What steps should I take for OpenSSL (Heartbleed) remediation?

ACCC scanned all of its internal networks to look for hosts running a vulnerable version of the OpenSSL software. We identified approximately 25 machines with vulnerable versions of the software and immediately patched the software.

Although patching the systems resolves the immediate vulnerability, we will be updating private keys and installing new certs on all of the affected systems in the next few days.

In addition, ACCC Security has scanned the campus networks and identified a number of vulnerable systems in other campus units. We will be notifying the Network Security Liaisons that have vulnerable systems shortly.

To remediate this vulnerability we recommend taking the following course of action.

1- Update to the latest version of OpenSSL, or recompile it with the option

-DOPENSSL_NO_HEARTBEATS

2- Create new private keys

Your old keys may have been compromised, and new keys should be created before generating new CSRs and requesting new SSL certificates.

3- Request and install new SSL certificates

New 1- or 3-year certificates may be ordered through the web store at webstore.illinois.edu.

4- Request revocation of your old SSL certificates

When requesting your new certificates, please clearly indicate that you wish to revoke your old SSL certificates.
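The following shell helpers are an added example for steps 1 through 3 above; they are not part of the ACCC advisory. They check whether an OpenSSL build still carries the heartbeat extension (either by version, using the publicly documented vulnerable range 1.0.1 through 1.0.1f and 1.0.2-beta1, which the advisory itself does not list, or by the -DOPENSSL_NO_HEARTBEATS flag appearing in the compiler line of `openssl version -a`), and then generate a fresh private key and CSR for the replacement certificate. The sample `openssl version -a` outputs and the host name www.example.edu are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the ACCC advisory. Helpers for the Heartbleed
# remediation steps: confirm the build is fixed, then make a new key and CSR.
set -eu

# Step 1 check (a): is this OpenSSL release number in the vulnerable range?
# The range (1.0.1 .. 1.0.1f, 1.0.2-beta1) comes from the public OpenSSL
# advisory, not from this page. $1 is the version token, e.g. "1.0.1e".
openssl_version_vulnerable() {
  case "$1" in
    1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
    *) return 1 ;;
  esac
}

# Step 1 check (b): given the full text of `openssl version -a` in $1,
# return 0 when the build is remediated: either it was compiled with
# -DOPENSSL_NO_HEARTBEATS, or its version is outside the vulnerable range.
# Caveat: vendors backport fixes without bumping the version string, so a
# "vulnerable" verdict here means "check the vendor advisory", not "exploitable".
build_is_remediated() {
  out=$1
  if printf '%s\n' "$out" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'; then
    return 0
  fi
  ver=$(printf '%s\n' "$out" | sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p')
  if openssl_version_vulnerable "$ver"; then
    return 1
  fi
  return 0
}

# Steps 2 and 3: create a brand-new 2048-bit RSA private key (never reuse the
# old one) and a CSR for the host name in $1, written into directory $2 as
# $2/$1.key and $2/$1.csr. The key is created with mode 0600 via umask.
new_key_and_csr() {
  host=$1
  dir=$2
  mkdir -p "$dir"
  (
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/$host.key" -out "$dir/$host.csr" \
      -subj "/CN=$host"
  )
}

# Constructed sample outputs of `openssl version -a` from three hosts.
SAMPLE_UNPATCHED='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 2013
platform: linux-x86_64
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -O3'

SAMPLE_REBUILT='OpenSSL 1.0.1e 11 Feb 2013
built on: Thu Apr 10 2014
platform: linux-x86_64
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DOPENSSL_NO_HEARTBEATS -O3'

SAMPLE_UPDATED='OpenSSL 1.0.1g 7 Apr 2014
built on: Thu Apr 10 2014
platform: linux-x86_64
compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -O3'

# Demo: report each sample host's status.
for name in SAMPLE_UNPATCHED SAMPLE_REBUILT SAMPLE_UPDATED; do
  eval "sample=\$$name"
  if build_is_remediated "$sample"; then
    echo "$name: remediated"
  else
    echo "$name: still vulnerable (or vendor-backported; verify with advisory)"
  fi
done
```

Run the script directly to see the three verdicts, or source it and call `new_key_and_csr www.example.edu /etc/ssl/private` on an actual host; the `.csr` file is what you submit to the certificate vendor, and the `.key` file stays on the server. The version check alone is not a sufficient test because distributions such as Debian and Red Hat shipped the fix as a patch to 1.0.1e without changing the reported version, which is why the compiler-flag check and the vendor advisory are consulted as well.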

More information about the Heartbleed vulnerability may be found in the following article.

www.pcworld.com/article/2140920/heartbleed-bug-in-openssl-puts-encrypted-communications-at-risk.html

If you have any questions, please contact ACCC Security at security@uic.edu


Last updated: April 10, 2014
