Corevist’s Heartbleed Announcement
On April 7, 2014, information was released about a new vulnerability (CVE-2014-0160) in OpenSSL, the cryptography library that powers the vast majority of private communication across the Internet. This library is key to maintaining privacy between servers and clients and to confirming that Internet servers are who they say they are.
This vulnerability, known as Heartbleed, would allow an attacker to steal the keys that protect communication, user passwords, and even the contents of a vulnerable server's memory.
As of right now, we have no indication that the attack has been used against Corevist (formerly b2b2dot0). However, the nature of the attack makes it hard to detect, so we're proceeding with a high level of caution.
What is Corevist doing about this?
UPDATE: 04/12/2014 – As of this time, all servers have been patched and all Corevist controlled SSL certificates have been re-keyed and regenerated. Clients with vanity URLs have been notified and re-keying is underway for those as well. See below for more information.
We’ve completed a number of measures already and continue to work the issue.
- We’re patching all our affected systems with the newer, protected versions of OpenSSL. We started upgrading our QA servers after the vulnerability became public and will complete the production servers over this coming weekend.
- We’re recreating and redeploying our SSL keys and generating new SSL certificates. If you have a vanity URL with us and have provided your own SSL certificate, we’ll be generating new CSRs (certificate signing requests) and requesting that you generate a replacement SSL certificate.
- After production is updated, we’ll be forcibly resetting all browser sessions that were active prior to the vulnerability being addressed on our servers. You or your customers may be logged out and have to log back into your portal. This is a proactive measure to defend against potential session hijacking attacks that may have taken place while the vulnerability was open.
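As an added illustration of the patching step (example code, not part of Corevist's announcement), the helper below classifies an OpenSSL version banner against the affected range, 1.0.1 through 1.0.1f plus the 1.0.2-beta1 pre-release, and applies the check to the OpenSSL library the running Python interpreter is linked against; the function names are assumptions of this example.

```python
import re
import ssl

# Releases that shipped the vulnerable heartbeat code: 1.0.1 through 1.0.1f
# and the 1.0.2-beta1 pre-release. 1.0.1g (7 Apr 2014) carries the fix.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Parse a banner such as 'OpenSSL 1.0.1e 11 Feb 2013' into
    (major, minor, fix, letter, beta). Raises ValueError for non-OpenSSL
    banners (e.g. LibreSSL), which this check does not cover."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_heartbleed_vulnerable(banner):
    """True when the banner names a release in the Heartbleed-affected range.
    Caveat: distributions often backport the fix without changing the
    upstream version string (a patched build may still report 1.0.1e), so a
    True result means 'verify against the package changelog', not 'confirmed'."""
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # Empty letter (plain 1.0.1) through 'f' are affected; 'g' and later are fixed.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the affected code.
        return beta == 1
    return False


def local_openssl_status():
    """Report on the OpenSSL this interpreter links against.
    Returns (banner, vulnerable) where vulnerable is None if the banner
    is not an OpenSSL banner."""
    banner = ssl.OPENSSL_VERSION
    try:
        return banner, is_heartbleed_vulnerable(banner)
    except ValueError:
        return banner, None


if __name__ == "__main__":
    print(local_openssl_status())
```

A banner check like this is a quick triage aid for an inventory of servers; the authoritative answer for a distribution-supplied OpenSSL is the package's changelog or security advisory.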
What can you do about this?
While at this time Corevist has no indication that the attack has been used beyond testing the vulnerability, users who want to be extra cautious should take the following steps:
- Change your password
- Update the “news” section in your Corevist portal to recommend that your end users change their passwords
Corevist is committed to keeping your environment safe. We are continuing to respond to this vulnerability and will post updates as things progress. Keep an eye here for more information.
* Special thanks to Github for much of this content