We just issued an advisory notice for customers regarding the recent Heartbleed vulnerability in OpenSSL.
The issue doesn’t reside within our CryptoComply module; it’s in the higher level OpenSSL libraries that (can) call into our CryptoComply module. This means there is no FIPS impact to our customers… however, there is a security impact.
Folks, this is serious stuff. Key material is subject to being disclosed to attackers. Even if you’re using another crypto module with your vulnerable OpenSSL implementation, patch it immediately. But just patching it isn’t enough. Consider this the right time to update your keys and certificates. You should assume that an attacker knows them by now.
I have to say that I’m very proud of the SafeLogic team here. We responded and had new builds commencing within a few hours of the notice. We provide upstream OSSL stack as a value to our customers, and it’s important to all of us that they run securely. Builds run through smoke testing and functional testing to ensure proper operation for FIPS, and builds are available on our support portal.
We’ll continue to stay on top of this. We’re not only looking to help our customers… we want to help protect the industry at large. This is that big of an issue. Security awareness becomes key, so let’s keep this at top of mind.