OpenSSL library versions 1.0.1 through 1.0.1f (inclusive) as well as the 1.0.2-beta1 pre-release
All software built against OpenSSL 1.0.1 through 1.0.1f has an urgent security vulnerability (CVE-2014-0160, known as "Heartbleed"). Affected systems include many Unix and Linux distributions and the applications that link OpenSSL on them, including Apache and Nginx, which together serve more than 50% of the public webservers on the Internet. Also affected are cloud services such as CloudFlare and Amazon Web Services, as well as many behind-the-firewall web services. Note that a system is affected by the OpenSSL build its applications actually load, not by the operating system name.
By sending malformed TLS heartbeat requests, an attacker can read up to 64 KB of the server process's memory per request and repeat the read at will; the read leaves no trace in application logs. Memory recovered this way can include the server's private key, session keys, usernames, passwords, credit card numbers, or any other data the process was handling. With the private key, an attacker can decrypt captured traffic (except sessions negotiated with forward-secret cipher suites) and impersonate the site to its users.
ORGANIZATIONS MUST REPLACE KEYS AND CERTIFICATES ON THOSE SYSTEMS WITH NEW, TRUSTED KEYS AND CERTIFICATES.
NOTE: The Venafi software does NOT use the OpenSSL libraries to secure SSL/TLS sessions, and is therefore NOT AFFECTED by this vulnerability.
To remediate the vulnerable OpenSSL software
- Identify any server using OpenSSL versions 1.0.1 through 1.0.1f or 1.0.2-beta1. Check the library the server actually loads, not only the openssl command-line binary.
- Upgrade to OpenSSL 1.0.1g, OR recompile the OpenSSL library with the -DOPENSSL_NO_HEARTBEATS flag. Distribution packages may carry the fix as a backport under an older version string (for example a patched 1.0.1e), so confirm the fix through the vendor's advisory or package changelog rather than the version number alone.
- Restart every process that links OpenSSL (web servers, mail servers, VPN daemons, and so on). A running process keeps the old, vulnerable library mapped in memory until it is restarted.
NOTE: These software fixes DO NOT address the exposure from captured/compromised keys and certificates. Experts suggest ALL keys and certificates on affected systems must be considered compromised. The OpenSSL software fixes therefore do not help you find where all of your OpenSSL keys and certificates are located, rotate the exposed keys, revoke the existing certificates, or replace them with new certificates.
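The identification step above is easy to get wrong on distribution-patched systems and on servers that were upgraded but never restarted. The script below is an added example, not Venafi's or the OpenSSL project's code: it classifies the reported OpenSSL version, looks for the CVE in the vendor package changelog (a backported fix), and lists processes that still map a libssl or libcrypto file that has since been replaced on disk. The package names and changelog paths are the common Debian/Ubuntu and RHEL/CentOS ones and are assumptions; adjust them for other distributions.

```shell
#!/bin/sh
# Heartbleed (CVE-2014-0160) local exposure check. Added example, not Venafi's code.
# Usage: sh heartbleed_check.sh --run   (run on each candidate server as root)

# Classify an "openssl version" string (first token after the word OpenSSL).
# Prints one of: vulnerable | fixed | unaffected
classify_openssl_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]*) echo vulnerable ;;   # 1.0.1 .. 1.0.1f, incl. "-fips" builds
        1.0.2-beta1*)      echo vulnerable ;;   # the one 1.0.2 pre-release that shipped the bug
        1.0.1[g-z]*|1.0.2*) echo fixed ;;       # 1.0.1g and later, 1.0.2-beta2 and later
        *)                 echo unaffected ;;   # 0.9.8, 1.0.0 (no heartbeat code), 1.1.x and later
    esac
}

# Best-effort check for a vendor backport: does the installed package's
# changelog mention the CVE? Succeeds (exit 0) if it does.
vendor_backport_present() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog openssl 2>/dev/null | grep -q CVE-2014-0160 && return 0
    fi
    for f in /usr/share/doc/libssl1.0.0/changelog.Debian.gz \
             /usr/share/doc/openssl/changelog.Debian.gz; do
        [ -r "$f" ] && zcat "$f" | grep -q CVE-2014-0160 && return 0
    done
    return 1
}

# Does a /proc/<pid>/maps file show a libssl/libcrypto mapping whose file was
# replaced on disk (the kernel marks it "(deleted)")? Such a process still
# runs the OLD library even though the package was upgraded.
maps_has_stale_ssl() {
    grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$1" 2>/dev/null
}

# Print the pid and command name of every process still using a stale library.
stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if maps_has_stale_ssl "$maps"; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < /proc/$pid/cmdline 2>/dev/null | cut -c1-60)"
        fi
    done
}

main() {
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    status=$(classify_openssl_version "$ver")
    echo "openssl version string: ${ver:-<none>} -> $status"
    if [ "$status" = vulnerable ] && vendor_backport_present; then
        echo "vendor changelog mentions CVE-2014-0160: treat as patched, verify with a probe"
    fi
    echo "processes still mapping a replaced libssl/libcrypto (restart these):"
    stale_ssl_processes
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

The version classification is only a first filter: a distribution that backported the fix keeps the old version string, which is why the changelog is consulted, and a server that was patched but not restarted still exposes the bug, which is why the stale-mapping list matters. A positive result from either check should be followed by a direct test of the service before it is declared clean.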
VENAFI'S TrustProtection Platform can SECURELY REVOKE & REPLACE (ROTATE) YOUR KEYS AND CERTIFICATES QUICKLY TO HELP REMEDIATE THE COMPROMISED KEYS
To remediate the compromised keys and certificates on those servers (only after the OpenSSL fix is in place and the services restarted, otherwise the new keys can be read out the same way)
- Generate NEW keys and request new certificates for them using Venafi TrustAuthority*. Re-issuing a certificate on the existing key does not remove the exposure; the new certificate must carry a new key.
- Install the new keys and certificates, then verify that they are in place on those servers using the network validation feature in Venafi TrustAuthority*. If you have purchased Venafi TrustForce*, you can use that product to securely deliver and install the new keys and certificates to the appropriate applications.
- Revoke the old X.509 SSL certificates on all affected servers using Venafi TrustAuthority* once the replacements are serving traffic.
- Administrators should enforce resetting of admin and end-user passwords, and invalidate active sessions, as both may have been visible in a compromised server's memory. Do this after patching, so that the new credentials are not exposed in turn.
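The install-and-verify step has one check that is easy to skip: confirming that the replacement certificate actually carries a new public key, and that the live endpoint is presenting it. The helpers below are an added example using the stock openssl command line, not Venafi's product code; they compare SHA-256 fingerprints of the certificates' public keys, which is the property that changes when (and only when) the key was really rotated.

```shell
#!/bin/sh
# Key-rotation verification for Heartbleed remediation. Added example, not Venafi's code.
# Requires the openssl command-line tool.

# SHA-256 hex digest of the DER-encoded public key carried by a PEM certificate.
cert_pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# The same digest derived from a PEM private key, so a key file can be
# matched against the certificate it is supposed to belong with.
key_pubkey_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Compare the old and the replacement certificate.
# Prints "rotated" if the public key changed, "NOT-rotated" if the new
# certificate was issued on the same (compromised) key.
rotation_status() {
    old=$(cert_pubkey_fingerprint "$1")
    new=$(cert_pubkey_fingerprint "$2")
    if [ -n "$old" ] && [ "$old" != "$new" ]; then
        echo rotated
    else
        echo NOT-rotated
    fi
}

# Fetch the certificate a live endpoint presents and check that its public
# key matches the expected fingerprint (exit 0 on match). host port fingerprint
served_key_matches() {
    served=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$served" ] && [ "$served" = "$3" ]
}

# Example run: sh verify_rotation.sh old.pem new.pem new.key www.example.com 443
if [ $# -eq 5 ]; then
    echo "rotation: $(rotation_status "$1" "$2")"
    [ "$(cert_pubkey_fingerprint "$2")" = "$(key_pubkey_fingerprint "$3")" ] \
        && echo "new cert matches new key" || echo "new cert does NOT match $3"
    if served_key_matches "$4" "$5" "$(cert_pubkey_fingerprint "$2")"; then
        echo "$4:$5 is serving the new key"
    else
        echo "$4:$5 is NOT serving the new key (old key still deployed?)"
    fi
fi
```

Run it with the old certificate, the new certificate, the new private key, and the endpoint; a "NOT-rotated" result means the certificate authority re-signed the old key and the request must be repeated with a freshly generated one. The served-key check is the same comparison a network validation performs and should be run against every address that fronts the service, since load-balanced nodes are commonly missed.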
*If you are on previous Venafi Director versions, you may be accustomed to different product name terminology:
- Venafi TrustAuthority = Discovery, Monitoring, and Enrollment
- Venafi TrustForce = Provisioning