OpenSSL – Heartbleed Notice
Here at Hornbill we take security very seriously, so when we received notification of CVE-2014-0160, which has been dubbed Heartbleed, we investigated our systems in order to identify whether any of our servers were affected by this bug. The bug allows an attacker to read segments of memory allocated by OpenSSL, making it possible to read the contents of private certificates we use to secure data in motion using SSL.
A small number of our front-end web servers (which do not themselves hold any client data) were using the specific version of OpenSSL that is affected and were therefore vulnerable to this attack. We have already patched them and tested, using http://filippo.io/Heartbleed/, to confirm that they are no longer vulnerable.
We have reviewed our own logs and can see no evidence that this vulnerability has been exploited on our systems, and the changes we have made to patch this will not affect our customers in any way. As it turned out, most of our production servers were not vulnerable, as they are running stable versions of OpenSSL that are not impacted by this bug, which was introduced in OpenSSL 1.0.1 (versions 1.0.1 through 1.0.1f inclusive are vulnerable). You can read all about the problem and get more details here: http://heartbleed.com/
Hornbill Cloud Support