Security Issue: Demosphere’s Response to OpenSSL “Heartbleed” Vulnerability

The Development team at Demosphere has been working diligently to correct any exposure that our systems may have had to the OpenSSL "Heartbleed" vulnerability. We want to share our progress as well as the steps you can take to protect yourself going forward.

Please NOTE: Due to the corrective measures, we experienced some earlier issues with the Online Registration and Team Application pages, both public and administrative. All of these issues have been resolved. Please see our Twitter page for updates (@diisupport).

OpenSSL Vulnerability: “Heartbleed Bug”

You may already be aware of this widespread vulnerability, but if not, the "Heartbleed Bug" (CVE-2014-0160) is a vulnerability in the extremely popular OpenSSL crypto library that allows nefariously-minded people to read snippets of a server's memory contents. Most of the Internet relies on this library to communicate privately. So, if communication that was intended to be private/secure is no longer private, it's a really big deal.

Our Development team has no evidence that this vulnerability has been used against any of our servers. However, such an attack would also be very difficult to detect, because a successful read of server memory leaves no trace in normal logs. Therefore, we are taking action to patch any potential vulnerability that may exist.

What could have been vulnerable?

  • Our firewall is the first line of defense in a highly secure, PCI-compliant network infrastructure. It uses a secure operating system that is NOT among those being categorized as vulnerable to Heartbleed.
  • However, we are taking an extremely conservative view of our exposure, so we must treat our public-facing Demosphere web applications delivered over SSL, including:
      • Online Registration (OLR)
      • RosterPro Registration
      • Team Applications
    as potentially vulnerable, along with our load balancer infrastructure, all of which sits behind the firewall.

What’s been done?

Here is a list of the steps we are taking to correct the potential vulnerability.

  • Deployed updated versions of OpenSSL to load balancers and any affected server environments.
  • Replaced vulnerable versions of OpenSSL that Demosphere processes were using, and restarted those Demosphere processes so that none continue to run with the old library loaded in memory.
  • We are working to cycle all new SSL cer­tificates and expire/reject old ones.
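The first two steps above are the ones an administrator can verify from the command line. The following POSIX shell script is an added example, not Demosphere's own tooling: it classifies an `openssl version` string against the range affected by CVE-2014-0160 (1.0.1 through 1.0.1f, and 1.0.2-beta1; 1.0.1g and later are fixed) and then lists any running process that still has an old, since-deleted libssl/libcrypto mapped, which is exactly the case a restart is meant to clear. Function names and the sample version strings are my own.

```shell
#!/bin/sh
# Heuristic classification of an "openssl version" string against the
# Heartbleed (CVE-2014-0160) range. Affected: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. Not affected: 1.0.1g and later, and the 0.9.8 / 1.0.0 branches.
# Caveat: distributions that backported the fix keep the old version number,
# so a "vulnerable" result here is a prompt to check the package changelog,
# not proof of exposure.
heartbleed_vulnerable_version() {
    # $1 is the full output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;  # affected (incl. "-fips" builds)
        1.0.2-beta1)                   return 0 ;;  # affected
        *)                             return 1 ;;  # outside the affected range
    esac
}

# After the package upgrade, a process that was not restarted keeps the old
# shared object mapped; the kernel shows the unlinked file as "(deleted)" in
# /proc/<pid>/maps. Prints one line per such process and returns 1 if any
# were found, 0 if every process is using the new library.
stale_openssl_mappings() {
    stale=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -qE 'lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            echo "pid $pid: old OpenSSL library still mapped; restart this process"
            stale=1
        fi
    done
    return $stale
}

# Stand-alone run: check the local binary, then look for processes needing a restart.
if heartbleed_vulnerable_version "$(openssl version 2>/dev/null)"; then
    echo "local OpenSSL is in the CVE-2014-0160 range: upgrade it"
else
    echo "local OpenSSL version string is outside the affected range"
fi
stale_openssl_mappings || echo "restart the processes listed above"
```

Run it as root (or with read access to every /proc/<pid>/maps) both before and after restarting services; the mapping check only sees processes whose maps it can read.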

What should you do?

We are encouraging all our users to act with caution. This isn’t to cause alarm, but we want people to know the facts. This is what you can do:

  • Log in to OLR (if applicable) and update your password
  • Log in to RosterPro (if applicable) and update your password
  • Log in to WebWriter/ClubSite (if you use the Team Applications element) and update your password

Please note: It is not mandatory that passwords be changed, and there is no indication that the "Heartbleed" exploit was used against our systems, but changing passwords is encouraged. Plus, it is a good practice anyway. Do not reuse passwords from any other websites, email, or social media platforms, since those could themselves already be compromised. Always use a new password you have never used before.

Questions?

If you have additional questions or concerns about this event, please reach out to us. You can contact us via Twitter (@diisupport) or via email at support@demosphere.com.
We will keep you up-to-date on any changes or new developments. Please follow us on Twitter and keep an eye on our blog for additional information.

Kris Baker

Kris Baker is the President of Demosphere and has been serving the Youth Sports Community since 2006.