Comodo advises customers and partners to run latest version of OpenSSL
 

News

The latest news from Comodo

Comodo Advises Customers and Partners to Patch Systems to Run the Latest Version of OpenSSL in Light of 'Heartbleed' Vulnerability.

Vulnerability lies with in flawed OpenSSL implementation, not with Comodo certificates or Comodo CA keys. Comodo offers free replacement of certificates on affected systems with immediate effect.

Clifton, NJ, April 9, 2014 - In light of the recently discovered vulnerability known as ‘Heartbleed’, Comodo CA, a leading Certificate Authority and Internet security organization, would like to advise customers to patch OpenSSL to the latest version and would like to confirm that the vulnerability lies with the OpenSSL software and not with Comodo certificates or Comodo CA keys. Comodo will work with customers, partners, platform vendors and service providers to help ensure affected parties are made fully aware of the issue over the coming days, that customer systems are updated with the fixed version of OpenSSL, and that customers can quickly and easily acquire a certificate reissuance that may be required as a result of patching OpenSSL.

What is the 'Heartbleed' vulnerability?

On Tuesday 8th of April 2014, a serious vulnerability to OpenSSL known as 'Heartbleed' was made public by a team of researchers.

The 'Heartbleed' vulnerability means that it is possible for an attacker to silently 'steal' private keys for SSL certificates, as well as other secret information, on affected versions of OpenSSL.

OpenSSL is an incredibly popular cryptographic software library, and provides SSL/TLS communication for large numbers of applications. The bug causing the vulnerability was introduced to OpenSSL in December 2011 and has been 'in the wild' since the release of OpenSSL 1.0.1 on 14th March 2012. However, it was only discovered within the past day and, other than a proof of concept, Comodo is not aware of any real-world exploits at this point in time.

Full details of the vulnerability, including more technical details, can be found at: http://heartbleed.com/

What is affected?

OpenSSL versions affected: 1.0.1 through to 1.0.1f (inclusive).

The following OpenSSL versions are NOT affected:

1.0.1g

1.0.0 (entire branch)

0.9.8 (entire branch)

The release of OpenSSL 1.0.1g on the 7th April 2014 fixes the bug.

How do I fix it?

Any systems using vulnerable versions of OpenSSL need to be patched or updated.

OpenSSL themselves have released a patch, and many other software vendors have updated their software as well.

Please contact your vendor for further details.

Patch your server before you install your new certificate. If you put a new certificate onto a vulnerable server you risk compromising the key of the new certificate.

Is my site affected?

Customers can test whether they are affected by visiting https://sslanalyzer.comodoca.com/ to verify the presence of this vulnerability.

What about my certificates?

Because there is a theoretical possibility that Heartbleed could already have been exploited, Comodo must replace certificates on systems running the affected OpenSSL version. Certificates on affected systems should be replaced, as soon as possible and the previous certificates should be revoked.

Comodo have ensured that all of our own websites using OpenSSL have been patched and updated, and we have also reissued certificates for those sites as a precautionary measure.

Comodo, unlike other CAs, has a no-charge reissue policy - so replacing your certificate and maintaining the security of your website and your systems is simple and incurs no additional cost.

To perform a reissue, please follow the normal procedures - reissuing via our web-interface, management portal or the APIs.

Should you need any additional assistance, please contact: support@comodo.com or submit a ticket to: https://support.comodo.com/

References:

http://heartbleed.com/

https://www.openssl.org/news/secadv_20140407.txt

About Comodo

The Comodo companies provide the infrastructure that is essential in enabling e-merchants, other Internet-connected companies, software companies, and individual consumers to interact and conduct business via the Internet safely and securely. The Comodo companies offer PKI SSL, Code Signing, Content Verification and Email Certificate; award winning PC Security software;  Vulnerability Scanning services for PCI Compliance; secure e-mail and fax services.   

Continual innovation, a core competence in PKI, and a commitment to reversing the growth of Internet-crime distinguish the Comodo companies as vital players in the Internet's ongoing development. Comodo secures and authenticates online transactions and communications for over 200,000 business customers and 3,000,000 users of our desktop security products. 

For additional information on Comodo - Creating Trust Online® visit Comodo.com

For more information, reporters and analysts may contact:

Comodo
Email: media-relations@comodo.com
Office: +1 (888) 266-6361