Advisory ID:
SA-2014-1
Version:
all versions
Security risk:
Highly critical
Exploitable from:
Remote
Vulnerability:
Memory disclosure (buffer over-read) in OpenSSL library

Normally, SimpleID security advisories only relate to vulnerabilities found in the SimpleID software. However, due to the seriousness of this vulnerability, it is reposted here to assist in wide dissemination.

Description

A security vulnerability has been reported in the OpenSSL cryptographic library (CVE-2014-0160), popularly known as the Heartbleed Bug. A remote, unauthenticated attacker can read up to 64 KB of the server process's memory per malformed TLS heartbeat request, and can repeat the request as often as desired. The disclosed memory may contain sensitive information including user names and passwords entered by users, session data, and the private key used to secure communication with the web server. Exploitation leaves no trace in ordinary web server logs.

OpenSSL is used by many web servers to provide SSL/TLS encryption. If SimpleID is accessed over SSL/TLS (HTTPS) and your web server uses an affected OpenSSL release (1.0.1 through 1.0.1f, or 1.0.2-beta1) for that encryption, you are vulnerable to this attack regardless of the SimpleID version installed. The 0.9.8 and 1.0.0 branches do not contain the heartbeat extension code and are not affected. Note that many Linux distributions backport the fix without changing the upstream version number, so check your distribution's package changelog rather than relying on the version string alone.

Versions affected

  • All versions of SimpleID, if SimpleID is accessed using SSL/TLS (HTTPS) and the web server uses an affected OpenSSL release (1.0.1 through 1.0.1f, or 1.0.2-beta1) for SSL/TLS encryption

Solution

  • Update OpenSSL (and any web server or other software that links it statically) to a fixed version, then restart every service that loaded the old library; a running process keeps using the vulnerable code until it is restarted. Further instructions for various Linux distributions can be found below.

  • Revoke old SSL certificates, once the replacement certificate below is installed; the old private key must be assumed to have been copied by an attacker

  • Install new SSL certificates issued for a freshly generated private key; re-issuing a certificate for the old key does not help

  • Clear the SimpleID cache directory, so that associations and other state established while the server was vulnerable are discarded

  • Change the password stored in each user's identity file, and have users choose new passwords, since passwords submitted over HTTPS while the server was vulnerable may have been read from memory
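
As an added example (not SimpleID project code and not part of the original advisory), the following POSIX shell helpers carry out the steps above: classify an OpenSSL version string against the upstream Heartbleed range, generate a replacement private key and CSR, and clear the cache directory. The hostname, output directory and cache path are placeholders supplied by the caller, and the file layout is illustrative rather than SimpleID's own. The backport caveat in the comments is the check a practitioner needs before trusting the version test.

```shell
#!/bin/sh
# Added example for the SimpleID Heartbleed advisory (not SimpleID project code).
# Assumptions: hostname, output directory and cache path are given by the caller;
# paths below are illustrative, not a fixed SimpleID layout.

# heartbleed_vulnerable_version STRING
#   Returns 0 (true) if STRING names an upstream OpenSSL release that shipped the
#   bug: 1.0.1 through 1.0.1f, or 1.0.2-beta1 (fixed in 1.0.1g and 1.0.2-beta2).
#   STRING may be the full "openssl version" output or the bare version token.
#   Caveat: distributions backport the fix without bumping the upstream version
#   (Debian's 1.0.1e-2+deb7u5 is patched, for example), so a "vulnerable" result
#   means "check the package changelog", not "definitely exploitable".
heartbleed_vulnerable_version() {
    _v=$(printf '%s\n' "$1" |
         sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\2/p')
    case "$_v" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# rotate_tls_key HOST OUTDIR
#   Generates a fresh 2048-bit RSA private key and a CSR for HOST in OUTDIR.
#   Submit the CSR to your CA, install the issued certificate, and only then
#   revoke the old one. Never re-use the old key: treat it as compromised.
rotate_tls_key() {
    _host="$1"; _dir="$2"
    mkdir -p "$_dir"
    # umask in a subshell so the key is created mode 0600 without changing the
    # caller's umask
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$_dir/$_host.key" -out "$_dir/$_host.csr" -subj "/CN=$_host" )
}

# clear_simpleid_cache CACHEDIR
#   Removes every file under the SimpleID cache directory (the path configured
#   in SimpleID's config.php; passed in here rather than assumed), discarding
#   associations and other state created while the server was vulnerable.
clear_simpleid_cache() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
    find "$1" -type f -exec rm -f {} +
}

# Report on the OpenSSL actually installed on this host, if any. LibreSSL or a
# missing binary simply falls through to "not in range".
if command -v openssl >/dev/null 2>&1; then
    _installed=$(openssl version)
    if heartbleed_vulnerable_version "$_installed"; then
        echo "WARNING: '$_installed' is in the upstream Heartbleed range; verify the distro changelog"
    else
        echo "OK: '$_installed' is outside the upstream Heartbleed range"
    fi
fi
```

Run the rotation and cache steps explicitly after the library update and service restart, for example `rotate_tls_key id.example.org /etc/ssl/private && clear_simpleid_cache /var/cache/simpleid`; the version check is a sanity check only, for the backport reason given in the comment.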

Further information