Heartbleed Bug? Meet Your Exterminator!

The Heartbleed bug (aka CVE-2014-0160) has been exposed and is making fear-inducing headlines around the world. Simply put, it is a vulnerability in OpenSSL, a cryptographic library used by approximately 50% of websites worldwide. Heartbleed poses a security threat for websites that use OpenSSL: it is possible for attackers to access sensitive information such as login credentials and credit card numbers. While this problem is being eradicated by systems administration superheroes (like our own Greg Palmier), we advise all internet users to monitor their accounts.

While the Heartbleed bug is being taken very seriously by the team at Promet, we encourage our clients to rest easy. We have been at the forefront of protecting our clients' servers and sites with upgrades and fixes. The impact of Heartbleed has been mitigated on several fronts.

Our SysAdmin, Greg, has been focusing on resolving this issue:

  • For development servers, a cookbook that automatically updates all packages every night is already in place. As soon as the fixed packages were added to the package manager repository, they were installed within a 24-hour period.
  • We carried out a thorough assessment of production servers. Production servers currently using SSL were patched immediately and the affected services were restarted; commonly, that is just the web server software.
  • Promet uses several versions of several operating systems. We primarily use Debian-based operating systems, and we quickly addressed the bug's impact on Debian 6 (Squeeze) and 7 (Wheezy).
  • Servers running pre-1.x versions of OpenSSL were not affected by the Heartbleed bug and remain unaffected.
  • Debian 7 servers with Drupal sites using SSL were updated immediately to apply the fix.
  • Servers deployed using CentOS or Red Hat Enterprise Linux (RHEL) were addressed accordingly.
  • Package maintainers for yum-based operating systems updated the OpenSSL and affected dependency packages after the Heartbleed bug was published.
  • A server-by-server assessment of whether each of our clients' Drupal sites uses SSL, and whether the server OS is affected, took place, and packages were updated immediately.
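A post-patch check of the kind the steps above imply (update the OpenSSL packages, then restart whatever still runs the old library), added here as an example; it is not Promet's tooling and not part of the original post. Until a service is restarted it keeps the pre-patch libssl/libcrypto mapped in memory, and that old file shows up in its /proc maps as "(deleted)". The proc root is a parameter (an assumption of this example) so the check can be exercised against a constructed tree.

```shell
#!/bin/sh
# Example (not from the original post): list processes that still map a
# deleted libssl/libcrypto after an OpenSSL package upgrade, i.e. the ones
# that must be restarted before the fix is actually effective.

# Print "pid comm" for every process whose maps reference a deleted
# libssl or libcrypto shared object. $1 is the proc root (default /proc);
# run as root on a live host, since other users' maps are not readable.
stale_openssl_procs() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # A maps line ends with the mapped file's path; "(deleted)" marks a
        # file that was replaced on disk (the pre-patch library).
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid=$(basename "$(dirname "$maps")")
            name=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
    return 0
}

# Human-readable report; returns 1 when something still needs a restart,
# so it can gate a post-patch step in automation.
report_stale_openssl() {
    stale=$(stale_openssl_procs "${1:-/proc}")
    if [ -n "$stale" ]; then
        printf 'Processes still mapping a deleted libssl/libcrypto (restart them):\n%s\n' "$stale"
        return 1
    fi
    printf 'No process maps a deleted libssl/libcrypto.\n'
    return 0
}

# Live check only when invoked as: sh check_stale_openssl.sh --check
if [ "${1:-}" = "--check" ]; then
    report_stale_openssl /proc
fi
```

A clean report only proves that no running process holds the old library; it says nothing about whether the installed package version is the fixed one, which is a separate check against the distribution's advisory.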
 
Clients with further questions or concerns are welcome to reach out to their Project Manager.