By Kurt Ewoldsen, Manager, CDL Information & Applications Support
On April 8, the US Computer Emergency Readiness Team (US-CERT) announced a serious vulnerability (CVE-2014-0160, aka the “Heartbleed Bug”) in OpenSSL, a cryptographic software library that underlies much of the encryption used to secure the Internet.
The vulnerability allows attackers to:
- read usernames, passwords, and other sensitive information stored in server memory and
- obtain the key required to decrypt secure communication to and from the server, and impersonate the server itself
CDL technical staff have analyzed the use of OpenSSL within our services and have remediated, or are remediating, any instances determined to be vulnerable to this security exploit.
At this time, there is no evidence that our services were compromised.
If you have any questions or concerns about this issue, please contact the CDL Helpdesk: firstname.lastname@example.org.