The OpenSSL "Heartbleed" bug

A serious vulnerability (CVE-2014-0160) has been found in recent versions of the widely used OpenSSL library, which secures communications on large parts of the Internet. It allows an attacker to read information from the memory of affected systems. It has been christened the Heartbleed bug because it involves a memory leak (or bleed) in the TLS heartbeat code.

This information could include extremely sensitive data such as the private keys for SSL certificates, allowing the attacker to eavesdrop on encrypted traffic or impersonate the website. So if you are running a vulnerable version you should update as soon as possible: now that details of the vulnerability are public, even if exploitation was not happening before it can be expected to start, given the potential gains for the bad guys out there.
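To make the "bleed" concrete, here is an added C model of the heartbeat handler (an illustration written for this page, not OpenSSL's own code): the pre-fix version trusts the peer-supplied payload length, while the fixed version checks it against the bytes actually received. It assumes the RFC 6520 record layout (type, 16-bit length, payload, at least 16 bytes of padding) and uses a constructed request inside a simulated memory buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added illustration, not OpenSSL's own code. Record layout per RFC 6520:
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16 bytes). */
enum { HB_HDR = 3, HB_PAD = 16, HB_REQUEST = 1, HB_RESPONSE = 2 };
/* Pre-fix logic: the peer-supplied payload_length is never compared with the
 * bytes actually received, so the echo copies past the end of the record.
 * arena_len is a simulation-only bound so this model never reads outside its
 * own array; the real code had no such guard. */
static int hb_reply_vulnerable(const uint8_t *rec, size_t rec_len, size_t arena_len,
                               uint8_t *out, size_t out_cap)
{
    size_t n;
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return -1;
    n = ((size_t)rec[1] << 8) | rec[2];                      /* claimed length */
    if (HB_HDR + n > arena_len || HB_HDR + n > out_cap) return -1; /* sim guard */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);                   /* n vs rec_len: unchecked */
    return (int)(HB_HDR + n);
}
/* Fixed logic: reject a record whose claimed payload plus mandatory padding
 * does not fit in the bytes received; only then echo the payload. */
static int hb_reply_fixed(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap)
{
    size_t n;
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST) return -1;
    n = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + n + HB_PAD > rec_len) return -1;            /* the missing check */
    if (HB_HDR + n > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);
    return (int)(HB_HDR + n);
}
/* Constructed scenario: a 21-byte request carrying the 2-byte payload "hi"
 * but claiming `claimed` bytes, with 'S' bytes after the record standing in
 * for unrelated process memory. Reply lands in hb_out; returns its length. */
static uint8_t hb_out[64];
static int hb_scenario(int fixed, uint8_t claimed)
{
    uint8_t arena[64];
    const size_t rec_len = HB_HDR + 2 + HB_PAD;
    memset(arena, 'S', sizeof arena);
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = claimed;
    arena[3] = 'h'; arena[4] = 'i';
    memset(arena + 5, 0, HB_PAD);
    return fixed ? hb_reply_fixed(arena, rec_len, hb_out, sizeof hb_out)
                 : hb_reply_vulnerable(arena, rec_len, sizeof arena, hb_out, sizeof hb_out);
}
```

With a claimed length of 32, the pre-fix handler returns a 35-byte reply whose tail is the 'S' bytes that lie beyond the record, while the fixed handler rejects the same request and still echoes an honest 2-byte request.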

We are maintaining a list of affected system versions and links to vendor advisories that we know about.

This has a potentially massive impact due to the widespread use of the OpenSSL software and the fact that the attack leaves no trace on the systems concerned. Any site that has been running a vulnerable version of the software will therefore find it very hard to prove that an attack has not taken place, and may have to act on the assumption that it has.

The vulnerability affects all OpenSSL 1.0.1 versions before 1.0.1g but fortunately does not affect older versions prior to 1.0.1a, which was released in April 2012. This may limit the scope of the vulnerability, because the version of the library supplied with operating systems tends to lag behind the OpenSSL releases and major sites are likely to be conservative about running the very newest OS version on critical servers; however, 1.0.1 is widely used in what are regarded as current "stable" versions of major OSes.

The vulnerability was subject to responsible disclosure by those who found it (Neel Mehta of Google Security and, independently, a team at Codenomicon), so it is likely that some major sites have already been fixed (e.g. CloudFlare, as mentioned in a recent blog posting).

We have links to more information here.