|Release Date:||2014-04-08 (Last update can be found below the document title)|
|Description:||Update on CVE-2014-0160 (aka "the heartbleed bug")|
|Criticality Level:||Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )|
|Impact:||Potential Exposure of Sensitive Data|
|Systems Affected:||Canvas LMS|
|Discovered By:||IT security teams at Codenomicon and Google|
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Amazon has confirmed that all vulnerable hosted services have been patched against the heartbleed bug. All SSL certificates and private keys for the *.instructure.com top level domain were replaced at 12:00 PM MT on April 10, 2014. We continue to work with organizations that have "vanity" URLs (e.g. canvas.organization-name.com) to replace their SSL certificates and private keys.
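One way an administrator could triage which hostnames still present a certificate issued before the replacement time stated above; this is an added example, not code from Instructure. It assumes certificate metadata shaped like the output of Python's `ssl.SSLSocket.getpeercert()` and that "MT" on that date means UTC-6; the host `school.instructure.com` and all `notBefore` values are constructed samples.

```python
import ssl
from datetime import datetime, timezone

# Replacement time from the notice: 12:00 PM MT on April 10, 2014.
# Assumption: MT was daylight time (UTC-6) on that date, i.e. 18:00 UTC.
CUTOFF = datetime(2014, 4, 10, 18, 0, tzinfo=timezone.utc).timestamp()
WILDCARD = "*.instructure.com"

def covered_by_wildcard(host, pattern=WILDCARD):
    """True if host is exactly one label under the wildcard's parent domain."""
    suffix = pattern[1:]                      # ".instructure.com"
    host = host.lower().rstrip(".")
    if not host.endswith(suffix):
        return False
    prefix = host[:-len(suffix)]
    return prefix != "" and "." not in prefix

def triage(inventory):
    """Map each host to a status string, given (host, cert_dict) pairs."""
    report = {}
    for host, cert in inventory:
        # notBefore uses the OpenSSL text form, e.g. "Apr 11 00:00:00 2014 GMT"
        issued = ssl.cert_time_to_seconds(cert["notBefore"])
        kind = "wildcard" if covered_by_wildcard(host) else "vanity"
        if issued >= CUTOFF:
            report[host] = f"{kind}: issued after cutoff"
        else:
            report[host] = f"{kind}: predates cutoff, confirm replacement"
    return report

# Constructed sample inventory (not real certificate data).
SAMPLE = [
    ("school.instructure.com", {"notBefore": "Apr 10 19:30:00 2014 GMT"}),
    ("canvas.organization-name.com", {"notBefore": "Mar 12 00:00:00 2014 GMT"}),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:32} {status}")
```

The issue date is only a first filter: it does not show whether the private key changed, so a flagged host should be confirmed by comparing the public key of the current certificate with the previous one.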
http://www.openssl.org/news/secadv_20140407.txt (published 7th of April 2014, ~17:30 UTC)
http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities (published 7th of April 2014, ~18:00 UTC)
http://heartbleed.com (published 7th of April 2014, ~19:00 UTC)