On Monday, the OpenSSL Project released an update to address the CVE-2014-0160 vulnerability, also known as “Heartbleed”. This serious vulnerability affects a substantial number of applications and services running on the Internet, including the CloudPassage Halo™ service. As of Tuesday, April 8th at 2:30pm PDT, all CloudPassage production systems have been updated and are no longer vulnerable. All communication between the Halo agents and the Halo analytics engine use message-level encryption, encrypting each payload, in order to mitigate SSL vulnerabilities at the transport layer.
This vulnerability can be remotely exploited to leak encryption secrets from OpenSSL-encrypted sessions, allowing an attacker to retrieve private key material. The vulnerability stems from the way that OpenSSL handles the heartbeat extension in the TLS protocol. The OpenSSL Project has already provided a version that patches this bug and many of the major Linux distributions have already provided updated versions via their regular package management services.
Steps We Have Taken
- Tested and deployed patches to all production systems and restarted the affected services.
- As a precaution we’ve had our SSL certificates re-issued using new keys.
What You Can Do
We encourage all CloudPassage customers to update their CloudPassage account passwords. We have not found any evidence that any passwords have been compromised, but given the amount of time that this vulnerability was in existence the safest thing to do for your account is to rotate your CloudPassage credentials. We also recommend turning on Two Factor Authentication for accessing your Halo™ account as an additional layer of protection.
We are continuing to monitor this vulnerability and will post updates as things progress.
Future details on the vulnerability can be found at the following sites: