As you may have heard, a grave vulnerability in OpenSSL was disclosed Monday last week: CVE-2014-0160 (also known as Heartbleed).

OpenSSL is the cryptographic library behind a huge number of private communications across the internet (the "s" in "https", among other things). Namely, it is responsible for verifying the identity of servers and clients (that they are who they say they are) and for keeping communications private.

This vulnerability allows an attacker to read up to 64kB of memory from a connected client or server running a vulnerable OpenSSL version. The information the attacker can obtain may include (among other things):

  • Usernames, passwords and session tokens of logged-in users.
  • The servers' private keys.

Currently we have no evidence that the attack has been carried out against our affected servers, although the vulnerability went undetected for two years. Nevertheless, we have taken the following actions to mitigate any possible effects:

  • We have upgraded and patched all of our servers to a non-vulnerable version of OpenSSL.
  • We have revoked all affected servers' certificates.
  • We deployed the new certificates last Friday.

What can you do?

If you are running any OpenSSL version from 1.0.1 up to and including 1.0.1f, you most likely need to upgrade to a non-vulnerable one. Check your GNU/Linux distribution's security advisories for details on how to proceed.
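As an added example (not part of this advisory), a small POSIX shell check that classifies the version token printed by `openssl version` against the 1.0.1 to 1.0.1f range above. The sample output lines are constructed; since many distributions backport the fix without changing the version string (a patched package may still report 1.0.1e), a "vulnerable" result only means the distribution advisory or package changelog must be consulted.

```shell
#!/bin/sh
# Added example, not the advisory's own code: classify an OpenSSL version
# string against the Heartbleed-affected range 1.0.1 .. 1.0.1f.
# Caveat: distributions often backport the fix without bumping the version,
# so "vulnerable" here means "verify against your distribution's advisory".

# openssl_version_token LINE -> the version token from `openssl version` output
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"
openssl_version_token() {
    set -- $1
    echo "$2"
}

# heartbleed_range VERSION -> "vulnerable", "not-in-range" or "unknown"
heartbleed_range() {
    v=$1
    # drop build suffixes such as "-fips" ("1.0.1e-fips" -> "1.0.1e")
    v=${v%%-*}
    case "$v" in
        "")               echo unknown ;;
        # 1.0.1 with no letter, or 1.0.1a .. 1.0.1f: in the affected range
        1.0.1|1.0.1[a-f]) echo vulnerable ;;
        # 1.0.1g and later, or any other branch (0.9.8, 1.0.0, ...)
        *)                echo not-in-range ;;
    esac
}

# check_installed_openssl -> classification of the locally installed binary
check_installed_openssl() {
    line=$(openssl version 2>/dev/null || true)
    heartbleed_range "$(openssl_version_token "$line")"
}

# Demo on constructed `openssl version` output lines
for line in "OpenSSL 1.0.1e 11 Feb 2013" \
            "OpenSSL 1.0.1e-fips 11 Feb 2013" \
            "OpenSSL 1.0.1g 7 Apr 2014" \
            "OpenSSL 1.0.0l 6 Jan 2014"; do
    printf '%s -> %s\n' "$line" "$(heartbleed_range "$(openssl_version_token "$line")")"
done
```

Running `check_installed_openssl` on a host prints the classification of the binary on the PATH.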

Although we are not going to force a reset of users' passwords, we recommend that you change your password as soon as possible. Since this is a widespread vulnerability, the IFCA Computing team recommends that you change your password in any service that might have been affected and enable two-factor authentication whenever possible.

More information

If you encounter any problems or need more information, please do not hesitate to send an email to our support helpdesk (