Bitium's Response to Heartbleed

What was the problem?

Late yesterday, OpenSSL, a major open-source security library, announced a serious security hole in their software. The security issue is known as the "Heartbleed" bug, named after the “heartbeat” feature that introduced the problem. A detailed writeup is available at http://heartbleed.org and the issue has been assigned the identifier CVE-2014-0160 by mitre.org.

The security hole allows an attacker to read memory from an affected system via the normal SSL (secure) connection. As the exploit is conducted within the SSL protocol, which is used to secure network connections for things like web sites, email servers, VPNs, etc., it is undetectable. An attacker using the exploit would in theory be able to read the secret keys used to establish the SSL connection and thus be able to decrypt other people's secure traffic. In theory, any information you were sending to and from a "secure" website (i.e. passwords, bank account details, email text, etc.) is at risk of being snooped upon.

We also have a more detailed post about the vulnerability.
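To make the "read memory via the heartbeat feature" description concrete, here is a simplified model of the defect, added to this post and not taken from OpenSSL's source: a heartbeat record carries a 2-byte length claimed by the peer, and the unfixed code copied that many bytes into the reply without confirming the record really contained them. The buffer contents, the constructed "stale" bytes, and the function names are all illustrative assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_HEADER 3        /* type (1 byte) + payload_length (2 bytes, big-endian) */
#define HB_PADDING_MIN 16  /* a heartbeat record must end with at least 16 bytes of padding */
#define MEM_SIZE 64        /* constructed "process memory" around the received record */

/* Constructed receive buffer: the record occupies the first received_len bytes; whatever
   follows stands in for stale data the allocator left next to it (e.g. key material). */
static uint8_t memory[MEM_SIZE];

/* Lay out a heartbeat_request whose header claims claimed_len payload bytes, while only
   received_len bytes were actually received. Returns received_len. */
static size_t build_memory(uint16_t claimed_len, size_t received_len) {
    memset(memory, 0, sizeof memory);
    memory[0] = 0x01;                          /* heartbeat_request */
    memory[1] = (uint8_t)(claimed_len >> 8);   /* payload_length, high byte */
    memory[2] = (uint8_t)(claimed_len & 0xff); /* payload_length, low byte */
    memory[3] = 'h'; memory[4] = 'i';          /* the 2 payload bytes actually sent */
    memcpy(memory + 5, "SECRET-KEY-MATERIAL", 19); /* constructed stale bytes beyond the record */
    return received_len;
}

/* Build the echo payload into out. Returns bytes copied, or -1 if the record is rejected.
   check_bounds == 0 models the defect: the peer's claimed length is trusted.
   check_bounds == 1 models the fix: reject unless header + payload + padding fit in what arrived. */
static int heartbeat_response(size_t received_len, int check_bounds, uint8_t *out, size_t out_cap) {
    if (received_len < HB_HEADER) return -1;
    uint16_t claimed = (uint16_t)((memory[1] << 8) | memory[2]);
    if (check_bounds && (size_t)HB_HEADER + claimed + HB_PADDING_MIN > received_len) return -1;
    if (claimed > out_cap || (size_t)HB_HEADER + claimed > MEM_SIZE) return -1; /* keeps this model in-bounds */
    memcpy(out, memory + HB_HEADER, claimed); /* unchecked path copies stale bytes into the reply */
    return (int)claimed;
}
```

With the check disabled, a 5-byte record claiming 20 bytes of payload gets 18 bytes of neighbouring memory echoed back; with the check enabled the same record is rejected, while a well-formed record (2 payload bytes plus 16 bytes of padding) still succeeds.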


What is affected?

All Bitium servers are hosted in Amazon’s EC2 environment. While our servers were not vulnerable to the problem, Amazon’s load balancers and the servers at our CDN, EdgeCast, were vulnerable. We have been in discussions with both providers and have confirmed that both have applied the necessary patches to their systems in the last 24 hours.


What happens next?

We are in the process of rotating our SSL certificates under the assumption that the SSL secret keys might have been leaked. We will also reset all login and two-factor authentication (2FA) sessions, which will require users to re-verify their credentials.


What should our customers do?

We strongly recommend that customers change their Bitium passwords as well as passwords for all other applications. While no passwords stored in Bitium are known to have been leaked, the vulnerability that allows this exploit has been in the wild for some time now, and it is possible that passwords used outside of the Bitium environment have been compromised.

Now would be a great opportunity for everyone to review the strength of their passwords and enable two-factor authentication on mission-critical applications.

We also suggest that customers talk to each of their SaaS vendors and verify that they have updated their systems.