A major vulnerability was uncovered yesterday that affects a majority of web service providers. The flaw is in OpenSSL's heartbeat extension and could enable a malicious attacker to access private keys. The bug has been present in OpenSSL since December 2011 and was brought to light yesterday. You can find more information about the exploit, termed "Heartbleed" (CVE-2014-0160), here.
Our operations team reacted immediately to this and has taken the necessary steps to secure our infrastructure, ensuring the appropriate secure versions of OpenSSL are in place.
We strongly encourage our partners who run their own servers that depend on OpenSSL to do one of the following:
- Upgrade your servers to the latest version, in which the vulnerability is fixed, or
- Recompile older versions with the OPENSSL_NO_HEARTBEATS flag.
The following is the current status of the OpenSSL versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- The OpenSSL 1.0.0 branch is NOT vulnerable
- The OpenSSL 0.9.8 branch is NOT vulnerable
- OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug
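As an added check (not part of the TokBox post), the following Python helper classifies an `openssl version` string against the version ranges listed above; the sample strings and the function names are constructed for this example.

```python
import re
import subprocess

# Matches the start of `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def heartbleed_status(version_output):
    """Classify an `openssl version` string against the ranges in the advisory.

    Returns "vulnerable", "fixed", "not vulnerable" or "not covered".
    """
    m = VERSION_RE.search(version_output)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % version_output)
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)  # patch letter; empty for a bare "1.0.1"
    if base < (1, 0, 1):
        return "not vulnerable"   # 0.9.8 and 1.0.0 branches
    if base == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are vulnerable; 1.0.1g carries the fix
        return "vulnerable" if letter < "g" else "fixed"
    return "not covered"          # 1.0.2 and later are not in the advisory's list


def local_openssl_status():
    """Run the installed `openssl version` and classify it (None if openssl is absent)."""
    try:
        out = subprocess.check_output(["openssl", "version"]).decode()
    except (OSError, subprocess.CalledProcessError):
        return None
    return heartbleed_status(out)


# Constructed sample strings in the format `openssl version` prints.
SAMPLES = {
    "OpenSSL 1.0.1e 11 Feb 2013": "vulnerable",
    "OpenSSL 1.0.1 14 Mar 2012": "vulnerable",
    "OpenSSL 1.0.1g 7 Apr 2014": "fixed",
    "OpenSSL 1.0.0k 5 Feb 2013": "not vulnerable",
    "OpenSSL 0.9.8y 5 Feb 2013": "not vulnerable",
}

if __name__ == "__main__":
    for text, expected in SAMPLES.items():
        print("%-30s -> %s (expected %s)" % (text, heartbleed_status(text), expected))
    print("local openssl:", local_openssl_status())
```

Distribution packages often backport the fix without changing the reported version string, so a "vulnerable" result from this check should be confirmed against the package changelog before acting on it.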
Note that TokBox uses non-vulnerable versions. We hope that this answers any questions you may have about the impact of CVE-2014-0160 on your OpenTok applications.
The TokBox Team