Last night an important security vulnerability was made public, together with the corresponding security updates. On vulnerable systems it risks exposing private keys.
OpenSSL was vulnerable from the OpenSSL 1.0.1 release on 14th of March 2012 until OpenSSL 1.0.1g, released on 7th of April 2014. Two security teams independently reported this issue and it’s safe to assume others did as well. On top of that, it’s not possible to trace whether you were successfully exploited.
- All customer environments managed by us are fully updated by now.
- We scanned all our prefixes and notified customers which manage their own environments.
- Replaced all SSL keys and certificates.
- Revoked all replaced certificates.
- Excellent FAQ on http://heartbleed.com/
- Check if you’re vulnerable: http://filippo.io/Heartbleed/
- USN-2165-1: OpenSSL vulnerabilities
- OpenVPN is also vulnerable
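
As an added example (not part of the original notice), the shell functions below triage collected `openssl version` output against the upstream range given above, 1.0.1 up to but not including 1.0.1g. Distribution updates such as the USN listed above can fix the bug without changing the upstream version letter, so "in-range" means "check the installed package's patch level", not "confirmed vulnerable". The hostnames and inventory lines are constructed sample data.

```shell
# Classify one `openssl version` line against the upstream range stated
# above: 1.0.1 up to, but not including, 1.0.1g.
# Prints one of: in-range | not-in-range | unknown
classify_openssl_version() {
    # "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e" (only "-fips" is dropped)
    ver=$(printf '%s\n' "$1" |
        awk '$1 == "OpenSSL" { sub(/-fips$/, "", $2); print $2 }')
    case "$ver" in
        '')                   echo unknown ;;       # not an openssl banner
        *-*)                  echo unknown ;;       # pre-release or other suffix: review by hand
        1.0.1|1.0.1[abcdef])  echo in-range ;;      # 1.0.1 through 1.0.1f
        *)                    echo not-in-range ;;
    esac
}

# Read "hostname <openssl version line>" records on stdin and print every
# host that still needs a package-level check (in-range or unknown).
hosts_to_review() {
    while read -r host line; do
        [ -n "$host" ] || continue
        status=$(classify_openssl_version "$line")
        [ "$status" = not-in-range ] || printf '%s %s\n' "$host" "$status"
    done
}

# Constructed sample inventory (hypothetical hosts, not real systems).
sample_inventory() {
    cat <<'EOF'
web01 OpenSSL 1.0.1e-fips 11 Feb 2013
web02 OpenSSL 1.0.1g 7 Apr 2014
db01 OpenSSL 0.9.8y 5 Feb 2013
vpn01 OpenSSL 1.0.1 14 Mar 2012
old01 openssl: command not found
EOF
}

sample_inventory | hosts_to_review
```

Services that link their own copy of OpenSSL are not covered by the system `openssl` binary's banner and need to be checked separately.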
Updated on April 22nd with latest status and more information.