Important Information Regarding OpenSSL Security Flaw

14.04.2014

A security flaw has been discovered in some versions of OpenSSL that allows an attacker to read data stored in the web server's memory, including the server's private key. The flaw is triggered through the TLS heartbeat extension and can be exploited during connection setup, before the handshake has completed, as well as on an established connection, so no authentication is needed.

The affected versions are OpenSSL 1.0.1 through 1.0.1f (inclusive); the 1.0.2-beta1 pre-release was also affected. The flawed code has been in circulation since the release of 1.0.1 on March 14th 2012. The flaw was fixed on April 7th 2014 in OpenSSL 1.0.1g; the 1.0.0 and 0.9.8 branches are not affected. Note that Linux distributions commonly backport the fix without changing the version number, so a server reporting 1.0.1e may already be patched: check the package changelog or test the service itself rather than relying on the version string alone.

The flaw can expose server or client private keys, user passwords, the plaintext of data in transit and anything else held in the process's memory. Because heartbeat messages are handled inside the TLS layer, below the web server's request handling, exploitation normally leaves no trace in server logs; successful attacks therefore go undetected, even against web sites that require ID-card authentication, since the attacker does not need to authenticate to send the malformed message. Detecting attempts requires inspecting TLS traffic at the network level, looking for heartbeat requests whose declared payload length exceeds the length of the record actually received.
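To make the mechanism concrete, here is an added example written for this page (it is not SK's text and not OpenSSL's source): a simplified model of the vulnerable heartbeat handler beside the one-line bounds check that fixed it in 1.0.1g. The fake "process memory", the secret string, the 2-byte probe and all function names are the example's own constructions.

```c
/* Added example (not SK's text or OpenSSL's source): a simplified model
 * of the TLS heartbeat bug, CVE-2014-0160, beside the bounds check that
 * fixed it in OpenSSL 1.0.1g. Function names, the fake "process memory"
 * and the secret string are this example's own constructions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Constructed "process memory": the received record is placed at offset 0
 * and a sensitive allocation is placed right behind it. The array is large
 * enough that even a 65535-byte declared length stays inside it. */
#define MEM_SIZE (3 + 65535 + 256)
static uint8_t g_memory[MEM_SIZE];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed secret)";

/* Write a heartbeat request whose header claims 'declared' payload bytes but
 * which actually carries 'actual' bytes. Returns the real record length. */
size_t build_request(uint16_t declared, const uint8_t *payload, size_t actual)
{
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = HB_REQUEST;
    g_memory[1] = (uint8_t)(declared >> 8);
    g_memory[2] = (uint8_t)(declared & 0xff);
    memcpy(&g_memory[3], payload, actual);
    size_t rec_len = 3 + actual + HB_PADDING;
    memcpy(&g_memory[rec_len], SECRET, sizeof SECRET);   /* neighbouring allocation */
    return rec_len;
}

/* Shared response construction: allocate and copy 'payload' bytes from 'src'. */
static uint8_t *make_response(const uint8_t *src, uint16_t payload, size_t *out_len)
{
    size_t len = 3 + (size_t)payload + HB_PADDING;
    uint8_t *out = malloc(len);
    if (!out) return NULL;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(&out[3], src, payload);            /* copies whatever 'src' points at */
    memset(&out[3 + payload], 0, HB_PADDING);
    *out_len = len;
    return out;
}

/* Vulnerable handler (1.0.1 to 1.0.1f): trusts the declared length and
 * never compares it with the length of the record actually received. */
uint8_t *vuln_process_heartbeat(const uint8_t *rec, size_t rec_len, size_t *out_len)
{
    (void)rec_len;                            /* the bug: rec_len is never consulted */
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return make_response(rec + 3, payload, out_len);   /* over-reads past the record */
}

/* Fixed handler (1.0.1g): silently discard any request whose declared
 * payload plus header and padding does not fit in the received record. */
uint8_t *fixed_process_heartbeat(const uint8_t *rec, size_t rec_len, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return NULL;
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return NULL;   /* the Heartbleed check */
    return make_response(rec + 3, payload, out_len);
}

/* Does the buffer contain the secret that sat next to the record? */
int leaks_secret(const uint8_t *buf, size_t len)
{
    size_t n = strlen(SECRET);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Run one request (2 real bytes, 'declared' bytes claimed) through both handlers.
 * Returns 1 when the vulnerable handler leaks the secret and the fixed one discards. */
int demo(uint16_t declared)
{
    const uint8_t probe[] = "hi";             /* constructed 2-byte payload */
    size_t rec_len = build_request(declared, probe, 2);
    size_t vlen = 0, flen = 0;
    uint8_t *v = vuln_process_heartbeat(g_memory, rec_len, &vlen);
    uint8_t *f = fixed_process_heartbeat(g_memory, rec_len, &flen);
    int leaked = v != NULL && leaks_secret(v, vlen);
    int discarded = (f == NULL);
    printf("declared=%u: vulnerable leaks secret=%d, fixed discards=%d\n",
           (unsigned)declared, leaked, discarded);
    free(v);
    free(f);
    return leaked && discarded;
}

/* An honest request (declared == actual) is still answered by the fixed handler. */
int honest_request_answered(void)
{
    const uint8_t probe[] = "hi";
    size_t rec_len = build_request(2, probe, 2), n = 0;
    uint8_t *f = fixed_process_heartbeat(g_memory, rec_len, &n);
    int ok = f != NULL && n == 3 + 2 + HB_PADDING && f[0] == HB_RESPONSE
             && f[3] == 'h' && f[4] == 'i' && !leaks_secret(f, n);
    free(f);
    return ok;
}

int main(void)
{
    demo(16384);   /* classic probe: 2 bytes sent, 16 KiB of memory asked for */
    demo(2);       /* honest request: nothing leaks, fixed handler answers */
    return 0;
}
```

The check in the fixed handler is exactly the condition a network sensor uses to flag an attempt: a heartbeat request whose declared payload length, plus the 3-byte header and 16 bytes of padding, exceeds the record length. Nothing about the exchange reaches the web server's access log, which is why the advisory says successful attacks leave no trace there.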

The flaw has been officially assigned the CVE (Common Vulnerabilities and Exposures) identifier CVE-2014-0160. The CVE entry also contains a detailed technical description and references to operating system vendors' pages with download links to security patches. More information regarding the flaw can be found at heartbleed.com.

Although most web browsers do not use OpenSSL, we recommend that all users verify that they are running the latest versions of their software with all updates installed. We also recommend changing the passwords used in web services (Facebook, Gmail, Yahoo, Dropbox, etc.), but only after the service in question has updated OpenSSL and replaced its certificate: a password changed on a still-vulnerable server can simply be leaked again.

None of SK's services or servers (digidocservice.sk.ee, digidoc.sk.ee, sk.ee) have been using a flawed version of OpenSSL. We emphasize that the flaw affects only the OpenSSL implementation, not the TLS protocol or the underlying cryptography. Users of ID-card, Mobile-ID and Digi-ID are not affected, since their private keys are held on the card's or SIM's chip and never enter a server's memory; there is therefore no need for certificate updates.
