CionSystems products are not vulnerable to the Heartbleed bug:
- CionSystems products don’t utilize OpenSSL libraries. Note: The Heartbleed bug affects TLS connections via a vulnerability in the heartbeat Logic.
- CionSystems products are deployed on Microsoft IIS server, which is not affected by this exploit: http://blogs.iis.net/erez/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
The “Heartbleed Bug” is a security flaw in OpenSSL’s TLS implementation. SSL/TLS provide secure the transmission for private information. The bug is actually a memory leak exploit that can potentially lead to the exposure of server keys. This can result disclosure of private computer memory and private information. It is indeed a very serious vulnerability.
How to diagnose if your systems are vulnerable:
To determine if your systems are vulnerable to the Heartbleed bug, see http://www.kb.cert.org/vuls/id/720951
How to fix systems that are vulnerable to Heartbleed *and* the potential loss of private keys:
If you find any of your systems vulnerable to the Heartbleed bug, the steps typically involved in fixing a system include:
- Patching vulnerable systems with OpenSSL 1.0.1g
- Regenerating new private keys
- Submitting new CSR to your CA
- Obtaining and install new signed certificate
- Revoking old certificates
Exercise caution when revoking certificates as some systems may become inaccessible.