A serious security flaw has been identified in the OpenSSL cryptographic libraries, with details being first published on 7 April 2014, classified under CVE-2014-0160 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160).
If compromised, this vulnerability can allow an attacker to read the memory of the affected system through repeated “heartbeat” requests, disclosing private keys, user data, and other potentially sensitive information. More details of this vulnerability has been published by one of the discovering organizations, Codenomicon, and can be read on their direct site: http://heartbleed.com.
Upon discovery of this vulnerability, Pexip immediately assessed the nature of the attack and determined that our cryptographic libraries are susceptible to these attacks. The issue was immediately mitigated through upgrading our OpenSSL libraries. These upgrades are included in the Pexip Infinity V4 software release, planned for public consumption on or before 15 April 2014.
We highly recommend that all customers upgrade to Pexip Infinity V4. This will resolve the open issue, so that future attacks will be prevented.
Additional actions - changing passwords
To further protect your deployment, Pexip highly recommends that all passwords – both for the affected system and those in remote contact with the affected system – are changed immediately after upgrading to V4 in order to prevent any compromised information from creating future problems.
Download PDF below for further details.