Crisisworks patched against Heartbleed bug

Posted 9 April 2014 by Scott Davey (Crisisworks)

Recently, a security vulnerability called Heartbleed was discovered in a widely used third-party library called OpenSSL. This library is used on roughly 2/3 of the world's servers, including the Crisisworks load balancers.

The vulnerability allows attackers to read small, random pieces of the server's memory - mostly this would be unrecognisable data, but in the worst case it could potentially be the private key of the security certificate we use to encrypt data in transit.

We became aware of this threat on April 8, and our servers were quickly patched by early April 9, securing our systems against the flaw.

Although there is no confirmed exploitation of this flaw at this stage, as an additional precaution we are in the process of renewing our SSL certificates, and we have invalidated all log-in sessions, requiring users to log in again.

There is no further user action required.

If you require more information on our response to Heartbleed, please contact our Service Desk and quote CV-707.



