5/7/2023

OpenSSL Heartbleed

However, since this vulnerability made it possible for an attacker to compromise a private key for an extended period of time, we strongly suggest that you create a new private key and update your endpoint.

We have worked with our infrastructure provider to update OpenSSL on all SSL Endpoints.

We do not have any evidence that passwords have been compromised, but given the amount of time that this vulnerability was in existence, the safest thing to do for your account is to rotate your Heroku credentials. We encourage all Heroku users to update their Heroku account passwords.

Since this vulnerability potentially exposes the private key used for encryption, we strongly advise that you replace both the private key and certificate as soon as possible. This vulnerability can be remotely exploited to leak encryption secrets from Heroku applications, allowing an attacker to retrieve the private key used for SSL encryption and decode data obtained by intercepting traffic.

Continue reading for further details on each affected vector.

As of Tuesday, April 8 at 15:55 UTC, all Heroku certificates, infrastructure, and Heroku Postgres have been updated and are no longer vulnerable. If you are currently running the SSL Endpoint add-on, you should re-key and reissue your certificate and update it, as it may have been exposed.

Yesterday the OpenSSL Project released an update to address the CVE-2014-0160 vulnerability, nicknamed “Heartbleed.” This serious vulnerability affects a substantial number of applications and services running on the internet, including Heroku.

All Heroku users should update their passwords as a precautionary measure.
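
A reissued certificate only helps if it is bound to a freshly generated key, so it is worth checking before updating the endpoint. The script below is an added example, not part of the original post or Heroku's tooling: it generates a replacement key and CSR, then confirms that a certificate matches the new key and not the old one. File names and the CN are placeholders, and self-signed certificates stand in for CA-issued ones so it runs offline.

```shell
#!/usr/bin/env bash
# Added example. File names and the CN are placeholders; the self-signed
# certificates are constructed stand-ins for what a CA would return.

# PEM public key derived from a private key file.
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
# PEM public key embedded in a certificate.
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# verify_rekey OLD_KEY NEW_KEY CERT
# Succeeds only if CERT is bound to NEW_KEY and not to OLD_KEY.
# Returns 2 if any input cannot be parsed.
verify_rekey() {
  old=$(pub_of_key "$1")  || return 2
  new=$(pub_of_key "$2")  || return 2
  crt=$(pub_of_cert "$3") || return 2
  [ -n "$crt" ] && [ "$crt" = "$new" ] && [ "$crt" != "$old" ]
}

# Build constructed fixtures in directory $1.
make_fixtures() {
  d=$1; subj="/CN=www.example.com"
  # Key that may have been exposed, and its replacement.
  openssl genrsa -out "$d/old.key" 2048 2>/dev/null || return 1
  openssl genrsa -out "$d/new.key" 2048 2>/dev/null || return 1
  # CSR to send to the CA for reissue; it must be built from the NEW key.
  openssl req -new -key "$d/new.key" -subj "$subj" -out "$d/new.csr" || return 1
  # Stand-in for a correctly re-keyed certificate.
  openssl req -new -x509 -key "$d/new.key" -subj "$subj" -days 1 \
    -out "$d/rekeyed.crt" || return 1
  # Stand-in for a certificate reissued on the old, possibly exposed key.
  openssl req -new -x509 -key "$d/old.key" -subj "$subj" -days 1 \
    -out "$d/same-key.crt" || return 1
}

demo() {
  d=$(mktemp -d) || return 1
  make_fixtures "$d" || { rm -rf "$d"; return 1; }
  verify_rekey "$d/old.key" "$d/new.key" "$d/rekeyed.crt" \
    && echo "rekeyed.crt: OK, bound to the new key"
  verify_rekey "$d/old.key" "$d/new.key" "$d/same-key.crt" \
    || echo "same-key.crt: REJECTED, still uses the old key"
  rm -rf "$d"
}
demo
```

With real files, pass the old key, the new key and the certificate returned by the CA to `verify_rekey` before installing the certificate.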