[All_jlab_accounts] JLab Cybersecurity Alert: Patch Push to Address Web Vulnerability
Kandice Carter
kcarter at jlab.org
Wed Apr 9 13:24:16 EDT 2014
Sent on behalf of the IT Division
A vulnerability in OpenSSL has been discovered that impacts secure/encrypted web services. Since OpenSSL is used by a large number of web servers for secure communications (https) over the Internet, this vulnerability has far-reaching impacts.
The IT Division has reviewed the laboratory's servers/services that use OpenSSL and is in the process of patching the vulnerable ones. As of now the vulnerability seems limited to the version of OpenSSL used with the laboratory's RHEL6 Linux systems. As a precaution, the patch is also being pushed out to Linux desktops (RHEL6) because there have been some reports that clients (e.g. web browsers) may also be impacted by this bug. Users with RHEL6 desktops will need to reboot their desktops at the end of the day to ensure all applications pick up the update. If you are a Linux desktop user and are unsure of the version of Linux you have, reboot your desktop at the end of the day just to be sure.
Since this vulnerability has impacted so many of the websites on the Internet, Jefferson Lab's Cybersecurity Team also suggests that staff and Users change their passwords on any non-laboratory systems (e.g. yahoo, facebook, amazon, etc.) as a precaution.
For those who would like to know more about the nature of the vulnerability, this bug, referred to as the OpenSSL "Heartbleed" Bug, allows a remote attacker to expose sensitive data, user authentication credentials and secret keys through incorrect memory handling in the Transport Layer Security (TLS) heartbeat extension. Although the vulnerability is being reported as a server issue, there are reports that the vulnerability also allows attackers to extract data from clients. Any keys generated with a vulnerable version of OpenSSL should be considered compromised and will need to be regenerated and deployed after the patch has been applied.
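As an added illustration of the "incorrect memory handling" mentioned above (this is example code written for this page, not OpenSSL's source and not anything the IT Division distributed): a reduced model of how a TLS heartbeat request is answered. The record layout (1 byte type, 2 byte payload length, payload, at least 16 bytes padding) follows the heartbeat extension; the in-memory layout, the placeholder "secret" string and the function names are assumptions made for the demonstration. The vulnerable handler trusts the length the peer claims and copies that many bytes, reading past the end of the record into whatever sits next to it; the fixed handler applies the bounds check that the patched OpenSSL added.

```c
/* Added example, not OpenSSL's code: a simplified model of TLS heartbeat
 * request handling, vulnerable form beside the bounds-checked form.
 * Record layout: 1 byte type, 2 byte payload_length, payload, >=16 byte padding. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed process memory (assumption): the received record is followed
 * by data the peer must never see, here a placeholder secret string. */
static unsigned char memory[64];
static const char *secret = "SECRET-KEY-MATERIAL";

/* Build a heartbeat request that claims `claimed_len` payload bytes but
 * actually carries `actual_len`. Returns the record length really received. */
static size_t build_record(unsigned char *buf, uint16_t claimed_len, size_t actual_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xff);
    memset(buf + 3, 'A', actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Vulnerable: uses the peer-supplied length without comparing it to the
 * number of bytes actually received, so memcpy reads past the record. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out)
{
    (void)rec_len;                         /* never consulted: the bug */
    uint16_t payload = ((uint16_t)rec[1] << 8) | rec[2];
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);     /* over-read when payload > actual */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed: discard any record whose claimed payload plus header and padding
 * does not fit inside the bytes actually received. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    uint16_t payload = ((uint16_t)rec[1] << 8) | rec[2];
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                          /* silently drop the request */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Malformed request: claims 40 payload bytes, carries 4. Returns 1 if the
 * vulnerable handler's response contains the adjacent secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char out[128];
    memset(memory, 0, sizeof memory);
    size_t rec_len = build_record(memory, 40, 4);
    memcpy(memory + rec_len, secret, strlen(secret) + 1);
    size_t n = heartbeat_vulnerable(memory, rec_len, out);
    for (size_t i = 3; i + strlen(secret) <= n; i++)
        if (memcmp(out + i, secret, strlen(secret)) == 0)
            return 1;
    return 0;
}

/* Same malformed request against the fixed handler: 1 if it is rejected. */
int fixed_rejects_oversized(void)
{
    unsigned char out[128];
    memset(memory, 0, sizeof memory);
    size_t rec_len = build_record(memory, 40, 4);
    return heartbeat_fixed(memory, rec_len, out) == 0;
}

/* Well-formed request (claims 4, carries 4): 1 if the fixed handler answers. */
int fixed_accepts_wellformed(void)
{
    unsigned char out[128];
    memset(memory, 0, sizeof memory);
    size_t rec_len = build_record(memory, 4, 4);
    return heartbeat_fixed(memory, rec_len, out) == 3 + 4 + HB_PADDING;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler rejects oversized: %d\n", fixed_rejects_oversized());
    printf("fixed handler accepts well-formed: %d\n", fixed_accepts_wellformed());
    return 0;
}
```

The same handler runs on whichever side receives the heartbeat request, which is why the alert's caution about clients is warranted: a browser or other TLS client talking to a hostile server is in the same position as a server talking to a hostile client. Nothing in the over-read is attacker-controlled beyond the length, so what comes back is simply whatever happened to be adjacent in memory, which in a long-running process can include session data and private key material.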
If you have questions or concerns about this message, please contact the IT Division Helpdesk, x7155.