By now everyone has heard about the Heartbleed bug (CVE-2014-0160). There are many articles, postings and blogs about the bug and its implications. Below I have listed some of the most useful links and articles on the vulnerability itself and on managing the situation.
Recommended reading:
The Hacker News has a list of FAQs on this vulnerability; it also includes links to PoC code and to sites/services that check whether a server is vulnerable
http://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html#
Bruce Schneier has a very interesting post on Heartbleed and its implications
https://www.schneier.com/blog/archives/2014/04/heartbleed.html
Pentura Labs has a very good writeup and includes instructions for testing whether your version of OpenSSL is affected, even if you are offline
http://penturalabs.wordpress.com/2014/04/08/yet-another-heartbleed/
The SANS Internet Storm Center diary and the SANS DFIR blog have some very good posts on this evolving situation
https://isc.sans.edu/diary/The+Other+Side+of+Heartbleed+-+Client+Vulnerabilities/17945
http://digital-forensics.sans.org/blog/2014/04/10/heartbleed-links-simulcast-etc
A large number of servers and devices are impacted; some of the vendor notifications are listed below
http://www.symantec.com/connect/blogs/detect-heartbleed-vulnerability-remediate-and-harden-your-infrastructure-control-compliance-su
http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623
http://kb.bluecoat.com/index?page=content&id=SA79
https://isc.sans.edu/diary/Heartbleed+vendor+notifications/17929
Even if your main business servers are not impacted, a web appliance, phone or other networked device on your infrastructure may still embed a vulnerable OpenSSL build and be at risk.
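As an added check, not part of the original post or of the Pentura Labs writeup it points to, here is a POSIX shell function that classifies an `openssl version` banner against the affected range: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected, 1.0.1g (released 7 April 2014) and later are fixed, and the 0.9.8 and 1.0.0 branches never had the heartbeat code. The banner strings and build dates in it are constructed test inputs; the 2014-04-07 cutoff is the 1.0.1g release date, used here as a heuristic for distribution builds that backported the fix without changing the version letter.

```shell
#!/bin/sh
# Added example (not from the original post): classify an "openssl version"
# banner against the CVE-2014-0160 affected range.
#   affected : 1.0.1 through 1.0.1f, and 1.0.2-beta1
#   fixed    : 1.0.1g (released 7 Apr 2014) and later
#   never    : 0.9.8 and 1.0.0 branches (no TLS heartbeat code)
# Caveat: Linux distributions backported the fix without changing the
# version letter, so a patched Debian/RHEL build still reports 1.0.1e.
# A build date on or after 2014-04-07 is therefore reported as
# "check-backport" rather than "vulnerable"; confirm against your
# vendor's package changelog (or test the heartbeat directly).

# heartbleed_status "<banner>" [<build date as YYYY-MM-DD>]
# Prints: not-affected | vulnerable | fixed | check-backport | unknown
heartbleed_status() {
    banner=$1
    built=$2
    # "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"
    ver=$(printf '%s\n' "$banner" | awk '{print $2}')
    case "$ver" in
        0.9.*|1.0.0*|1.1.*|3.*)
            # 0.9.8/1.0.0 predate heartbeats; 1.1.x/3.x postdate the fix
            echo not-affected ;;
        1.0.2-beta1)
            echo vulnerable ;;
        1.0.2*|1.0.1[g-z]*)
            echo fixed ;;
        1.0.1|1.0.1-*|1.0.1[a-f]*)
            # Normalise the date to YYYYMMDD so it compares as an integer;
            # anything unparseable is treated as an old (pre-fix) build.
            d=$(printf '%s' "$built" | sed 's/-//g')
            case "$d" in
                [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
                *) d=0 ;;
            esac
            if [ "$d" -ge 20140407 ]; then
                echo check-backport
            else
                echo vulnerable
            fi ;;
        *)
            echo unknown ;;
    esac
}

# Check the OpenSSL on this host. The build date comes from
# "openssl version -b" ("built on: Mon Apr  7 18:22:39 UTC 2014"); pass it
# as YYYY-MM-DD, e.g.  check_local_openssl 2014-04-07
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    heartbleed_status "$(openssl version)" "$1"
}

# Constructed banners for a stand-alone run (not real host output).
for b in "OpenSSL 1.0.1e 11 Feb 2013|2013-02-11" \
         "OpenSSL 1.0.1e-fips 11 Feb 2013|2014-04-08" \
         "OpenSSL 1.0.1g 7 Apr 2014|2014-04-07" \
         "OpenSSL 1.0.0l 6 Jan 2014|" \
         "OpenSSL 1.0.2-beta1 24 Feb 2014|"; do
    banner="${b%|*}"
    built="${b#*|}"
    printf '%-40s %s\n' "$banner" "$(heartbleed_status "$banner" "$built")"
done
```

Two things the banner check cannot tell you: a build compiled with `-DOPENSSL_NO_HEARTBEATS` (visible in `openssl version -a`) is unaffected whatever its version, and a "check-backport" result only means the package was built after the fix existed, not that the fix is in it. Treat the result as triage; the definitive answer for a backported package is the vendor changelog or one of the live heartbeat tests linked above.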
Happy Patching!