Heartbleed Vulnerability Information

Valued clients,

As many of you may know, there has been a recently published exploit known as Heartbleed for the popular OpenSSL software library. This exploit allowed for the possibility of stealing data on any server using this software library. In particular, it allowed for the possibility of stealing a server's private key, the secrecy of which is what ensures that a secure connection is in fact secure.

In general, all Windows servers are not vulnerable to this exploit, as IIS does not use the OpenSSL library. In addition, if you are running CentOS 5.10, you are most likely not vulnerable to this attack, unless you have specifically updated the OpenSSL library, such as for PCI compliance. However, third party software such as OpenVPN does use open SSL, so we strongly encourage you to ensure that any applications you are using are properly patched.

All CentOS 6 users are potentially vulnerable, and CentOS 6.5 users in particular are definitely vulnerable if not patched. Other operating systems may be vulnerable, depending on the version of OpenSSL they were deployed with. In order to determine if you are in fact affected, you can enter any domain name that has an associated SSL certificate here: http://filippo.io/Heartbleed/ If this testing site returns that your server is in fact vulnerable, there are several steps you will need to take. First and foremost is to patch your version of OpenSSL. This can be accomplished by running the following command as root: yum update *ssl* Next, you will need to restart all services that use OpenSSL. This is most easily accomplished by simply issuing a server reboot. Once this is complete, there are two more critical steps that need to be completed. First, any affected SSL certificates must be revoked and reissued.

If you ordered a Comodo SSL certificate through FORTRESSITX (including DedicatedNOW and Solar VPS), this is a free service. Please contact our Support team at https://mymanagedsupport.com/ so that we may reissue the SSL certificate. If you ordered your own certificate through another Certificate Authority, you will need to contact them directly about this. The second is to change all passwords associated with the server including the root password, all webmail passwords that were secured with SSL, and all user passwords, such as for forums or content management systems that were secured with SSL. Please note that we have already resolved this on our own servers. When we determined that some of our services were in fact vulnerable, we patched the affected servers, and went through the steps to reissue the appropriate SSL certificates.

While we have no evidence of an exploit, we are asking that all of our clients update their passwords for logging into our support sites, as they could have potentially been compromised. For more information about this exploit, please see the official National Vulnerability Database entry about the exploit: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160. A more detailed look into the exploit (along with some higher-level overview) can be found here: http://heartbleed.com/ Thank you, FORTRESSITX (The parent company of Solar VPS & DedicatedNOW)