Heartbleed Patch Status Update
The security team at codeREADr immediately assessed April 7th’s disclosure of CVE-2014-0160, also known as Heartbleed. As you may know, this is a critical vulnerability in OpenSSL that can compromise the secret keys used for SSL encryption. Jose Andrade at Engadget.com explains why the “Heartbleed patch” is necessary.
“The problem affects a piece of software called OpenSSL, used for security on popular web servers. With OpenSSL, websites can provide encrypted information to visitors, so the data transferred (including usernames, passwords and cookies) cannot be seen by others while it goes from your computer to the website.”
What You Need to Know about the Heartbleed Patch
We at codeREADr use OpenSSL. Therefore, we were potentially vulnerable. However, we have not discovered or been informed of any intrusions or unauthorized use of our systems.
After an immediate patch to our OpenSSL libraries on April 8th at 5:00 am EST (GMT -4:00), we implemented the remaining precautions to ensure security. As of April 11th at 9:00 am EST (GMT -4:00), all necessary steps have been completed to remove this vulnerability. Here’s what we did:
- We patched all OpenSSL libraries on all servers.
- We renewed our SSL certificate and reset internal passwords.
- codeREADr leverages Amazon Elastic Load Balancing infrastructure. This was patched by Amazon.
For your reference, here are some useful links about our Heartbleed patch:
- You can check our vulnerability.
- You can change your codeREADr API key. If you’ve integrated your services with codeREADr’s API, then before you change your API key you should coordinate with your developer.
- You can change your account’s password. App user passwords need not change.
- More information on the Heartbleed vulnerability
- If you need further information, contact us at any time: firstname.lastname@example.org.
Rich Eicher Sr.
The codeREADr Team