Serious OpenSSL Vulnerability | Technology Services Organization

WHAT'S HAPPENING?
A serious OpenSSL vulnerability was announced yesterday that allows an attacker to compromise the private SSL key without leaving any trace of an attack.

WHO IS AFFECTED?
Users managing a system running OpenSSL v1.0.1 through 1.0.1f. Versions of OpenSSL equal to or less than v1.0.0 are not vulnerable. OpenSSL has fixed the vulnerability in v1.0.1g.

WHAT DO YOU NEED TO DO?
Affected users should patch as soon as possible. An alternate workaround is to recompile OpenSSL with the OPENSSL_NO_HEARTBEATS flag enabled. Once you have applied the fix you will need to replace any SSL certificates, as there is no trace if they've been compromised.

Additional information is available at:
http://www.openssl.org/news/vulnerabilities.html#2014-0160
and
http://heartbleed.com/

WHO SHOULD YOU CONTACT FOR QUESTIONS?
TSO Help Desk (CCB 148, 404.894.7065, helpdesk@cc.gatech.edu).

Clarification:
This only applies to those running services that utilize the affected versions of OpenSSL, such as those running a webserver providing https service.

Technology Services Organization

College of Computing

Georgia Institute of Technology