On April 7, 2014 information was released about a new vulnerability (CVE-2014-0160) in OpenSSL, the cryptography library that powers the vast majority of private communication across the Internet. This library is key to maintaining privacy between servers and clients, and confirming that Internet servers are who they say they are. This vulnerability, known as Heartbleed, may allow an attacker to steal the keys that protect communication, user passwords, even the system memory of a vulnerable server. This represents a major risk to large portions of private traffic on the Internet.
At this time we have no evidence that the attack has been used against any of our portals, websites or other systems. However, we take the security of our partner data very seriously and will continue to vigilantly monitor for any unauthorized behavior.
As the leader of our security team, I can assure you that we are working aggressively to assess and update any of our systems that rely on OpenSSL. We have also been in touch with our technology partners to ensure they are doing the same. We are committed to the protection of our partners and will provide product-specific updates if and when necessary.
If you are a Continuum Partner and you remain concerned, here are some actions you can take:
- Reset your login information and passwords.
- Enable Two-Factor Authentication.
Here are some more resources for learning about Heartbleed:
- Techcrunch.com video: http://techcrunch.com/2014/04/08/what-is-heartbleed-the-video/
- Troy Hunt’s blog post: http://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html
We will be sure to keep all of our partners up to date on any developments as they happen via email, RSS and social media. Please contact your regional support teams with any questions.
UPDATE ON CONTINUUM VAULT
For any partners with questions regarding Heartbleed and Continuum Vault, we have confirmed that Continuum Vault does not use OpenSSL and so was not impacted by Heartbleed. If you have any questions, please leave them in the comments section.
UPDATE ON ContinuumU
We have updated the certificate on ContinuumU. Please direct any questions to the comments section.
UPDATE ON LOGMEIN (4/11/14 11:00pm ET)
Earlier today (Friday, 4/11), LogMeIn announced on their blog that LogMeIn Pro used OpenSSL. We have been working with LogMeIn tonight to ensure we have all required information to advise you properly. We are also in the process of running an analysis to confirm that client endpoints have been updated with the newest version, which resolves this issue. Please watch for further communication on Saturday for recommendations on what actions you and your clients should take next.
By Dave LeClair