We want to draw attention to a very serious bug in OpenSSL that has been disclosed, together with working exploits. The bug is tracked as CVE-2014-0160, but in the IT field it is referred to as the Heartbleed Bug. A corrective release of the OpenSSL library (OpenSSL 1.0.1g) has already been issued. We strongly recommend that all administrators update their systems.
What it is about
The vulnerability allows a remote attacker to read the contents of the server's memory (that is, certificate keys, passwords, cookies, anything held there). If a server has already been attacked, this cannot be detected in its logs.
What is vulnerable
OpenSSL 1.0.1 through 1.0.1f (that is, all versions released in the last two years) is vulnerable.
According to the latest Netcraft survey (http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html), OpenSSL is used by 66% of servers worldwide.
What is not vulnerable
OpenSSL before 1.0.1
OpenSSL 1.0.1g
Servers that do not use encryption, or that use software other than OpenSSL.
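As an added example (not part of the AEC advisory), a small Python triage script that classifies hosts against the version ranges listed above, using a constructed inventory of `openssl version` output. One caveat the version string cannot capture: distribution packages often backport the fix while keeping the 1.0.1e version number, so the package changelog, not the bare version, is authoritative for such hosts.

```python
import re

# Ranges from the advisory: 1.0.1 through 1.0.1f are vulnerable,
# anything before 1.0.1 is not, and 1.0.1g is the fixed release.
AFFECTED_BRANCH = (1, 0, 1)
FIXED_LETTER = "g"

# Matches "1.0.1f" or the leading part of "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text):
    """Return (major, minor, fix, letter) from a version string or `openssl version` line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def classify(text):
    """Classify one OpenSSL version against the advisory's ranges."""
    major, minor, fix, letter = parse_version(text)
    branch = (major, minor, fix)
    if branch < AFFECTED_BRANCH:
        return "not vulnerable"          # 0.9.8 / 1.0.0: before 1.0.1
    if branch > AFFECTED_BRANCH:
        return "outside advisory scope"  # branches the advisory does not cover
    # 1.0.1 (no letter) .. 1.0.1f are vulnerable; "" < "g" and "f" < "g" hold.
    # Caveat: distro backports may keep "1.0.1e" after patching; check the package changelog.
    return "vulnerable" if letter < FIXED_LETTER else "not vulnerable"


# Constructed inventory: "<host> <output of `openssl version`>" per line.
INVENTORY = """\
web01 OpenSSL 1.0.1e 11 Feb 2013
web02 OpenSSL 1.0.1g 7 Apr 2014
mail01 OpenSSL 0.9.8y 5 Feb 2013
vpn01 OpenSSL 1.0.1 14 Mar 2012
"""


def triage(inventory):
    """Map each host in the inventory to its classification."""
    results = {}
    for line in inventory.splitlines():
        host, _, version_text = line.partition(" ")
        results[host] = classify(version_text)
    return results


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```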
Exploits are available and working. The bug is being heavily abused all over the world.
Find more information at http://heartbleed.com/.
Recommendation of AEC
We recommend updating OpenSSL to 1.0.1g immediately, or, as a workaround, adjusting the FW (firewall) so that it detects any attempt to abuse the bug. Bear in mind that the bug is not limited to web servers; it affects all encrypted communication that uses OpenSSL.
More details are available on request.