The Heartbleed Bug is a serious vulnerability recently discovered in the widely used OpenSSL cryptographic software library. Although OpenSSL is not directly used in Magento, it’s used on many web servers Magento is run on, providing support for secure (!) connections and transmission of sensitive data. In short – if your Magento website is properly configured, it’s very likely that your checkout process utilizes OpenSSL library at some point. Concerned?! You should be…
Heartbleed bug allows stealing of the information protected by the SSL/TLS encryption used to secure checkout process on, under normal circumstances, properly configured Magento store. Yes, it’s scary as it sounds, and yes – vulnerability is global and widespread, but don’t panic (just yet ;-)).
More information can be found in this nice video by Elastica security.
Many hosting providers have upgraded OpenSSL library, thus eliminating possible exploitation of the bug – but perform a check on your own.
1. Check for vulnerability
There are few online sites/tools that can be used to check whether your Magento site is affected by Heartbleed vulnerability:
2. How to fix?
Upgrade your OpenSSL library, or force your hosting provider to do so (if not yet done).
2.1. if you manage your own server, perform openssl update
yum update openssl
apt-get upgrade openssl
Important: restart ALL your services that use openSSL [httpd, webmin, postfix, openvpn, etc.]
2.2. if you have SSH access to your server, but don’t manage your server, check:
your openssl version:
openssl version -a
look for built on: date, if it is past 7th of April 2014. – you should be safe
3. What next?
There is no way to know if your site has been affected or exploited with this bug, so as a measure of precaution you should change all relevant passwords on your site and update all your SSL keys.
More info on Heartbleed bug can be found over here