On April 7th, 2014, a new security vulnerability was announced in OpenSSL: Heartbleed. Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic software library. The bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. Services such as web, email, instant messaging (IM) and some virtual private networks (VPNs) may have been affected.
Heartbleed is believed to affect more than two-thirds of all Internet services, and many of OpenSRS’s systems rely on OpenSSL to protect customer data. At this point, we have no evidence that this attack was used against OpenSRS, but we have been doing our due diligence to ensure the integrity of our services and systems.
We started work to secure our systems as soon as the problem was announced. We patched the affected systems we run within a few hours, so we consider the risk of OpenSRS being exploited by Heartbleed to be low.
We have been working quickly to ensure that every aspect of this problem is covered off. We are confident that the measures we have put in place have brought our systems back to a secure environment.