Vulnerability in OpenSSL (Heartbleed)
The community found the buffer over-read vulnerability "heartbleed" in the open-source OpenSSL cryptography library. OpenSSL is used as basic library to ensure secure communication and used in much software. This vulnerability may cause the attacker to allow theft of the server's private-key and user's session cookies and pas sword.
The attacker may do following attacks if the server is vulnerable to this bug,
- Spoofing (If the attacker steals user's ID and password)
- Unauthorized decryption of encrypted communication (If the attacker steals the server's private-key)
The servers and services which is managed by SFC-CNS, ITC are already patched or disabled the bug within days of its announcement. Until now we have not found any thefts of the information, but we will watch this situation carefully to prevent further attacks.
Resolution
Mentioned above, we already patched or disabled this bug already. However taking account of this bug's importance and the invisible attacks, there's possible user's password theft. We recommend the user to take following action to prevent further attacks.
- Change of the password Since there's possible user's password theft, we would recommend users to change the password of CNS account, IMAP/SMTP Auth password.
Request for the user who manages any servers
Since this bug's severity, we would request any users who manage any servers, which are vulnerable to this bug to take action to this vulnerability. Please refer following website and take proper actions to this vulnerability immediately.
The user affected to this issue
Last-Modified: May 8, 2014
The content ends at this position.