GlobalSign. Important Security Advisory Blog: Heartbleed Bug
This data can include sensitive material such as the server’s private key, but it is not limited to that: any data in memory on the server is at risk, including sensitive customer data. Nor is the issue limited to web servers; if you use an SSL-based VPN that relies on OpenSSL, you may also be at risk. Access to this type of sensitive data creates a serious vulnerability because attackers can use it to decrypt past communications (when Perfect Forward Secrecy (PFS) is not configured), steal critical data and, in the case of a private key compromise, impersonate the associated server.
Resolution and Recommendations
We strongly recommend anyone using OpenSSL to:
- Verify which version of OpenSSL they are using and upgrade their systems to the appropriate fixed release from OpenSSL.
- Request a reissue (with a new private key) for SSL Certificates that were installed on affected servers, install the new certificate, then request revocation of the old certificate.
- Use GlobalSign’s SSL Configuration Checker tool to test your server for the Heartbleed vulnerability.
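The first step above, checking the installed OpenSSL version, is easy to get wrong because 1.0.x patch levels carried a letter suffix (so "1.0.1f" is older than "1.0.1g", and "1.0.2" is newer than both), which a plain string or float comparison mishandles. The following added example, which is not part of the GlobalSign advisory or its checker tool, parses the `openssl version` banner into a comparable tuple; the required release is a parameter, and `REQUIRED_MIN` is a placeholder because this page does not name the fixed release.

```python
"""Compare an `openssl version` banner against a required minimum release.

Added example (not from the GlobalSign advisory). REQUIRED_MIN is a
placeholder: substitute the fixed release named in OpenSSL's own advisory.
"""
import re
import subprocess

REQUIRED_MIN = "0.0.0"  # placeholder, see module docstring

# Matches "OpenSSL 1.0.1e 11 Feb 2013" and "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter) from a banner, or None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def version_key(parsed):
    """Sortable key: numeric parts first, then suffix length, then the letters.

    No suffix sorts before 'a', and OpenSSL's double-letter suffixes ('za')
    sort after single letters ('z'), which the length component guarantees.
    """
    major, minor, patch, letter = parsed
    return (major, minor, patch, len(letter), letter)


def is_at_least(banner, required=REQUIRED_MIN):
    """True if the banner's version is >= required; False if older or unparseable."""
    have = parse_openssl_version(banner)
    want = parse_openssl_version("OpenSSL " + required)
    if have is None or want is None:
        return False
    return version_key(have) >= version_key(want)


def installed_banner():
    """Run `openssl version` on this host; return '' if the binary is absent."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
        return proc.stdout
    except OSError:
        return ""
```

Distributions frequently backport security fixes without changing the banner's version number, so a `False` result here is a prompt to check the vendor's package advisory for your installed package, not proof of exposure on its own.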
GlobalSign offers free reissues to its direct customers, so if you are a GlobalSign SSL customer affected by the Heartbleed bug, please see our support center for instructions on reissuing your SSL Certificate.
You can read the original article here.