Applications and Services Affected by the Heartbleed OpenSSL Vulnerability
Many University constituents are concerned about which applications and services they use that might be affected by the "Heartbleed"/OpenSSL vulnerability that was discovered on April 7th. This message gives some context and advice on how to determine which services are vulnerable and what to do if they are.
University-run applications and services
Penn's CoSign WebLogin service, the primary web-based authentication method used by Penn websites, is not vulnerable to this issue. Neither are other parts of Penn's central identity and access management infrastructure (e.g., wireless authentication portals).
Any Penn computers determined to be vulnerable were reported immediately and are being patched as quickly as possible. When they are patched, users of these services will be contacted by the system owner if a password change is recommended.
One University-supported desktop application, WS_FTP Professional 12.x, is currently known to be vulnerable, and is being patched. An updated installer will be made available as soon as possible.
University-affiliated applications and services
The University does business with thousands of third-party vendors, and each one may respond differently to the vulnerability. If you have third-party applications or systems that you are concerned about, the first step is to check with the vendor directly to determine whether they were vulnerable and, if so, whether they have remediated the problem and whether they recommend any additional action for users.
Penn has already determined the status of several key University partners, including:
- Amazon Web Services has many components, most of which were generally not vulnerable, with some specific exceptions noted here:
- Box has patched the vulnerability. If you were not using the University’s single sign-on as your only way to log into Box, a password change is recommended.
- Google has patched the vulnerability. A password change is recommended. Talk to your Local Support Provider if you have questions or concerns about this.
Other applications and services
CNET (a respected technology news site) is maintaining a list of the top 100 most used web sites, whether they were vulnerable, and whether they have been patched. If a site was vulnerable and has been patched, a password change is recommended. Another good reference is a Mashable article.
Of course, many less popular sites will also need to be patched.
For more information
It is a good time to remember that periodic password resets are a best practice all the time, as is having unique passwords for different critical accounts. We continue to encourage all PennKey holders to enroll in Two-Step Verification, which would mitigate this risk as well as other attacks (such as phishing).
Finally, be on the lookout for fraudulent email claiming to be from companies with which you do business (including Penn), as criminals may use this event to create phishing email messages designed to trick people into divulging their passwords. No legitimate party from Penn will ever ask you to share your password, and if a campaign to change PennKey passwords was ever initiated, it would be well-communicated and easily verifiable.