OpenSSL Heartbleed security update
April 8, 2014
Yesterday, the OpenSSL Project released an update to address CVE-2014-0160, a vulnerability nicknamed "Heartbleed." This vulnerability affects many applications and services including ServerPilot, DigitalOcean, Amazon AWS, and others.
The Heartbleed vulnerability can be remotely exploited to leak encryption secrets including private keys from SSL servers. An attacker who obtains an SSL server's private key and who can intercept traffic is able to read and alter HTTPS communication.
What We Have Done
As of Tuesday, April 8, 2014 at 11:04 UTC, we ensured all of our customers servers and all of ServerPilot's infrastructure received Ubuntu's updated openssl packages.
As of Tuesday, April 8, 2014 at 11:28 UTC, we completed restarts of Nginx on all of our customers servers and all of ServerPilot's infrastructure where SSL apps were used. This was necessary in order for Nginx to be using the updated openssl libraries that fix the vulnerability. After restarting Nginx, each server was verified to be working correctly.
As of Tuesday, April 8, 2014 at 20:44 UTC, we completed replacement of all SSL keys used by ServerPilot along with correspondingly reissued certificates.
What You Should Do
ServerPilot users should do the following:
- Update passwords as a precautionary measure. We do not have any evidence that passwords have been compromised, but you will be safest if you change your passwords.
- If you use SSL with your apps, generate new keys, have your Certificate Authority reissue your certificates, and deploy your new keys and certificates. Your old certificate should stop working soon after you have it reissued once your Certificate Authority marks it as revoked.
As always, please don't hesitate to contact us if you have any additional questions or concerns.