On April 7th (2014) a security issue was publicly disclosed in the open-source library OpenSSL, which a large share of web servers use to encrypt the traffic between server and browser. Due to a programming error in OpenSSL's implementation of the TLS heartbeat extension, a client can make the server return up to 64 KB of its process memory per request, and the request can be repeated as often as the attacker likes. Unfortunately that memory can contain the private key used for the encryption of the traffic (as well as session cookies and passwords of other users). An attacker who gets hold of the private key can decrypt the data between browser and web server. As the bug is located in the so-called "heartbeat" function of OpenSSL, it was named the "Heartbleed" bug (CVE-2014-0160).
How can I check if my server is affected?
In the meantime two websites have been published that test any server: http://filippo.io/Heartbleed/ and http://possible.lv/tools/hb/.
After entering the address, the server is checked against the Heartbleed bug. For LeanIX this test shows that the security issue is closed:
Which other measures have we executed at LeanIX?
The first step is updating the OpenSSL library on all servers; updated OpenSSL packages are available for all modern server operating systems. Upstream versions 1.0.1 through 1.0.1f are affected, 1.0.1g and later are fixed, and distributions have shipped packages that backport the fix without changing the upstream version number. Note that the updated library only takes effect once every service that has it loaded (web server, mail server, VPN and so on) has been restarted, because a running process keeps using the old copy of the library.
To ensure that the private key stays secret, we at LeanIX have replaced all SSL certificates on all servers. This so-called re-issue of a certificate means that we generated new private keys and requested new certificates from our trusted SSL certificate provider. Re-keying is only complete when the old certificate is also revoked at the certificate provider, because an attacker who already copied the old key could otherwise keep impersonating the server until that certificate expires; and since the leaked memory can also hold session cookies and passwords, invalidating existing sessions after the fix is in place is the usual follow-up.
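Two checks belong to the update step above: whether the installed OpenSSL still reports a version in the affected range, and whether any process is still running the old library after the package was replaced on disk. The script here is an added example, not code from the original post or from LeanIX. The version check parses the output of `openssl version`; the restart check is Linux-specific and relies on the kernel marking a mapping of a replaced file as "(deleted)" in `/proc/<pid>/maps`. Function names and the sample maps text are choices of this example.

```python
"""Added example: post-update checks for the OpenSSL fix.
(1) Is the upstream version string in the affected range?
(2) Does any running process still map a libssl/libcrypto that was replaced on disk?"""
import glob
import re
import subprocess

_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?")


def upstream_version_vulnerable(version: str) -> bool:
    """Affected upstream releases: 1.0.1 through 1.0.1f and 1.0.2-beta1.
    1.0.0 and 0.9.8 never had the heartbeat code; 1.0.1g fixed it.
    Caveat: distributions backport the fix without bumping the upstream number
    (Debian's 1.0.1e-2+deb7u5 is fixed), so True means "check the package
    changelog", not "proven vulnerable"."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, letter, beta = m.groups()
    triple = (int(major), int(minor), int(patch))
    if triple == (1, 0, 1):
        return letter in ("", "a", "b", "c", "d", "e", "f")   # "" is plain 1.0.1
    if triple == (1, 0, 2):
        return beta == "-beta1"
    return False


def installed_openssl_version() -> str:
    """Output of the system `openssl version` binary (assumed to be on PATH)."""
    result = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    return result.stdout.strip()


def stale_ssl_mappings(maps_text: str) -> list:
    """Paths from a /proc/<pid>/maps dump that point at a libssl/libcrypto whose file
    was replaced on disk; the kernel appends '(deleted)' to such mappings.
    A process showing any of these is still executing the old, unpatched code."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # the path is the 6th field and may contain spaces
        if len(fields) < 6:
            continue
        path = fields[5]
        if re.search(r"lib(ssl|crypto)\.so", path) and path.endswith("(deleted)"):
            stale.add(path)
    return sorted(stale)


def processes_needing_restart(proc_root: str = "/proc") -> dict:
    """pid -> stale library paths for every process whose maps we may read (Linux only;
    run as root to see other users' processes)."""
    needs_restart = {}
    for maps_file in glob.glob(f"{proc_root}/[0-9]*/maps"):
        pid = int(maps_file.split("/")[-2])
        try:
            with open(maps_file) as fh:
                stale = stale_ssl_mappings(fh.read())
        except OSError:                        # process exited or permission denied
            continue
        if stale:
            needs_restart[pid] = stale
    return needs_restart


if __name__ == "__main__":
    version = installed_openssl_version()
    verdict = "AFFECTED RANGE" if upstream_version_vulnerable(version) else "outside affected range"
    print(f"{version}: {verdict}")
    for pid, libs in processes_needing_restart().items():
        print(f"pid {pid} still maps {', '.join(libs)} -> restart it")
```

The "(deleted)" test is the one that catches the common mistake after Heartbleed: the package was upgraded, `openssl version` already prints the fixed release, but the web server started before the upgrade is still serving with the old library in memory. Both checks only cover the library; the certificate re-issue has to be verified separately by comparing the serial number or fingerprint the server presents with the newly issued certificate.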
Further information on the topic can be found here:
Image source: heartbleed.com