The Heartbleed bug is a critical security vulnerability in OpenSSL. It allows an attacker to read memory from a server without any authorisation and without leaving a trace. A fix is already available, but it will take considerable time before it is deployed across the whole Internet.
Parashift has already confirmed that for all of our public services, we were not affected.
What is affected
Any server running one of the newer, affected versions of OpenSSL. This includes servers running Apache or any other application that relies on OpenSSL for SSL/TLS.
Is Alfresco affected by Heartbleed?
Alfresco itself does not handle SSL connections; it relies on its servlet container or on an SSL proxy in front of it. There are two possibilities:
- Using the servlet container to handle SSL: if you are using a servlet container such as Tomcat or JBoss, which relies on the Java SSL libraries rather than OpenSSL, you are not affected by Heartbleed.
- Using an SSL proxy: if you are relying on Apache as an SSL proxy, you will be affected, because Apache's SSL support relies on OpenSSL.
How do you fix it?
- Upgrade OpenSSL. Most major Linux distributions have already shipped a fixed OpenSSL package, so on Ubuntu the upgrade is as simple as running these two commands:
sudo apt-get update
sudo apt-get upgrade
- Revoke and reissue all affected SSL certificates: there is a chance the private key has been leaked.
- If your website uses authentication, reset the passwords of all users, since credentials may also have been exposed.
Testing your server
You can test your server at the following URL: http://filippo.io/Heartbleed/
There is a great write-up of how this bug came about and how it was fixed here: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
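To show what that fix actually changed, here is an added illustration written for this post (it is not OpenSSL's source): a cut-down model of the TLS heartbeat handler with the missing length check beside the patched form. The record layout and the 1 + 2 + 16 arithmetic follow the upstream patch; the memory image, the struct and the function names are constructed for the example.

```c
#include <string.h>
/* Added illustration, not OpenSSL's code. A heartbeat record on the wire is
 * type(1) | payload_len(2) | payload | 16 bytes padding; the reply echoes the payload. */
#define PADDING 16
struct record {                  /* stand-in for OpenSSL's s->s3->rrec */
    const unsigned char *data;
    size_t length;               /* bytes actually received on the wire */
};
/* Vulnerable: copies the peer-supplied payload_len bytes with no bounds check. */
size_t heartbeat_vulnerable(const struct record *r, unsigned char *out) {
    const unsigned char *p = r->data;
    unsigned int payload = (p[1] << 8) | p[2];   /* n2s(p, payload) */
    memcpy(out, p + 3, payload);                 /* reads past the record end */
    return payload;
}

/* Fixed: the upstream patch added two checks so the declared payload must fit the record. */
long heartbeat_fixed(const struct record *r, unsigned char *out) {
    const unsigned char *p = r->data;
    unsigned int payload;
    if (r->length < 1 + 2 + PADDING) return -1;            /* too short */
    payload = (p[1] << 8) | p[2];
    if (1 + 2 + payload + PADDING > r->length) return -1;  /* would over-read */
    memcpy(out, p + 3, payload);
    return (long)payload;
}

/* Constructed memory image: a received record with 2 real payload bytes but
 * a header claiming 40, followed by unrelated data that must never be echoed. */
static unsigned char process_memory[64] = {
    0x01, 0x00, 0x28, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* 16 bytes padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y'  /* adjacent memory */
};
static const struct record request = { process_memory, 1 + 2 + 2 + PADDING };
int vulnerable_leaks_adjacent_memory(void) {   /* 1 if the reply carries adjacent bytes */
    unsigned char reply[64] = {0};
    size_t n = heartbeat_vulnerable(&request, reply);
    return n == 40 && memcmp(reply + 18, "SECRET-KEY", 10) == 0;
}
int fixed_rejects_oversized_request(void) {    /* 1 if the fix refuses the same record */
    unsigned char reply[64] = {0};
    return heartbeat_fixed(&request, reply) == -1;
}
int fixed_echoes_valid_request(void) {         /* 1 if a well-formed record still works */
    unsigned char wire[1 + 2 + 2 + PADDING] = { 0x01, 0x00, 0x02, 'h', 'i' };
    struct record valid = { wire, sizeof wire };
    unsigned char reply[64] = {0};
    return heartbeat_fixed(&valid, reply) == 2 && memcmp(reply, "hi", 2) == 0;
}
```

The three check functions make the point concrete: the unpatched handler echoes bytes that were never part of the request, while the patched one rejects that record and still answers a correctly sized one.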
Ramifications of Heartbleed
An important part of any business is a security policy that allows vulnerabilities to be resolved effectively and efficiently. Vulnerabilities are discovered every day, and it is up to every business to ensure the safety and confidentiality of its clients and employees. Having a security strategy that mitigates these types of risk is a must. Security is not static; it is dynamic and evolving, and it will only become a more pertinent issue as we move towards a more collaborative world. Using open standards and languages that are resistant to this class of bug, such as Java, is paramount in securing information accordingly.
The benefit of open source software is that vulnerabilities like this can be found and rectified quickly. Closed source software that relies purely on security through obscurity, such as Dropbox, has repeatedly proven that this is not an acceptable strategy. The wider community has done a huge amount to raise awareness of this issue, with fixes and support websites available everywhere.