OpenSSL is the cryptographic software behind a huge number of the private communications across the internet (i.e. the "s" in https, but not only). Namely, it is responsible for verifying the identity of servers and clients (that they are who they say they are) and for keeping
This vulnerability allows an attacker to read up to 64kB of memory from a connected client or server that is running a vulnerable OpenSSL version. The information the attacker obtains may contain (among other things):
- Usernames, passwords and session data of logged-in users.
- Private keys of the servers.
At present we have no evidence that the attack has been carried out against our affected servers, although the vulnerability went undetected for two years. Nonetheless, we have taken the following actions to mitigate any possible effects:
- We have upgraded and patched all of our servers to a non-vulnerable version of OpenSSL.
- We have revoked all affected servers' certificates.
- We deployed the new certificates last Friday.
What can you do?
If you were using any version between 1.0.1f, you probably need to upgrade your OpenSSL version to a non-vulnerable one. You should check your GNU/Linux distribution's security advisories for details on how to proceed.
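As an added example (not part of the original advisory), the following POSIX shell helper classifies an `openssl version` string against the affected range. It assumes that 1.0.1f and the earlier 1.0.1 releases are the ones needing an upgrade and that other branches are not affected; because distributions often backport the fix without changing the version string, an "affected" verdict must still be confirmed against your distribution's advisory, as the text above says.

```sh
#!/bin/sh
# Added example, not the advisory's own tooling.
# Assumption: the affected range is the 1.0.1 branch up to and including
# 1.0.1f (as the advisory names 1.0.1f); 1.0.1g and later, and other
# branches, are treated as not affected.
# Caveat: distro packages may carry a backported fix while still reporting
# an old version string, so confirm with the distribution advisory.

# Returns 0 (true) if the version string is in the affected range.
# $1: full output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
openssl_needs_upgrade() {
    set -- $1          # split on whitespace; the version is the 2nd word
    ver=$2
    case "$ver" in
        1.0.1)         return 0 ;;   # the unlettered 1.0.1 release
        1.0.1-*)       return 0 ;;   # vendor-suffixed unlettered build
        1.0.1[a-f])    return 0 ;;   # 1.0.1a .. 1.0.1f
        1.0.1[a-f]-*)  return 0 ;;   # e.g. "1.0.1e-fips" vendor builds
        *)             return 1 ;;   # 1.0.1g+, 1.0.0x, 0.9.8x, 1.0.2+, ...
    esac
}

# Human-readable verdict for one version string.
verdict() {
    if openssl_needs_upgrade "$1"; then
        echo "affected range (confirm with distro advisory): $1"
    else
        echo "not in affected range: $1"
    fi
}

# Usage: check the locally installed binary, if any.
if command -v openssl >/dev/null 2>&1; then
    verdict "$(openssl version)"
fi
```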
Although we are not going to force a reset of users' passwords, we recommend that you change your password as soon as possible. Since this is a widespread vulnerability, the IFCA Computing team recommends that you change your password on any service that might have been affected and enable two-factor authentication wherever possible.
If you encounter any problems or need more information, please do not hesitate to send an email to our support helpdesk (firstname.lastname@example.org).