
Apache 2.4.9 servers released to address Heartbleed Vulnerability


An important vulnerability, known as Heartbleed (CVE-2014-0160), has been identified in OpenSSL versions 1.0.1 through 1.0.1f.

It is very serious and much has been written about it on the web, as it potentially affects a great many web sites. The bug lets anyone who can connect to the server read chunks of the server's memory, without leaving anything in the server's logs. The main impact is that the private key behind your SSL certificate may have been read out this way, which means the certificate itself can no longer be trusted. Somebody who has quietly obtained your site's private key can decrypt traffic to and from your web site (or impersonate it), so some of your clients' passwords may have been taken; passwords and session cookies that happened to be in the server's memory at the time can also have leaked directly.

NOTE: if you are still using a version of Apache built with OpenSSL 0.9.x, you are not vulnerable to this issue. The TLS heartbeat extension that contains the bug was only added in OpenSSL 1.0.1, so neither the 0.9.8 nor the 1.0.0 series is affected.

The suggested course of action is:

  1. Upgrade Apache to 2.4.9 using the process described under Upgrade Apache.
    • This build includes OpenSSL 1.0.1g, which fixes the specific 'Heartbleed' problem.
    • It closes the memory leak completely from this point forward. It does nothing about anything that may already have been read from the server, which is why step 2 is still needed.
    • This means that you should do it right away and then move on to step 2.
  2. Get a replacement SSL certificate from GeoTrust.
    • Artsman will contact GeoTrust on your behalf and is working on a process to get a replacement SSL certificate issued.
    • The replacement must be generated from a new private key, and the old certificate should be revoked. A certificate reissued for the old key gives no protection if that key has already leaked.
    • This will occur in conjunction with us updating your server, or in the near future.
  3. Given the nature of the vulnerability, it has been suggested on some web sites that you inform your patrons about the issue and ask them to change their password. The reason is simple:
    • Many people use the same password on many sites, such as Facebook, Amazon, their bank's web site, Theatre Manager, etc.
    • If *ANOTHER* web site such as their bank is compromised by this vulnerability, they represent a high-value target.
    • If the *Bad Guys* get a password from a high-value site, they may assume it is valid at the other places your patron visits.
    • So even if there has been no compromise at your web site, a compromise at another web site could lead to problems for your patrons, and their safety is of utmost importance.
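The two checks below are an added example for steps 1 and 2 above; they are not part of the original page and not Theatre Manager's own tooling. The first function classifies the OpenSSL release named in a banner, either the output of `openssl version` or the "OpenSSL/1.0.1g" token that Apache prints in its start-up log line, so you can confirm the upgrade actually took effect. The second compares the public key in two certificate files, to confirm that the replacement certificate was not simply reissued for the old key. It assumes the `openssl` command-line tool is installed; the file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not part of the original Artsman/Theatre Manager page):
# two checks to run after the Heartbleed procedure above.
#
#  heartbleed_status "<banner>"   classifies the OpenSSL release named in a
#      banner, either `openssl version` output ("OpenSSL 1.0.1f 6 Jan 2014")
#      or an Apache start-up log line ("Apache/2.4.9 (Unix) OpenSSL/1.0.1g
#      configured ..."). Only 1.0.1 through 1.0.1f carry the bug; 0.9.8 and
#      1.0.0 never had the heartbeat extension; 1.0.1g and later are fixed.
#      Caveat: Linux distributions often backport the fix without changing
#      the version letter, so for a distribution-packaged OpenSSL check the
#      package changelog instead. For a self-contained Apache bundle such as
#      the one described on this page, the banner is authoritative.
#
#  same_public_key old.pem new.pem   returns 0 (true) if both certificates
#      contain the same public key. A replacement certificate issued for the
#      OLD key gives no protection: if the key leaked, the new certificate
#      is just as compromised.

heartbleed_status() {
    local banner="$1" ver
    # Pull the version token that follows "OpenSSL " or "OpenSSL/".
    ver=$(printf '%s\n' "$banner" | sed -n 's|.*OpenSSL[ /]\([0-9][0-9.]*[a-z]*\).*|\1|p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    case "$ver" in
        1.0.1|1.0.1[a-f])                          echo vulnerable ;;
        1.0.1[g-z]*|1.0.[2-9]*|1.[1-9]*|[2-9].*)   echo fixed ;;   # released with or after the fix
        0.9.*|1.0.0*)                              echo never-affected ;;
        *)                                         echo unknown ;;
    esac
}

# SHA-256 of the DER-encoded public key found in a PEM certificate file.
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# True when the two certificates share a public key (bad after Heartbleed).
same_public_key() {
    [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# Example use: classify the OpenSSL that this machine's command-line tool reports.
if command -v openssl >/dev/null 2>&1; then
    echo "local openssl: $(heartbleed_status "$(openssl version)")"
fi
```

To check the certificate a live server is actually presenting, save `openssl s_client -connect yourhost:443 </dev/null 2>/dev/null | openssl x509` to a file and compare it against your old certificate with `same_public_key`; if it reports the keys are the same, the reissue has not helped and a new key pair is needed.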

This vulnerability has existed since OpenSSL 1.0.1 was released in March 2012, about two years, and was only publicly disclosed in April 2014. Whether anyone exploited it before then is unknown: exploitation leaves no trace in the server's logs, so it cannot be ruled out. This is why it is important to close it up as soon as possible and to treat the old certificate as compromised.

Note: If you are still using Apache 2.2.x as part of your Theatre Manager setup, you DO NOT HAVE THIS VULNERABILITY. You would, however, not be PCI compliant, and we suggest updating anyway.