Vulnerability in OpenSSL Could Allow Remote Attackers to Expose Sensitive Data. OpenSSL Users Should Upgrade to Version 1.0.1g.

Wednesday, April 9, 2014

A recently discovered vulnerability in OpenSSL (CVE-2014-0160) could allow a remote attacker to expose authentication credentials, secret keys, and other data. The flaw, commonly referred to as the Heartbleed vulnerability, is a missing bounds check in the TLS heartbeat extension: an attacker can read up to 64 KB of the private memory of an application that uses the vulnerable OpenSSL library with each malformed heartbeat request, and can repeat the request as often as desired.

OpenSSL 1.0.1g has been released to address this vulnerability. Computing Services and Systems Development is aware of this vulnerability and has taken steps to patch any affected systems, applications, or services. Departments are strongly encouraged to identify any departmental systems using OpenSSL version 1.0.1 through 1.0.1f (or the 1.0.2 beta) and upgrade those systems to OpenSSL 1.0.1g directly or via the appropriate patch provided by an application or operating system vendor. Note that the 0.9.8 and 1.0.0 branches are not affected, and that some vendors ship the fix as a patch without changing the reported version number, so the vendor's own advisory should be consulted when the version string alone is inconclusive. Services that were already running when the library was updated continue to use the old code until they are restarted.

In addition, because private keys held in memory by a vulnerable service may have been read, any private keys and certificates used by such a service should be regenerated and reissued after the patch has been applied and the service restarted, and the old certificates revoked. Since exposed memory can also contain passwords and session tokens, users of affected services should change their passwords once the fix is in place.

Please contact the Technology Help Desk at 412-624-HELP [4357] if you have any questions regarding this announcement.
