---------------------------------------------------------------------------------------------------------------
EGI BROADCAST TOOL :
https://operations-portal.egi.eu/broadcast
---------------------------------------------------------------------------------------------------------------
Publication from : David Kelsey
Targets : Generic mailing-list/WLCG Site contacts
----------------------------------------------------------------------------------------------------------------
Most EGI users will by now be fully aware of the serious vulnerability in
some versions of the OpenSSL security software. This problem, known as the
Heartbleed bug (also referred to as vulnerability CVE-2014-0160), is
extremely serious and is currently being exploited on the internet at large.
See http://heartbleed.com/ for more details.
** Advice to EGI users **
1) There is a risk that web portals, credential repositories or other
services requiring authentication via username and password may have exposed
that password. We recommend that users change these passwords.
2) The EGI.eu single-sign-on system and other core EGI.eu web services were
never vulnerable and we therefore see no immediate need for users to change
their EGI SSO passwords.
3) The EGI security team has assessed the situation and considers it very
unlikely that user-held long-lived private keys of personal IGTF X.509
certificates have been exposed anywhere in the EGI infrastructure. As such we
are *not* recommending a mass renewal of *personal* IGTF X.509 certificates.
Note that guidance on host and service certificates was handled in the EGI
advisory sent on 8th April (see below).
4) If users have questions about any specific service please contact the
service operator through the normal support channels.
Some more details on the EGI handling of this vulnerability follow, should you
wish to know more.
The Heartbleed vulnerability was announced to the world on 7th April 2014 and
the EGI security teams defined this to be a "Critical" vulnerability
requiring immediate action. An advisory was sent to all NGI and site security
contacts on 8th April and updated with new information on the 9th April. All
VO Managers were also notified later in the week.
The advisory sent to sites and services was:
https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/OpenSSL-2014-04-08
The EGI security team continues to work with all in the EGI infrastructure to
help find any remaining vulnerable services and to ensure that they are
promptly updated/fixed.
----------------------------------------------------------------------------------------------------------------
link to this broadcast :
https://operations-portal.egi.eu/broadcast/archive/id/1127
----------------------------------------------------------------------------------------------------------------