Security Alert: OpenSSL Vulnerability/Bug (Heartbleed) on SSL Websites [INFO]
Posted by on 07 May 2014 02:06 PM
ATTENTION: All owners/admins of SSL-encrypted websites using OpenSSL
 
Dear valued customers,
 
Our security team has learned of a new, widespread SSL encryption bug called "Heartbleed".
 
The "Heartbleed Bug" vulnerability was discovered in the OpenSSL library, which is widely used to implement the Internet's Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
 
The bug makes servers vulnerable because of a missing bounds check in the handling of the TLS heartbeat extension. To learn more about the bug, visit http://en.wikipedia.org/wiki/Heartbleed. Heartbleed was publicly disclosed on April 7, 2014, the same day a fixed OpenSSL version was released.
 
Customers are advised to take precautions and follow the instructions below:
 
1) Upgrade OpenSSL.
2) Revoke ALL SSL certificates.
3) Regenerate all SSL private keys.
4) Get new certificates from your SSL vendor.
 
To verify whether your website was affected, you may use this Tool.
 
Do get back to us if you have any further concerns or queries.
Thank you.
 
 
Regards,
Angeline C.
Customer Care
-------------------------------
247 LiveSupport Department
- http://247livesupport.biz -
* Thank you for using 247LiveSupport System *

SUPPORT ESCALATION PROCEDURE
We stand behind our products and services. If there are serious problems that are impacting your business and you are not getting help through regular channels, you can contact our CEO, Terence C. directly at ceo@247livesupport.biz.
 
 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
 
Email Announcement from SSL Provider: Thawte
 
 
Dear valued customers,
 
Thawte is aware of the vulnerability, dubbed “Heartbleed”, which is a security concern for users of OpenSSL, a widely-used open source cryptographic software library. It can allow attackers to read the memory of the systems using vulnerable versions of the OpenSSL library (1.0.1 through 1.0.1f). This may disclose the secret keys of vulnerable servers, which allows attackers to decrypt and eavesdrop on SSL encrypted communications and impersonate service providers. In addition, other data in memory may be disclosed, which conceivably could include usernames and passwords of users or other data stored in server memory.
 
To be clear, this is a vulnerability of the OpenSSL library, and not a flaw with SSL/TLS nor certificates issued by Thawte. At no time were Thawte’s SSL or Code-Signing roots and intermediates at risk, nor was there ever an issue with Thawte certificates.

Steps to Success:
 
Identify if your web servers are vulnerable (running OpenSSL versions 1.0.1 through 1.0.1f with heartbeat extension enabled). Use our SSL Toolbox to detect this. If you’re running a version of OpenSSL prior to 1.0.1, no further action is required.
 
If your server is impacted, update to the latest patched version of OpenSSL (1.0.1g), or recompile OpenSSL without the heartbeat extension.
 
Generate a new Certificate Signing Request (CSR).
 
Reissue any SSL certificates for affected web servers using the new CSR (do this after moving to a patched version of OpenSSL).
 
Install the new SSL certificate and test your installation.
 
After the new certificate is successfully installed, revoke any certificates that were replaced.
 
Website administrators should also consider resetting end-user passwords that may have been visible in a compromised server memory.
Always refer back to the Knowledge Base for more information.

If you have additional questions, please contact us for further support and more information.

Best Regards,
Tom Powledge
VP, Trust Services
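
The CSR step above only protects the site if the CSR is built on a newly generated private key, which is what the "regenerate all SSL private keys" instruction earlier on this page requires. The following shell script is an added example, not part of Thawte's announcement: it generates a fresh key and CSR and checks that a CSR does not carry the same public key as the old certificate. The function names and the `www.example.test` subject are assumptions, and the "old" key and certificate are throwaway files constructed for the demo.

```shell
#!/bin/sh
# Added example: make sure a reissue CSR does not reuse the possibly exposed key.
set -eu

# SHA-256 digest of the PEM public key embedded in a certificate / in a CSR.
cert_pubkey_fp() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256; }
csr_pubkey_fp()  { openssl req  -in "$1" -noout -pubkey | openssl dgst -sha256; }

# Exit status 0 when the CSR ($2) carries the same public key as the old
# certificate ($1), i.e. the old private key is being reused.
key_reused() { [ "$(cert_pubkey_fp "$1")" = "$(csr_pubkey_fp "$2")" ]; }

# Fresh 2048-bit RSA key and CSR in one command (never "-key old.key").
# Args: key-out csr-out subject
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1" -out "$2" -subj "$3" 2>/dev/null
}

# Constructed demo: a throwaway key and self-signed certificate stand in for
# the deployment that was live while the server ran a vulnerable OpenSSL.
demo() {
    d=$(mktemp -d)
    cn="/CN=www.example.test"   # hypothetical hostname
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$cn" \
        -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null
    # The mistake to catch: a new CSR built from the old private key.
    openssl req -new -key "$d/old.key" -subj "$cn" -out "$d/reuse.csr"
    # The correct reissue request: new key, new CSR.
    new_key_and_csr "$d/new.key" "$d/new.csr" "$cn"
    for csr in reuse.csr new.csr; do
        if key_reused "$d/old.crt" "$d/$csr"; then
            echo "$csr: REUSES the old key, do not submit"
        else
            echo "$csr: new key, ok to submit"
        fi
    done
    rm -rf "$d"
}
demo
```

Run the same `key_reused` comparison against the certificate currently installed on the server before submitting the CSR to the vendor.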
 
 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
 
Email Announcement from Shared Hosting Team

 

Dear Valued Customer,

The recently discovered Heartbleed bug exposed a gaping hole in the security software that's supposed to keep your information private while shopping, managing your finances or sending and reading email. While there still aren't any signs that the bug has actually led to eavesdropping or theft—financial, identity or otherwise—it's probably only a matter of time.

More information about the Heartbleed bug can be found here:

http://www.thestarphoenix.com/technology/What+Heartbleed+should+worried/9720665/story.html

The good news is that there are ways you can protect your information from thieves and snoops. The bad news is that they're simple but not necessarily easy.

Our server administrators have patched everything that is needed to protect users from this bug. However, all users must do the following to keep their website information safe.

1) Immediately change your passwords for WordPress, cPanel and other logins related to your website.

2) Please have your SSL certificate reissued. If it was purchased from us, contact our SSL Department and they will help reissue it for you.

To check whether the server you are hosted on has been patched, you can test your website via the following URL:

https://filippo.io/Heartbleed/

 

Regards
Angeline C.
Customer Care
 
 
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
 
Security Advisory from Parallels
 

Please read this message in its entirety and take the recommended actions.

Situation

The OpenSSL group issued a vulnerability alert on April 7, 2014. You can find more information at the OpenSSL website and at http://heartbleed.com/.

Impact

A vulnerability in OpenSSL could allow unauthorized access to application memory that uses SSL/HTTPS protocols. This may expose sensitive information and potentially compromise certificates, passwords, cookies and other elements.

Parallels Products Impacted

The following products are potentially affected because they are based or installed on operating systems impacted by OpenSSL CVE-2014-0160 vulnerabilities:

  • Parallels Cloud Server
  • Parallels Server for Bare Metal
  • Parallels Virtual Automation
  • Parallels Plesk Panel
  • Parallels Web Presence Builder
  • Parallels Sitebuilder
  • Parallels Business Automation Standard
  • Parallels Automation
  • Parallels Plesk Automation

How to verify if your system is vulnerable:

OpenSSL versions 1.0.1 through 1.0.1f (inclusive) are vulnerable.

These versions are shipped in the following systems:

  • RHEL6.5, OpenSSL 1.0.1e-15
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • CloudLinux 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

Solution

The OpenSSL group has published a solution at http://heartbleed.com/.

Call to Action

In addition to the posted solution we have provided Knowledgebase articles to help you:

Parallels takes the security of their customers very seriously and encourages you to take the recommended actions as soon as possible.

 

Regards
Angeline C.
Customer Care
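
The version range given in the Thawte and Parallels advisories above (1.0.1 through 1.0.1f vulnerable, 1.0.1g patched, versions prior to 1.0.1 needing no action) can be checked mechanically. The following shell script is an added example, not part of any of the quoted announcements; the function names are assumptions, and the sample inputs are the package versions listed above plus two constructed `openssl version` banners.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version against the range on this page
# (1.0.1 through 1.0.1f vulnerable, 1.0.1g patched, before 1.0.1 no action).
LC_ALL=C; export LC_ALL   # make [a-f] in case patterns mean ASCII letters only

# Reduce an `openssl version` banner or a distro package version to the
# upstream version, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1e".
upstream_version() {
    v=${1#OpenSSL }     # drop the banner prefix if present
    v=${v%% *}          # keep the first whitespace-delimited token
    v=${v%%[-+]*}       # drop build/package suffix: -fips, -15, +deb7u4
    printf '%s\n' "$v"
}

# Prints: vulnerable-range | patched | not-affected | unknown
heartbleed_status() {
    case $(upstream_version "$1") in
        1.0.1|1.0.1[a-f]) echo vulnerable-range ;;  # 1.0.1 .. 1.0.1f
        1.0.1[g-z])       echo patched ;;           # 1.0.1g and later letters
        0.*|1.0.0*)       echo not-affected ;;      # prior to 1.0.1
        *)                echo unknown ;;           # page makes no statement
    esac
}

# Distributions commonly backport fixes without changing the upstream letter,
# so "vulnerable-range" for a package string means: check the vendor's
# changelog or advisory for CVE-2014-0160 before concluding either way.

# Constructed sample input: package versions listed above plus two banners.
# For the local binary, use: heartbleed_status "$(openssl version)"
for s in "1.0.1e-15" "1.0.1e-4" "1.0.1e-2+deb7u4" "1.0.1-4ubuntu5.11" \
         "1.0.1c" "OpenSSL 1.0.1g 7 Apr 2014" "OpenSSL 0.9.8y 5 Feb 2013"; do
    printf '%-28s %s\n' "$s" "$(heartbleed_status "$s")"
done
```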


Copyright © 1998 - 2018 Shinjiru International Inc. All Rights Reserved.