<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><i><font face="Arial">Sent on behalf of the IT Division</font></i></div><div><font face="Arial"><br></font></div><div><font face="Arial">A vulnerability in OpenSSL has been discovered that impacts secure/encrypted web services. Since OpenSSL is used by a large number of web servers for secure communications (https) over the Internet, this vulnerability has far-reaching impacts. </font></div><div><font face="Arial"><br></font></div><div><font face="Arial">The IT Division has reviewed the laboratory's servers/services that use OpenSSL and is in the process of patching the vulnerable ones. As of now the vulnerability seems limited to the version of OpenSSL used with the laboratory's RHEL6 Linux systems. As a precaution, the patch is also being pushed out to Linux desktops (RHEL6) because there have been some reports that clients (i.e. web browsers) may also be impacted by this bug. Users with RHEL6 desktops will need to reboot their desktops at the end of the day to ensure all applications pick up the update. If you are a Linux desktop user and are unsure of the version of Linux you have, reboot your desktop at the end of the day just to be sure.</font></div><div><font face="Arial"><br></font></div><div><font face="Arial">Since this vulnerability has impacted so many of the websites on the Internet, Jefferson Lab's Cybersecurity Team also suggests that staff and Users change their passwords on any non-laboratory systems (i.e. yahoo, facebook, amazon, etc.) as a precaution. </font></div><div><font face="Arial"><br></font></div><div><font face="Arial">For those who would like to know more about the nature of the vulnerability, this bug, referred to as the OpenSSL "Heartbleed" Bug, allows a remote attacker to expose sensitive data, user authentication credentials and secret keys through incorrect memory handling in the Transport Layer Security (TLS) heartbeat extension. Although the vulnerability is being reported as a server issue, there are reports that the vulnerability also allows attackers to extract data from clients. Any keys generated with a vulnerable version of OpenSSL should be considered compromised and will need to be regenerated and deployed after the patch has been applied</font></div><div><font face="Arial"><br></font></div><div><font face="Arial">If you have questions or concerns about this message, please contact the IT Division Helpdesk, x7155.</font></div><div><br></div></body></html>