Are Magento sites affected by the Heartbleed bug and, if yes, what can I do for mitigation?
2 Answers
Heartbleed is a bug in server software (OpenSSL), so it's more like a server vulnerability.
Here is a link to check whether your server is affected: http://filippo.io/Heartbleed/
The fix is just to upgrade OpenSSL to the newer version.
You can also mail your Magento customers asking them to change their password, but this will be more of a panic.
This hopefully goes without saying, but in at least three instances I've encountered, folks upgraded OpenSSL and forgot to restart the servers. – kojiro Apr 13 '14 at 12:26
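An added example (not part of either answer on this page) that turns the advice above, including kojiro's restart caveat, into a check you can run on the Magento host: it tests the reported OpenSSL version against the CVE-2014-0160 range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and then looks for processes that still map a replaced libssl. The script name heartbleed_check.sh, the version table and the /proc scan are this example's own, not Magento's or OpenSSL's; the distro-backport caveat in the comments means a version string alone is never conclusive.

```shell
#!/bin/sh
# heartbleed_check.sh - added example, not from the original answers.
# Two post-upgrade checks for a Magento host: is the OpenSSL version in the
# Heartbleed range, and is any process still running the old libssl?
# Uses POSIX sh, the openssl binary and /proc only.

# Return 0 if the OpenSSL version string ($1) is in the CVE-2014-0160 range:
# 1.0.1 through 1.0.1f and 1.0.2-beta1. Caveat: Debian/Ubuntu and others
# backport the fix without bumping the version, so "1.0.1e" may already be
# patched; confirm via the package changelog (e.g. apt-get changelog openssl)
# or the server-side check linked in the answer before declaring it safe.
heartbleed_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1|1.0.2-beta1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the PIDs of processes whose memory map still references a deleted
# libssl, i.e. the library file was replaced by the upgrade but the process
# was never restarted. $1 is the proc directory (default /proc) so the
# function can be exercised on constructed data. Needs root to read other
# users' maps. Statically linked OpenSSL (some nginx or PHP builds) will not
# show up here; those binaries must be rebuilt and restarted separately.
stale_libssl_pids() {
    procdir="${1:-/proc}"
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            pid=${maps#"$procdir"/}
            echo "${pid%/maps}"
        fi
    done
}

main() {
    ver=$(openssl version 2>/dev/null | cut -d' ' -f2)
    if heartbleed_version "$ver"; then
        echo "OpenSSL $ver is in the Heartbleed range: upgrade, or verify the distro backport"
    else
        echo "OpenSSL $ver is not in the Heartbleed version range"
    fi
    stale=$(stale_libssl_pids)
    if [ -n "$stale" ]; then
        echo "Processes still running the OLD libssl (restart them):"
        for p in $stale; do echo "  $p $(cat /proc/$p/comm 2>/dev/null)"; done
    else
        echo "No process maps a deleted libssl"
    fi
}

# Run the checks only when executed as heartbleed_check.sh, so the file can
# also be sourced for its functions.
case "${0##*/}" in heartbleed_check.sh) main ;; esac
```

Run it as root after the upgrade (`sh heartbleed_check.sh`); anything listed in the second section (typically nginx, apache2/httpd, php-fpm, postfix, dovecot, sshd) has to be restarted before the fix is actually in effect.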
Tim is correct, but I think the "panic" is correct.
Heartbleed opened your OpenSSL memory to the public; this means everybody was able to read 16 KB chunks of your memory. In this memory are stored:
- private keys
- request data
- response data
This means you have at least to upgrade your OpenSSL version (as Tim said) AND change your private key!
Besides this, attackers might be able to read the password and username, so resetting the passwords for all users is a good idea.
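An added example, not from the answer above nor from Magento, of the two follow-up steps it calls for: generating a private key that never existed while the vulnerable OpenSSL was running, proving the rotation really produced a different key and that the reissued certificate matches it, and then invalidating all stored customer passwords. The helper names, the Magento 1 EAV schema (customer_entity_varchar with a password_hash attribute) and the placeholder hash value are assumptions of this example; check them against your installation.

```shell
#!/bin/sh
# Added example (not from the original answers): rotate the TLS private key
# and force a password reset on a Magento 1 shop after Heartbleed.
# Assumes the openssl and mysql binaries; the Magento 1 schema below is an
# assumption, verify it on your own database first.
set -e

# Generate a fresh 2048-bit RSA key and a CSR for hostname $2, written to
# $1.key and $1.csr. The old key must be assumed leaked, so it is never
# reused, and the CSR goes to the CA for a reissued certificate; the old
# certificate should be revoked once the new one is installed.
new_key_and_csr() {
    out=$1; host=$2
    openssl genrsa -out "$out.key" 2048 2>/dev/null
    chmod 600 "$out.key"
    openssl req -new -key "$out.key" -out "$out.csr" -subj "/CN=$host" 2>/dev/null
}

# SHA-256 of the RSA modulus of a key ($1 = rsa), certificate ($1 = x509) or
# CSR ($1 = req) in file $2. Equal fingerprints mean the same key pair.
modulus_fp() {
    kind=$1; file=$2
    openssl "$kind" -noout -modulus -in "$file" 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.* //'
}

# Return 0 if the private key in $1 is the one certificate $2 was issued for.
key_matches_cert() {
    [ "$(modulus_fp rsa "$1")" = "$(modulus_fp x509 "$2")" ]
}

# Return 0 if the two keys differ, i.e. the rotation actually happened and
# nobody quietly reused the old key file.
keys_differ() {
    [ "$(modulus_fp rsa "$1")" != "$(modulus_fp rsa "$2")" ]
}

# Invalidate every stored Magento customer password so users must go through
# "forgot password". Assumed Magento 1 schema: customer passwords live in
# customer_entity_varchar under the password_hash attribute; the hash is
# replaced by a value that cannot match any password (no valid md5 or salt).
# Admin accounts are in admin_user.password and need the same treatment.
# Run as: MYSQL_PWD=... reset_magento_passwords magento_db magento_user
reset_magento_passwords() {
    db=$1; user=$2
    mysql -u "$user" "$db" <<'SQL'
UPDATE customer_entity_varchar
   SET value = 'reset-required'
 WHERE attribute_id = (SELECT attribute_id FROM eav_attribute
                        WHERE attribute_code = 'password_hash'
                          AND entity_type_id = (SELECT entity_type_id
                                                  FROM eav_entity_type
                                                 WHERE entity_type_code = 'customer'));
SQL
}
```

Typical use: `new_key_and_csr /etc/ssl/private/shop-2014 shop.example`, submit `shop-2014.csr` to the CA, then before switching the web server over run `keys_differ old.key shop-2014.key` and `key_matches_cert shop-2014.key shop-2014.crt`; only after the old certificate is revoked and every service restarted run `reset_magento_passwords`, and clear live sessions as well (Magento 1 keeps them in core_session or var/session/ depending on configuration) so a session cookie read from memory is worthless too.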