OpenSSL Heartbleed Security Update
Posted by Craig Kerstiens
Yesterday the OpenSSL Project released an update to address the CVE-2014-0160 vulnerability, nicknamed “Heartbleed.” This serious vulnerability affects a substantial number of applications and services running on the internet, including Heroku.
All Heroku users should update their passwords as a precautionary measure. If you are currently running the SSL Endpoint add-on, you should re-key and reissue your certificate and update it as it may have been exposed. As of Tuesday, April 8 at 15:55 UTC, all Heroku certificates, infrastructure, and Heroku Postgres have been updated and are no longer vulnerable. Continue reading for further details on each affected vector.
This vulnerability can be remotely exploited to leak encryption secrets from Heroku applications, allowing an attacker to retrieve the private key used for SSL encryption and decode data obtained by intercepting traffic. Since this vulnerability potentially exposes the private key used for encryption, we strongly advise that you replace both the private key and certificate as soon as possible.
We encourage all Heroku users to update their Heroku account passwords. We do not have any evidence that passwords have been compromised, but given the amount of time that this vulnerability was in existence the safest thing to do for your account is to rotate your Heroku credentials. You can reset your Heroku password here.
We have worked with our infrastructure provider to update OpenSSL on all SSL Endpoints. However, since this vulnerability made it possible for an attacker to compromise a private key for an extended period of time, we strongly suggest that you create a new private key and update your endpoint. Please contact your SSL certificate provider if you have questions about generating a new private key.
For customers of our legacy Hostname SSL, please upgrade to the current SSL Endpoint add-on.
The *.herokuapp certs have been rekeyed and updated, meaning we sent new certificate signing requests (CSRs) to our CA, signed with new private keys but carrying the same subject information. This is why you will not see new dates when checking the cert.
Important Note: We advise you to not get your certificate reissued until you are ready to update your endpoint. Once you issue a new private key, your certificate provider may invalidate your previous certificate.
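The re-key procedure described above, as an added example (not Heroku's code): it generates a new private key and a CSR with unchanged subject information, then checks which private key a certificate actually embeds, since a re-keyed certificate may keep its old validity dates and the public-key fingerprint is the reliable check. The subject values are constructed placeholders and the local self-signing step stands in for your CA.

```shell
#!/bin/sh
# Added example, not Heroku's code: re-key a certificate (new private key, same
# subject info) and verify which private key a certificate belongs to by
# comparing public-key fingerprints rather than validity dates.
set -e

# Constructed placeholder subject, not a real Heroku endpoint.
SUBJECT="/CN=www.example.com/O=Example Inc"

# Create a fresh 2048-bit RSA key ($1) and a CSR ($2) carrying subject $3.
gen_key_and_csr() {
  openssl genrsa -out "$1" 2048 2>/dev/null
  openssl req -new -key "$1" -out "$2" -subj "$3" 2>/dev/null
}

# Stand-in for the CA (constructed for the demo): self-sign CSR $1 with key $2 into cert $3.
sign_csr_locally() {
  openssl x509 -req -in "$1" -signkey "$2" -out "$3" -days 365 2>/dev/null
}

# SHA-256 fingerprint of the public key derived from a private key file.
pubkey_fp_from_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key embedded in a certificate.
pubkey_fp_from_cert() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if certificate $1 was issued for private key $2.
cert_matches_key() {
  [ "$(pubkey_fp_from_cert "$1")" = "$(pubkey_fp_from_key "$2")" ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# "Old" key pair: the one assumed to have been exposed.
gen_key_and_csr "$WORK/old.key" "$WORK/old.csr" "$SUBJECT"
sign_csr_locally "$WORK/old.csr" "$WORK/old.key" "$WORK/old.crt"
# Re-key: brand-new private key, identical subject information.
gen_key_and_csr "$WORK/new.key" "$WORK/new.csr" "$SUBJECT"
sign_csr_locally "$WORK/new.csr" "$WORK/new.key" "$WORK/new.crt"

cert_matches_key "$WORK/new.crt" "$WORK/new.key" && echo "new cert matches new key"
cert_matches_key "$WORK/new.crt" "$WORK/old.key" || echo "new cert does not match old key: re-key confirmed"
```

Run the same `cert_matches_key` check against the certificate your CA returns and the key you uploaded to the endpoint; if it still matches the old key, the reissue did not actually re-key.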
Since this attack could have potentially exposed our own certificates, we've obtained new certificates for Heroku properties as a precaution.
All Heroku Postgres instances used the affected version of OpenSSL. This affects the libpq SSL connection, which we require on all Postgres databases to ensure your data is safe. Upon discovery, we rolled out a new version of OpenSSL, then restarted the Postgres process and other processes using OpenSSL. This update may have caused a few seconds of downtime for your database.
As an extra precaution, we encourage you to update your database credentials with:
heroku pg:credentials HEROKU_POSTGRESQL_COLOR --reset
As of Tuesday, April 8 at 15:55 UTC, all Heroku certificates, infrastructure, and Heroku Postgres have been updated and are no longer vulnerable to CVE-2014-0160, nicknamed “Heartbleed.”
All Heroku users should update their passwords as a precautionary measure. If you are currently running an SSL Endpoint (the ssl:endpoint add-on), you should re-key and update your certificate, as your private key or other data may have been exposed. If you are running the legacy SSL hostname add-on, you should migrate to SSL Endpoint.
While we're confident that all of the aforementioned vectors have been addressed, we are continuing to monitor the situation and are watching closely for potential abuse on the Heroku platform.
Thank you for your patience while we worked on resolving this issue. As always, please don’t hesitate to let us know if you have any additional questions or concerns.