There has been much publicity around the "Heartbleed" bug in OpenSSL that was announced last Tuesday (en.wikipedia.org/wiki/Heartbleed). We have put together a few FAQs on this topic and our servers.
Q. Does this bug affect me / my server?
A. If you are on a Windows Server, then no, you are not affected. If you are on a Linux server and have an SSL certificate on your site, it is likely to have affected you.
Q. What have catalyst2 done about it?
A. We patched all affected servers as soon as the bug was made public, preventing exploitation of the bug once it became widely known.
Q. Now it is patched is there still any risk?
A. There is a small risk that the bug was exploited in the two years before it was made public. So far there has only been one known exploitation, and that was a deliberate test encouraged by a security company to see whether the bug could be exploited; it took over 2.5 million requests to a website to obtain any data about the SSL certificate that encrypted it.
Q. Can anything be done about this small risk?
A. Yes, we can reissue your SSL certificate and revoke the one that is currently on your website. Please email email@example.com if you want us to do this.
Q. Would catalyst2 recommend any additional action?
A. Yes, once we have reissued your SSL certificate we would recommend that any passwords are reset.
The impact of this bug is still somewhat unknown; however, the above steps are considered current best practice. If you have any further questions, please let us know at firstname.lastname@example.org