Dear All,

GridPP and WLCG operate as part of the European Grid Infrastructure (EGI). Our follow-up and handling of issues related to the OpenSSL Heartbleed vulnerability, of which you are no doubt already aware (http://heartbleed.com/), is therefore being coordinated as part of the EGI Security Team wide response. 

Our sites have been very active since the vulnerability was announced and from a core infrastructure perspective we have done everything we can to minimise continued exposure. Alongside this work, various experts have been assessing and discussing what needs to happen from a user perspective. That team have now issued advice to users in the form that I forward with this message (sorry for any duplication with other communications you have received). I would be grateful if you could take a few minutes to review the advice - thank you.

If you have any questions related to this message please direct them to: [log in to unmask]. This is the same email address to which suspected or actual security incidents on our infrastructure should be reported.

regards,
Jeremy Coles
GridPP operations

Begin forwarded message:

From: EGI BROADCAST <[log in to unmask]>
Subject: [ EGI BROADCAST ] OpenSSL Heartbleed vulnerability - advice to EGI users
Date: 16 April 2014 11:27:00 BST
To: Generic mailing-list/WLCG Site contacts <[log in to unmask]>

---------------------------------------------------------------------------------------------------------------
EGI BROADCAST TOOL : https://operations-portal.egi.eu/broadcast

---------------------------------------------------------------------------------------------------------------
Publication from : david kelsey <[log in to unmask]>
Targets : Generic mailing-list/WLCG Site contacts <[log in to unmask]>
----------------------------------------------------------------------------------------------------------------



Most EGI users will by now be fully aware of the serious vulnerability in
some versions of the OpenSSL security software. This problem, known as the
Heartbleed bug (also referred to as vulnerability CVE-2014-0160), is
extremely serious and is currently being exploited in the internet at large.

See http://heartbleed.com/ for more details about this.

** Advice to EGI users **

1) There is a risk that web portals, credential repositories or other
services requiring authentication via username and password may have exposed
that password. We recommend that users change these passwords.

2) The EGI.eu single-sign-on system and other core EGI.eu web services were
never vulnerable and we therefore see no immediate need for users to change
their EGI SSO passwords.

3) The EGI security team has assessed the situation and considers it very
unlikely that user-held long-lived private keys of personal IGTF X.509
certificates have been exposed anywhere in the EGI infrastructure. As such we
are *not* recommending a mass renewal of *personal* IGTF X.509 certificates.
Note that guidance on host and service certificates was handled in the EGI
advisory sent on 8th April (see below).

4) If users have questions about any specific service please contact the
service operator through the normal support channels.

Some more details on the EGI handling of this vulnerability follow should you
wish to know more.

The Heartbleed vulnerability was announced to the world on 7th April 2014 and
the EGI security teams defined this to be a "Critical" vulnerability
requiring immediate action. An advisory was sent to all NGI and site security
contacts on 8th April and updated with new information on the 9th April. All
VO Managers were also notified later in the week.

The advisory sent to sites and services was:

https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/OpenSSL-2014-04-08

The EGI security team continues to work with all in the EGI infrastructure to
help find any remaining vulnerable services and to ensure that they are
promptly updated/fixed.

----------------------------------------------------------------------------------------------------------------
link to this broadcast :
https://operations-portal.egi.eu/broadcast/archive/id/1127
----------------------------------------------------------------------------------------------------------------