- Advisory ID:
- Versions affected: all versions
- Security risk: Highly critical
- Exploitable from:
- Vulnerability: Memory leak in OpenSSL library
Normally, SimpleID security advisories only relate to vulnerabilities found in the SimpleID software. However, due to the seriousness of this vulnerability, it is reposted here to assist in wide dissemination.
A security vulnerability has been reported for the OpenSSL cryptographic library (CVE-2014-0160), popularly known as the Heartbleed Bug. The vulnerability allows access to sensitive information including user names and passwords entered by users, as well as the private key used to secure communication with the web server.
OpenSSL is used by many web servers to provide SSL/TLS encryption. If you use SSL/TLS (HTTPS) to encrypt your connection to the SimpleID server, and your web server uses OpenSSL, you may be vulnerable to this attack.
- All versions of SimpleID, if SimpleID is accessed using SSL/TLS (HTTPS) and the web server uses OpenSSL for SSL/TLS encryption
- Update your web server software. Further instructions for various Linux distributions can be found below.
- Revoke old SSL certificates.
- Install new SSL certificates with a new private key.
- Clear the SimpleID cache directory.
- Change the passwords stored in all users’ identity files.
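An added check for the "new private key" step, not code from the SimpleID project: a certificate that is merely re-issued for the same key pair does not close the hole, because that key may already have been read from server memory. The script compares the SubjectPublicKeyInfo of the old and new certificate (DER bytes) with a small DER walker; `fake_cert` builds constructed, unsigned sample certificates so it runs offline.

```python
import hashlib

def _tlv(der, pos):
    """Parse one DER element at pos: (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_fingerprint(cert_der):
    """SHA-256 over the SubjectPublicKeyInfo element of a DER-encoded certificate."""
    _, pos, _ = _tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)        # subjectPublicKeyInfo (header included)
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def key_was_rotated(old_cert_der, new_cert_der):
    """True only if the new certificate binds a different public key."""
    return spki_fingerprint(old_cert_der) != spki_fingerprint(new_cert_der)

# --- constructed sample data (not real certificates), so the check runs offline ---
def _der(tag, content):
    """Minimal DER encoder with short- and long-form lengths."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert(spki_content, serial):
    """Unsigned certificate skeleton carrying the given SPKI body; structure only."""
    fields = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
              + _der(0x30, b"") * 4          # signature, issuer, validity, subject (empty)
              + _der(0x30, spki_content))
    return _der(0x30, _der(0x30, fields) + _der(0x30, b"") + _der(0x03, b"\x00"))

if __name__ == "__main__":
    old = fake_cert(b"\x01" * 200, b"\x01")
    print("reissue only:", key_was_rotated(old, fake_cert(b"\x01" * 200, b"\x02")))  # False
    print("new key pair:", key_was_rotated(old, fake_cert(b"\x02" * 200, b"\x03")))  # True
```

Real certificates can be converted for this check with `ssl.PEM_cert_to_DER_cert()` from the standard library.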