Open Source Toolkit OpenSSL - Vulnerability
1. Memory leakage with Open Source OpenSSL Toolkit
The following versions of the Open Source OpenSSL Toolkit [0] are vulnerable [1] to memory leakage:
>> OpenSSL Version 1.0.1 through 1.0.1f (inclusive)
Risks:
If one of the above OpenSSL versions was used to generate a Certificate Signing Request (CSR), and that version is still running on your web site, there is a risk that the private key associated with the corresponding SSL certificate may be compromised.
By leveraging the Toolkit vulnerability, an intruder might gain access to sensitive information (e.g. secret keys, usernames, passwords, certificates or other information) held in the memory of the server on which OpenSSL is installed, without leaving any trace of the intrusion.
2. Bug fix
OpenSSL Version 1.0.1g, released on 7 April 2014, fixes the defect.
3. Recommended actions
If you use an OpenSSL Toolkit, Version 1.0.1 through 1.0.1f (inclusive), we recommend that you patch or update it [2][3].
If you used an OpenSSL Toolkit, Version 1.0.1 through 1.0.1f (inclusive) [4], to create a CSR, or if you are running such a version on your web site, or if in doubt, we recommend that you replace the associated SSL certificate with a new one created using OpenSSL version 1.0.1g.
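The check and renewal steps of the recommended actions above, as an added example that is not part of the LuxTrust notice: a POSIX shell script that classifies an OpenSSL version string against the range 1.0.1 through 1.0.1f named above and wraps the key/CSR regeneration. The host name, output file names and the 2048-bit RSA key size are assumptions.

```shell
#!/bin/sh
# Added example, not from the LuxTrust notice. Checks an OpenSSL version
# string against the affected range named in the notice (1.0.1 through
# 1.0.1f inclusive) and wraps the key/CSR regeneration step.

# Return 0 when the version token is in 1.0.1 .. 1.0.1f (inclusive).
# Build suffixes such as "1.0.1e-fips" stay in range; anything else
# (1.0.0, 1.0.1g, 1.0.2, ...) is reported only as "not in the named range".
in_affected_range() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the version token out of an "openssl version" line,
# e.g. "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f".
version_token() {
    set -- $1
    printf '%s\n' "$2"
}

# Print a one-line verdict for a full "openssl version" line.
report() {
    v=$(version_token "$1")
    if in_affected_range "$v"; then
        printf '%s: IN AFFECTED RANGE - patch/update and renew the certificate\n' "$v"
    else
        printf '%s: not in the 1.0.1-1.0.1f range\n' "$v"
    fi
}

# Regenerate a private key and CSR with the patched toolkit, as the notice
# recommends. Host name, output paths and RSA key size are assumptions.
renew_key_and_csr() {
    host="$1"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$host.key" -out "$host.csr" -subj "/CN=$host" \
    && chmod 600 "$host.key"
}

# Constructed sample line first, then the local toolkit if one is installed.
report "OpenSSL 1.0.1f 6 Jan 2014"
if command -v openssl >/dev/null 2>&1; then
    report "$(openssl version)"
fi
# Renewal step (writes key and CSR files, so not run here):
#   renew_key_and_csr www.example.com
```

Distribution packages often keep the upstream version string after backporting the fix [2][3], so a match means "verify the installed package", not "certainly unpatched".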
4. LuxTrust support
For clients who, in line with the above recommendation, want to replace their SSL certificate with a new one, LuxTrust exceptionally agrees to extend the validity period of the administrative file it already holds from 6 to 12 months.
Additional sources of information:
[0] http://www.openssl.org/
[1] http://www.openssl.org/news/secadv_20140407.txt
[2] http://www.ubuntu.com/usn/usn-2165-1
[3] http://www.debian.org/security/2014/dsa-2896
[4] http://heartbleed.com/