OpenSSL Heartbeat Vulnerability (aka: Heartbleed)

As most of our users are by now no doubt aware, on April 7th a serious vulnerability was announced in recent versions of OpenSSL.  Dubbed Heartbleed, CVE-2014-0160  allows a remote attacker to read potentially sensitive data on the server. This vulnerability has had a widespread impact on many providers.  We take security and the trust our customers place in us extremely seriously and so we wanted to take this opportunity to explain the steps we have taken over the last few days to address Heartbleed here at Solano.

Our incidence response began immediately with the release of CVE-2014-0160.  We do use SSL/TLS to secure communications between our customers and the service and between components of the service and we do use the OpenSSL implementation.  The response team began by upgrading all parts of our infrastructure, including the front end website, the core API and control plane, database servers, test environments, and ancillary services (issue trackers, workstations, and so on).  We then scheduled a downtime for the evening of April 8 to replace all of our certificates and revoke the previous certificate.  We are not aware of any compromise of the old certificate, but given the severity of CVE-2014-0160 we believe it is a best practice in this case to rekey all servers.

We continue to monitor the situation and strongly recommend that all users change their authentication tokens not only on Solano services but also with any other providers that they may use.

In summary:

  • All of our infrastructure was patched on 4/7 no later than 8pm PT
  • Fresh, re-keyed certificates were installed across our infrastructure by 4/8 11pm PT.
  • All logged in sessions were invalidated and reset after infrastructure updates

We do use Amazon Web Services to host much of our infrastructure but do not use AWS Elastic Load Balancers (ELB) to terminate SSL.  For AWS-specific information, we recommend reading Amazon’s detailed security advisories.

If you have any questions or concerns that are not addressed here, please contact us at

Post a Comment