You may have recently heard about the “Heartbleed” vulnerability; this update is to provide you with a status on Lithium’s remediation plan. We have been working around the clock since shortly after the vulnerability was announced to remediate this issue. Details on this issue are available at http://heartbleed.com/.
Our remediation plan was to:
1. Upgrade OpenSSL to version 1.0.1g.
2. Update signatures for IDS security devices.
3. Rekey exposed SSL certificates.
Steps 1 and 2 were obvious, but rekeying the SSL certificates was done as a safety precaution. We have completed all 3 steps as of yesterday, 4/9/2014.
The patching and IDS signatures were completed on 4/8/14.
The Lithium SSL certificate rekey process was completed on 4/9/14.
Are All Customer Sites Safe Now?
Yes, all customer sites are now safe from this vulnerability. All customer sites have a safe version of OpenSSL running. All customers using Lithium SSL certificates have been rekeyed. Customers that are not using Lithium SSL certificates will be notified separately to supply new SSL certificates if they choose to do so.
Were Any Sites Compromised?
Unfortunately, due to the nature of this vulnerability, it’s impossible to detect any compromise attempts made before the security measures were implemented. We have taken all necessary steps to make sure the security flaw was resolved promptly.
What Else Can Customers Do?
As an optional step, customers that are highly security sensitive might consider resetting community passwords, at least for any highly privileged accounts such as moderators and admins.
For any questions or concerns, please contact Lithium Customer Support.