OpenSSL Heartbleed Security Update

Yesterday the OpenSSL Project released an update to address the CVE-2014-0160 vulnerability, nicknamed “Heartbleed.” This serious vulnerability affects a substantial number of applications and services running on the internet, including Heroku.

All Heroku users should update their passwords as a precautionary measure. If you are currently running the SSL Endpoint add-on, you should re-key and reissue your certificate and update it as it may have been exposed. As of Tuesday, April 8 at 15:55 UTC, all Heroku certificates, infrastructure, and Heroku Postgres have been updated and are no longer vulnerable. Continue reading for further details on each affected vector.

Vulnerability Details

This vulnerability can be remotely exploited to leak encryption secrets from Heroku applications, allowing an attacker to retrieve the private key used for SSL encryption and decode data obtained by intercepting traffic. Since this vulnerability potentially exposes the private key used for encryption, we strongly advise that you replace both the private key and certificate as soon as possible.

Your Heroku Password

We encourage all Heroku users to update their Heroku account passwords. We do not have any evidence that passwords have been compromised, but given the amount of time that this vulnerability was in existence the safest thing to do for your account is to rotate your Heroku credentials. You can reset your Heroku password here.

Custom Domain SSL

We have worked with our infrastructure provider to update OpenSSL on all SSL Endpoints. However, since this vulnerability made it possible for an attacker to compromise a private key for an extended period of time, we strongly suggest that you create a new private key and update your endpoint. Please contact your SSL certificate provider if you have questions about generating a new private key.

For customers of our legacy Hostname SSL, please upgrade to the current SSL Endpoint add-on.

The *.herokuapp certs have been rekeyed and updated, meaning we sent new certificate requests (CSR) to our CA signed with new private keys, but with the same info. This is why you will not see new dates when checking the cert.

Important Note: We advise you to not get your certificate reissued until you are ready to update your endpoint. Once you issue a new private key, your certificate provider may invalidate your previous certificate.

Heroku Certificates

Since this attack could have potentially exposed our own certificates, we've obtained new certificates for Heroku properties as a precaution.

Heroku Postgres

All Heroku Postgres instances used the affected version of OpenSSL. This affects the libpq SSL connection, which we require on all Postgres databases to ensure your data is safe. Upon discovery, we rolled out a new version of OpenSSL, then restarted the Postgres process and other processes using OpenSSL. As a result, this update may have resulted in a few seconds of downtime for your database.

As an extra precaution, we encourage you to update your database credentials with heroku pg:credentials HEROKU_POSTGRESQL_COLOR --reset

Summary

As of Tuesday, April 8 at 15:55 UTC, all Heroku certificates, infrastructure, and Heroku Postgres have been updated and are no longer vulnerable to CVE-2014-0160 vulnerability, nicknamed “Heartbleed.”

All Heroku users should update their passwords as a precautionary measure. If you are currently running an ssl:endpoint endpoint, you should re-key and update your certificate as your private key or other data may have been exposed. If you are running the legacy SSL hostname add-on, you should migrate to SSL endpoint.

While we're confident that all of the aforementioned vectors have been addressed, we are continuing to monitor the situation and have a heightened eye to potential abuse on the Heroku platform.

Thank you for your patience while we worked on resolving this issue. As always, please don’t hesitate to let us know if you have any additional questions or concerns.

Browse the blog archives or subscribe to the full-text feed.