The security team at codeREADr immediately assessed April 7th’s disclosure of CVE-2014-0160, also known as Heartbleed. As you may know, this is a critical vulnerability in OpenSSL. This vulnerability can compromise the secret keys used for SSL encryption. Jose Andrade at Engadget.com explains why the “heartbleed patch” is necessary.
“The problem affects a piece of software called OpenSSL, used for security on popular web servers. With OpenSSL, websites can provide encrypted information to visitors, so the data transferred (including usernames, passwords and cookies) cannot be seen by others while it goes from your computer to the website.”
What You Need to Know about the Heartbleed Patch
We at codeREADr use OpenSSL. Therefore, we were potentially vulnerable. However, we have not discovered or been informed of any intrusions or unauthorized use of our systems.
After an immediate patch to our OpenSSL libraries on April 8th at 5:00 am EST (GMT -4:00), we implemented the remaining precautions to ensure security. As of April 11th at 9:00 am EST (GMT -4:00), all necessary steps have been completed to remove this vulnerability. Here’s what we did:
- We patched all OpenSSL libraries on all servers.
- We renewed our SSL certificate and reset internal passwords.
- codeREADr leverages Amazon Elastic Load Balancing infrastructure. This was patched by Amazon.
For your reference, here are some useful links about our Heartbleed patch:
- You can check whether our site is vulnerable here.
- Should you want to change your codeREADr API key, please look here. If you’ve integrated your services with codeREADr’s API, then before you change your API key you should coordinate with your developer.
- Should you want to change your account’s password, please look here. App user passwords need not change.
- For more information on the Heartbleed vulnerability, please look here.
- If you need further information, contact us at any time: email@example.com.
Rich Eicher Sr.
The codeREADr Team