendor.
A list of vendors and their current status is available through US-CERT:
OpenSSL updates are available through their source page:
2. Generate a new private key for a new SSL certificate.
3. Install a new SSL certificate with the new key.
4. (As applicable) Notify users when service(s) is/are no longer vulnerable.
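The three administrator steps above, as an added example that is not part of the original advisory: a small POSIX shell helper that classifies the output of `openssl version` as affected or fixed, and, only once the build is fixed, generates a fresh private key and certificate signing request for a new certificate. The hostname and file paths are placeholders; vendor builds that backport the fix without changing the version string must be checked against the vendor's own status page, not this string.

```shell
#!/bin/sh
# Added example for the Heartbleed remediation steps (not UMass IT's own script).

# Returns 0 (true) if the given `openssl version` output names an affected
# release: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g and later, and the
# 1.0.0 / 0.9.8 branches, did not carry the heartbeat bug.
# Caveat: distributions such as Debian/Ubuntu and RHEL patched 1.0.1e in place,
# so a "1.0.1e" string alone does not prove a host is still affected.
is_heartbleed_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. "1.0.1e" or "1.0.1e-fips"
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]*|1.0.2-beta1*) return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Steps 2 and 3: a new 2048-bit RSA key (owner-readable only) and a CSR for the
# host, so a replacement certificate can be requested from the CA.
# Paths and the CN are placeholders for this example.
regenerate_key_and_csr() {
    host="$1"
    ( umask 077
      openssl genrsa -out "${host}.key" 2048 &&
      openssl req -new -key "${host}.key" -out "${host}.csr" -subj "/CN=${host}" )
}

# Step 1 gate: refuse to mint a new key on a still-vulnerable build, because a
# key generated there could be read out again through the same bug.
remediate_host() {
    current=$(openssl version 2>/dev/null) || { echo "openssl not found" >&2; return 2; }
    if is_heartbleed_vulnerable "$current"; then
        echo "STILL AFFECTED: $current -- update OpenSSL before replacing keys" >&2
        return 1
    fi
    echo "fixed build detected: $current"
    regenerate_key_and_csr "$1"
}
```

Source the file and run `remediate_host www.example.edu` (placeholder hostname) on each server after the update; it exits non-zero and creates nothing while the build is still affected.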
We recommend that students, faculty, and staff:
1. Do not change any passwords to UMass Central IT services until you receive notice later this week that all IT services have been patched. If you have already changed your password, you will need to change it again after UMass IT confirms that all services have been patched.
For any non-UMass IT services:
1. Do not change your passwords or transmit data to secure Web sites or services that you normally use until you have received an official announcement from them regarding a security update.
2. After you've confirmed that the site or service has installed a security update, change your passwords.
3. For at least the next week, monitor your sensitive online accounts (banking, email) for suspicious activity.
RELATED OpenSSL Security Advisory:
US-CERT Vulnerability Note: