=======================================================
SB-1 2014-04-09 OpenSSL "Heartbleed" vulnerability
=======================================================

Service bulletin: SB-1
Date: April 8, 2014

The OpenSSL security library has been found to be vulnerable to an
attack that reads memory from server processes, including private
key material and session cookies. The attack is straightforward to
carry out and leaves no trace in server logs. OpenSSL is the most
common library used to implement SSL/TLS encryption, and this flaw
affects millions of servers and websites around the world. OpenSSL is
used within Bonded Internet for various security purposes. The bug is
known as Heartbleed (CVE-2014-0160; see References below).

Affected hosts
---------------

-  Management servers

Solution
---------

We took these steps to solve the vulnerability:

#. We upgraded management servers after 7 PM PST on April 8, 2014. This
   did not impact bonded customer traffic. The updated version of the
   management server package is 2014.1-6.
#. We regenerated keys used by the Bonded Internet web server.
#. For sites using self-signed SSL certificates, the certificates were
   recreated. Users received a browser SSL warning the next time they
   visited the site.
#. For sites using properly signed SSL certificates, we sent the partner
   an updated Certificate Signing Request and worked with the partner to
   update the certificate.

Bonders and aggregators use OpenSSL, but never in TLS server mode with
affected versions of the library. As such, node keys do not need to be
regenerated.
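Because the attack leaves no log entries, the only way to tell which hosts were exposed is by the OpenSSL build they run. The following is an added example, not part of this bulletin or of the Bonded Internet package, that classifies the output of ``openssl version`` against the affected range published in the OpenSSL advisory referenced below (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 fixed; 0.9.8 and 1.0.0 never affected). The function names are my own.

```python
import re
import shutil
import subprocess

# Affected range per the OpenSSL advisory secadv_20140407:
# 1.0.1 (no letter) through 1.0.1f and 1.0.2-beta1 carry the bug,
# 1.0.1g / 1.0.2-beta2 fix it, and 0.9.8 / 1.0.0 never had the
# heartbeat extension at all.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, letters, beta) from an `openssl version` line.

    Accepts "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1e-fips", "1.0.2-beta1 ...".
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, fix, letters, beta = m.groups()
    return int(major), int(minor), int(fix), letters, (int(beta) if beta else None)


def is_heartbleed_version(text):
    """True when the upstream version falls inside the affected range.

    Caveat: distributions often backport the fix without bumping the
    upstream letter (a patched build may still report 1.0.1e), so on
    such systems confirm the package version as well, as this bulletin
    does for the management server package.
    """
    major, minor, fix, letters, beta = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        return letters <= "f"      # "" (plain 1.0.1) through "f" affected
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1           # only 1.0.2-beta1 shipped with the bug
    return False                   # 0.9.8, 1.0.0 and 1.0.1g+ lineages


def local_openssl_status():
    """Classify the openssl binary on PATH; None when none is installed."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    out = subprocess.run([exe, "version"], capture_output=True,
                         text=True, check=False).stdout.strip()
    return out, is_heartbleed_version(out)


if __name__ == "__main__":
    print(local_openssl_status())
```

A version string alone cannot prove a host was never exploited; after upgrading, rotate the keys and certificates exactly as the Solution section above describes.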

References
-----------

-  http://heartbleed.com/
-  https://www.openssl.org/news/secadv_20140407.txt
-  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
