CERT-UK is aware of reports of a vulnerability (CVE-2014-1060, also known as the ‘Heartbleed Bug’) affecting versions 1.0.1 to 1.0.1f of the OpenSSL cryptographic library. The vulnerability potentially permits the theft of information normally protected by SSL/TLS encryption, and could affect applications used for web hosting, email, instant messaging and virtual private networks. The exposed information could include sensitive data such as secret keys, user credentials and traffic content. The vulnerability may have existed since as early as December 2011. Further detail is available here and in OpenSSL’s recent post.
Organisations running vulnerable versions of OpenSSL libraries should upgrade to 1.0.1g as soon as possible.
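As an aid to identifying affected hosts, the following shell function (an added example, not part of the original advisory) classifies an OpenSSL version string against the range stated above. The function name, the result labels and the sample banners are assumptions made for illustration. Pre-release builds are reported as unknown because the advisory does not cover them, and a vendor may backport a fix without changing the version letter, so an in-range result should be confirmed against the vendor's package changelog.

```shell
#!/bin/sh
# Classify an OpenSSL version string against the advisory's stated range:
# 1.0.1 through 1.0.1f are affected; 1.0.1g is the fixed release.
# Prints one of: in-affected-range, outside-affected-range, unknown.
# (Function name and labels are hypothetical, chosen for this example.)
classify_openssl_version() {
    input=$1
    # Accept a bare version ("1.0.1e") or a full banner
    # ("OpenSSL 1.0.1e 11 Feb 2013"): drop the product name, keep first token.
    input=${input#OpenSSL }
    ver=${input%% *}

    # The advisory does not mention pre-release builds, so do not guess.
    case $ver in
        *-beta*|*-pre*|*-dev*) echo unknown; return 0 ;;
    esac

    # Strip build suffixes such as "-fips" before comparing.
    ver=${ver%%-*}

    case $ver in
        1.0.1|1.0.1[a-f])      echo in-affected-range ;;
        1.0.1[g-z])            echo outside-affected-range ;;
        [0-9]*.[0-9]*.[0-9]*)  echo outside-affected-range ;;
        *)                     echo unknown ;;
    esac
}
```

To check the library used by the local command-line tool, pass it the output of `openssl version`; applications that bundle or statically link their own OpenSSL copy need to be checked separately.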
Further information has been made available to members on the Cyber-security Information Sharing Partnership portal.