Heartbleed Patch Status Update

Heartbleed 101

The security team at codeREADr immediately assessed April 7th’s disclosure of CVE-2014-0160, also known as Heartbleed. As you may know, this is a critical vulnerability in OpenSSL that can compromise the secret keys used for SSL encryption. Jose Andrade at Engadget.com explains why the “Heartbleed patch” is necessary:

“The problem affects a piece of software called OpenSSL, used for security on popular web servers. With OpenSSL, websites can provide encrypted information to visitors, so the data transferred (including usernames, passwords and cookies) cannot be seen by others while it goes from your computer to the website.”

What You Need to Know about the Heartbleed Patch

We at codeREADr use OpenSSL. Therefore, we were potentially vulnerable. However, we have not discovered or been informed of any intrusions or unauthorized use of our systems.

After an immediate patch to our OpenSSL libraries on April 8th at 5:00 am EST (GMT -4:00), we implemented the remaining precautions to ensure security. As of April 11th at 9:00 am EST (GMT -4:00), all necessary steps have been completed to remove this vulnerability. Here’s what we did:

  • We patched all OpenSSL libraries on all servers.
  • We renewed our SSL certificate and reset internal passwords.
  • codeREADr leverages Amazon Elastic Load Balancing infrastructure. This was patched by Amazon.

Action Items

For your reference, here are some useful links about our Heartbleed patch:

Rich Eicher Sr.
The codeREADr Team