Security Notice: Heartbleed Bug Poses OpenSSL Vulnerability

WHEN           April 7, 2014, ongoing

WHAT     On Monday, April 7, 2014, the OpenSSL Project announced a serious vulnerability in OpenSSL, called Heartbleed, that can expose data on systems running OpenSSL.

OpenSSL is one of the most popular data encryption tools for Web traffic, and as a result, the effects of this vulnerability are wide-ranging.
OpenSSL has released a fix for Heartbleed, included in version 1.0.1g. Server administrators using OpenSSL should update their version immediately either through OpenSSL or their applicable vendor.

WHO IS        Server Administrators, General Public

NEXT STEPS We recommend that Campus Server Administrators:

1. Update OpenSSL through OpenSSL or your vendor.

A list of vendors and their current status is available through US-CERT:

OpenSSL updates are available through their source page:

2.    Generate a new private key for a new SSL certificate.
3.    Install a new SSL certificate with the new key.
4.    (As applicable) Notify users when service(s) is/are no longer vulnerable.
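
Steps 1 to 3 above as a shell sketch, added here and not part of the original notice: it flags `openssl version` output in the affected range (1.0.1 through 1.0.1f and the 1.0.2 betas before beta2, per the OpenSSL advisory), creates a fresh key and CSR, and confirms the new key differs from the one in the old certificate. Function names, file paths and the subject string are assumptions.

```shell
#!/bin/sh
# Added example; function names and file paths are illustrative assumptions.

# Succeeds (0) if an `openssl version` line names a Heartbleed-affected release:
# 1.0.1 through 1.0.1f, or 1.0.2-beta / 1.0.2-beta1. 1.0.1g carries the fix.
# Vendor packages may backport the fix without changing the letter, so a hit
# here means "check the vendor's status", not proof of exposure.
heartbleed_affected() {
    set -- $1                      # split e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
    case "${2:-}" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        1.0.2-beta|1.0.2-beta1)                return 0 ;;
        *)                                     return 1 ;;
    esac
}

# Step 2: create a new private key (owner-readable only) and a CSR for it.
# $1 = new key path, $2 = CSR path, $3 = subject, e.g. "/CN=www.example.invalid"
new_key_and_csr() {
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" ) &&
    openssl req -new -key "$1" -out "$2" -subj "$3"
}

# Print the SHA-256 of the public key held in a PEM certificate or private key.
pubkey_digest() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 3 check: succeeds only if the new key is NOT the key in the old
# certificate (or old key file). Reissuing a certificate over the old key
# leaves any previously exposed private key valid.
# $1 = old certificate or key, $2 = new key or certificate
key_was_rotated() {
    old=$(pubkey_digest "$1") || return 2
    new=$(pubkey_digest "$2") || return 2
    [ "$old" != "$new" ]
}
```

Run `heartbleed_affected "$(openssl version)"` on each server, and `key_was_rotated old.crt new.key` before sending the CSR to the certificate authority.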

                    We recommend that students, faculty, and staff:

1. Do not change any passwords to UMass Central IT services until you receive notice later this week that all IT services have been patched. If you have already changed your password, you will need to change it again after UMass IT confirms that all services have been patched.

                    For any non-UMass IT services:

1. Do not change your passwords or transmit data to secure Web sites or services that you normally use until you have received an official announcement from them regarding a security update.
2. After you've confirmed that the site or service has installed a security update, change your passwords.
3. For at least the next week, monitor your sensitive online accounts (banking, email) for suspicious activity.

RELATED     OpenSSL Security Advisory:

                    OpenSSL Updates:

                    Codenomicon Summary:

                    US-CERT Vulnerability Note:

About this Entry

This page contains a single entry by Fowler, Nancy published on April 10, 2014 2:21 PM.
