Heartbleed -- the xTuple Response
Earlier this week, security experts revealed a significant flaw in a widely used Internet security product called OpenSSL. The bug, called Heartbleed, is a vulnerability in systems that use OpenSSL to encrypt information over SSL connections. OpenSSL is used on about two-thirds of the Internet servers in the world, so the impact of this bug is very widespread. The existence of this bug does not mean that any specific private information has in fact been stolen, but it does mean that it could have been stolen, and all sites that employ the OpenSSL encryption library must implement a security patch immediately, as well as perform a number of other security-related updates, to protect against Heartbleed.
xTuple has taken the following actions to update our servers, secure our data, and protect our customers:
- The day after the information on Heartbleed was released, xTuple replaced the OpenSSL code on our servers with an updated version that does not contain the bug.
- We have revoked and reissued all SSL certificates for our servers, to remove any lingering vulnerability.
- We are informing our user community of our actions and recommending that you update your passwords.
What should you do?
This is not fun, we know, but the potential impact of this bug is quite serious and affects thousands of websites around the Internet, including ours. Now that we have updated our SSL certificates, you should update the passwords you use to connect to xTuple sites and services. You should also update any passwords you use to connect to any other Internet service, including Google, Facebook, Amazon, etc., as they all have been affected by this bug.
Want to know more?
If you want to learn more about Heartbleed, read the information posted by Codenomicon, the security firm that first exposed this bug.
Sat, 04/12/2014 - 10:47#1
WHAT DO WE NEED TO DO OURSELVES?
Thanks, BC, for advising the xTuple community. In addition to the xTuple website, here is a task list developed from a trusted source I follow, Mashable, on passwords you need to change right now (if you know of others, please list them in a comment):
- Change your user password on xTuple website
- Change your password on the following websites (and do not use the same one):
- Amazon Web Services
- Sites that tell us we do NOT need to change passwords:
- Government and Taxes
- Password Managers (1Password, Dashlane, LastPass)
- Wordpress (unclear)