A new security vulnerability was announced yesterday (CVE-2014-0160) in OpenSSL that allows an attacker to read up to 64kB of memory. Any service that supports TLS and is using v1.0.1 or greater of the openssl library is vulnerable (including web servers, mail servers, vpns etc.)
Updates are now available for most Linux distros, and in particular for Ubuntu 12.04 (Precise) and above. Ubuntu 10.04 (Lucid) is not affected.
All our own systems and our managed customers’ systems are now patched and secured and we urge all other customers to apply the available updates as soon as possible. Remember to restart affected services, so they pick up the new version of the library.
It’s important to note than an attacker could have read data from your server, such as private keys, passwords, cookies etc. There is currently no evidence that this vulnerability was known to attackers before it was announced yesterday, but it would be very difficult to know for sure if you’ve been targeted. We recommend you make your own risk assessment and take appropriate action (such as obtaining a new certificate and key, changing passwords etc.). A detailed summary of the vulnerability and it’s impact is available at heartbleed.com.
Our Cloud Load Balancer service received this update today (Tuesday 8th April) at 1am BST. Customers running load balancers created before this time should create new load balancers with the same settings and move their Cloud IPs.
Load balancers not using https listeners are not vulnerable but could become vulnerable if a https listener is added in future, so we recommend all customers migrate to new balancers.
