A security research team from Codenomicon and a security engineer from Google have found a serious vulnerability in the very popular OpenSSL library, which is used to generate SSL/TLS keys and to secure our web, email, IM and VPN servers.
This flaw, called the Heartbleed bug, was announced yesterday and is pretty serious: it allows anyone on the Internet to read the memory (up to 64k of memory of a connected client or server) of the systems protected by the vulnerable versions of the OpenSSL software, which are versions 1.0.1 (a to f) and 1.0.2-beta1. Versions 1.0.1g, 1.0.0 and older do not suffer from this vulnerability, which was introduced by the Heartbeat Extension.
To check your version of OpenSSL, simply run the following command:
or run the online Heartbleed test
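As an added example (not part of the original post), the POSIX shell snippet below parses the output of `openssl version` and flags the releases listed above as affected. The function names `is_vulnerable_version` and `check_local_openssl` are my own; the pattern also matches the plain `1.0.1` release, which the OpenSSL advisory lists alongside 1.0.1a to 1.0.1f as vulnerable.

```shell
#!/bin/sh
# Added example: classify an `openssl version` string against the Heartbleed-affected releases.
# Affected: 1.0.1 through 1.0.1f, and 1.0.2-beta1. Fixed: 1.0.1g. Unaffected: 1.0.0 and older.

# Return 0 (true) when the version string names an affected release, 1 otherwise.
# Accepts either the full "OpenSSL 1.0.1f 6 Jan 2014" line or a bare "1.0.1f".
is_vulnerable_version() {
    # shellcheck disable=SC2086
    set -- $1                 # split on whitespace: $1="OpenSSL", $2="1.0.1f", ...
    ver=${2:-$1}              # fall back to the bare version if no "OpenSSL" prefix was given
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # Heartbeat extension present, bug unfixed
        1.0.2-beta1)      return 0 ;;   # first 1.0.2 beta, also affected
        *)                return 1 ;;   # 1.0.1g, 1.0.0 and older, or an unknown build
    esac
}

# Check the openssl binary on this host. Exit codes: 0 = affected, 1 = not in the affected set,
# 2 = no openssl found.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found in PATH"
        return 2
    fi
    out=$(openssl version)
    if is_vulnerable_version "$out"; then
        echo "AFFECTED version string: $out"
        return 0
    fi
    echo "not in the affected set: $out"
    return 1
}

# Run the local check when the script is executed; ignore its exit status here so the
# functions above can also be sourced from another script.
check_local_openssl || :
```

One caveat when reading the result: some distributions (Debian, Ubuntu and Red Hat among them) backported the fix into their existing 1.0.1e packages without bumping the upstream version string, so a string match like this can report "affected" on a host that is actually patched. Confirm with the package changelog or the vendor advisory before acting on the output, and remember that regenerating the private key also means issuing a new certificate and revoking the old one.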
This flaw will impact a lot of systems, as the SSL private keys generated with vulnerable OpenSSL versions are also affected!
Considering the long exposure window, the ease of exploitation and the fact that attacks leave no trace, this issue should be taken seriously.
If you are using a vulnerable version:
1) Update your OpenSSL version (OpenSSL 1.0.1g, released on the 7th of April 2014, fixes the bug).
2) Regenerate your private keys.
3) Spread the word!!