CDL Notice Regarding US-CERT CVE-2014-0160, “Heartbleed Bug” OpenSSL Vulnerability

April 11, 2014 Author: Ellen MeltzerCategories:

By Kurt Ewoldsen, Manager, CDL Information & Applications Support

On April 8, the US Computer Emergency Readiness Team (US-CERT) announced a serious vulnerability (CVE-2014-0160, aka the “Heartbleed Bug”) in OpenSSL, a cryptographic software library that underlies much of the encryption used to secure the Internet.

The vulnerability allows attackers to:

read usernames, passwords, and other sensitive information stored in server memory and
obtain the key required to decrypt secure communication to and from the server, and impersonate the server itself

CDL technical staff has analyzed the use of OpenSSL within our services and have or are remediating any instances where they are determined vulnerable to this security exploit.

At this time, there is no evidence that our services were compromised.

If you have any questions or concerns about this issue, please contact the CDL Helpdesk: cdl@www.cdlib.org.