2014-04-08 Instructure Advisory IAC83502 - HeartBleed TLS Vulnerability
SECURITY UPDATE |
Release Date: | 2014-04-08 (Last update can be found below the document title) |
Description: | Update on CVE-2014-0160 (aka "the heartbleed bug") |
Criticality Level: | Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
Impact: | Potential Exposure of Sensitive Data |
Systems Affected: | Canvas LMS |
Solution Status: | Closed/Resolved |
Discovered By: | IT security teams at Codenomicon and Google |
Summary:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Status:
Amazon has confirmed that all vulnerable hosted services have been patched against the Heartbleed bug. All SSL certificates and private keys for the *.instructure.com top-level domain were replaced at 12:00 PM MT on April 10, 2014. We continue to work with organizations that have "vanity" URLs (e.g. canvas.organization-name.com) to replace their SSL certificates and private keys.
Further Information:
http://www.openssl.org/news/secadv_20140407.txt (published 7th of April 2014, ~17:30 UTC)
http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities (published 7th of April 2014, ~18:00 UTC)
http://heartbleed.com (published 7th of April 2014, ~19:00 UTC)
http://www.ubuntu.com/usn/usn-2165-1/
http://www.freshports.org/security/openssl/
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
https://rhn.redhat.com/errata/RHSA-2014-0376.html
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.
https://lists.fedoraproject.org/pipermail/announce/2014-April/00320.
http://www.kb.cert.org/vuls/id/720951
https://www.cert.fi/en/reports/2014/vulnerability788210.html
https://www.cert.at/warnings/all/20140408.html
http://www.circl.lu/pub/tr-21/