The recent discovery of the Heartbleed bug has been well publicized. The Heartbleed bug is a serious vulnerability in the OpenSSL cryptographic software library. This weakness enables attackers to steal information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the internet.
The OpenSSL Heartbleed bug is an important vulnerability that is affecting the internet. Updating to fixed versions of affected software is only part of the solution. From system administrators to end users, we all are likely impacted in some way.
—Will Dormann, CERT Vulnerability Analyst
In a blog post from May 12, 2014, Will Dormann answers questions related to the Heartbleed vulnerability. As the post notes, Heartbleed and its aftermath left many questions in its wake:
On April 25, 2014, technical staff from the SEI and Codenomicon discussed the impact of the recently announced Heartbleed OpenSSL vulnerability along with methods to mitigate and even prevent crises like this in the future.
Chris Clark, Security Engineer from Codenomicon, one of the cybersecurity organizations that discovered the Heartbleed vulnerability, joined technical staff members from the CERT and Software Solutions divisions of the SEI and the SEI's Information Technology department. Panelists discussed how software vulnerabilities like Heartbleed can be mitigated through the different phases of the secure software lifecycle using techniques available today. They also discussed how changes to our current software development and management techniques need to be managed to more effectively reduce the effects of incidents like Heartbleed.
Register to listen to a recording of the webinar.
There is no one-size-fits-all solution here; unfortunately, organizations will have to make decisions based on their own risk tolerances and costs.
—Jason McCormick, CERT Manager of Network and Infrastructure Engineering
The vulnerability note VU#720951, OpenSSL Heartbeat Extension Read Overflow Discloses Sensitive Information, was released on April 7, 2014. Vulnerability notes are living documents that are maintained by CERT researchers. This note lists which vendor sites are affected by the vulnerability and which vendors have posted patches.
The following is a partial list of articles and blog entries that our researchers contributed to.
Heartbleed Flaw Lingers Due to Shaky Response
The Morning Download: Heartbleed Hits Routers, Switches, Firewalls—and CIOs (The Wall Street Journal)
Heartbleed: Now Comes the Hard Work of Damage Assessment (The Wall Street Journal)
'Heartbleed' Mystery: Did Criminals Take Advantage of Cyber-Security Bug? (The Christian Science Monitor)
Heartbleed Bug Could Bleed Millions of Usernames, Passwords
Heartbleed Vulnerability: Change Your Passwords (Fox News, St. Louis Affiliate)
Heartbleed Bug Puts Millions of Online Accounts in Jeopardy
Heartbleed Will Go On Even After the Updates
Determining Heartbleed Exfiltration (Data Breach Today)
What Heartbleed Means for Newsrooms (The ProPublica Nerd Blog)
How to Treat the Heartbleed Bug (Bank Info Security)
Heartbleed Bug: What You Need to Know (Bank Info Security)
DHS Evaluating Heartbleed Impact
For more information about this vulnerability, see the Heartbleed Bug website.