Heartbleed OpenSSL Vulnerability

ID

heartbleed_openssl_vulnerability

Severity

critical

Kind

Security Misconfiguration

CWE

119

Description

The TLS implementation in OpenSSL 1.0.1 before 1.0.1g does not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read.

Rationale

The Heartbleed vulnerability allows attackers to read up to 64KB of server memory per malformed heartbeat request, without authenticating and without leaving traces in server logs. By exploiting the buffer over-read repeatedly, attackers can extract sensitive data from process memory, including private encryption keys, session tokens, passwords, and confidential user data. Compromised private keys enable attackers to decrypt past and future TLS traffic, impersonate the server, or forge digital signatures. The vulnerability affects a vast number of internet-facing servers and requires minimal technical sophistication to exploit using publicly available tools.

Remediation

Update to OpenSSL 1.0.1g or later. Re-issue HTTPS certificates. Change asymmetric private keys and shared secret keys, since these may have been compromised without any evidence of the compromise appearing in the server log files.