Security Issue: Demosphere’s Response to OpenSSL “Heartbleed” Vulnerability
The Development team at Demosphere has been working diligently to correct any exposure that our systems may have had to the OpenSSL “Heartbleed” vulnerability. We want to share our progress as well as steps that you can take to protect yourself going forward.
Please NOTE: Due to corrective measures, we experienced some earlier issues with the Online Registration and Team Application pages, both public and administrative. All have been resolved. Please see our Twitter page for updates (@diisupport).
OpenSSL Vulnerability: “Heartbleed Bug”
You may already be aware of this widespread vulnerability, but if not, the “Heartbleed Bug” (CVE-2014-0160) is a vulnerability in the extremely popular OpenSSL crypto library that allows nefariously-minded people to read snippets of a server’s memory contents. Most of the Internet relies on this library for private communication, so if communication that was intended to be private/secure is no longer that way, it’s a really big deal.
Our Development team has no evidence that this vulnerability has been used against any of our servers. However, such an attack would also be very difficult to detect. Therefore, we are taking actions to patch any potential vulnerability that may exist.
What could have been vulnerable?
- Our firewall is the first line of defense in a highly secure, PCI-compliant network infrastructure. It runs a secure operating system that is NOT among those categorized as vulnerable to Heartbleed.
- However, we are taking an extremely conservative view of our exposure, so we must treat our public-facing Demosphere web applications delivered over SSL, including:
  - Online Registration (OLR)
  - RosterPro Registration
  - Team Applications
  as potentially vulnerable, along with our load balancer infrastructure, which is all behind the firewall.
What’s been done?
Here is a list of the steps we are taking to correct the potential vulnerability.
- Deployed updated versions of OpenSSL to load balancers and any affected server environments.
- Replaced vulnerable versions of OpenSSL that Demosphere processes were using, and restarted those Demosphere processes.
- We are working to cycle in new SSL certificates across all services and to expire or reject the old ones.
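A defender-side check that the first two steps above actually took effect, written for this post as an added example (not Demosphere’s own tooling): it classifies an `openssl version` banner against the affected release range, and flags processes whose /proc/<pid>/maps still show a libssl/libcrypto that was replaced on disk, since such a process keeps running the old code until it is restarted. The affected-version range is taken from the public OpenSSL advisory, and the maps lines below are constructed sample input, not output from any Demosphere server.

```python
import re

# Heartbleed (CVE-2014-0160) is present in OpenSSL 1.0.1 through 1.0.1f and
# in the 1.0.2 beta releases; 1.0.1g, 1.0.0 and 0.9.8 never carried the bug.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def is_vulnerable_version(banner: str) -> bool:
    """True if an `openssl version` banner names a Heartbleed-affected build."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    release = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    if release == (1, 0, 1):
        return letter < "g"          # "" (plain 1.0.1) and a..f are affected
    if release == (1, 0, 2):
        return "beta" in banner      # only the 1.0.2 betas shipped the bug
    return False

# A process keeps executing the old library until it restarts, even after the
# file on disk was replaced; the kernel then shows the mapping as "(deleted)".
_STALE_LIB_RE = re.compile(r"/lib(?:ssl|crypto)\.so\S*\s+\(deleted\)$")

def processes_needing_restart(maps_by_process: dict) -> list:
    """maps_by_process: {label: text of /proc/<pid>/maps}. Returns the labels
    of processes still mapping a libssl/libcrypto that no longer exists on disk."""
    return sorted(label for label, maps_text in maps_by_process.items()
                  if any(_STALE_LIB_RE.search(line.rstrip())
                         for line in maps_text.splitlines()))

# Constructed sample input standing in for real /proc/<pid>/maps output.
SAMPLE_MAPS = {
    "nginx[1203]": (
        "7f3a1c000000-7f3a1c1f0000 r-xp 00000000 08:01 131102 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
        "7f3a1c400000-7f3a1c5f0000 r-xp 00000000 08:01 131090 "
        "/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n"
    ),
    "haproxy[1488]": (   # already restarted: maps the current library file
        "7f9b20000000-7f9b201f0000 r-xp 00000000 08:01 140211 "
        "/usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
    ),
}

if __name__ == "__main__":
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014"):
        print(banner, "->", "VULNERABLE" if is_vulnerable_version(banner) else "ok")
    print("restart needed:", processes_needing_restart(SAMPLE_MAPS))
```

Note that a library update alone does not clear the second check; only restarting the listed processes (or the host) does.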
What should you do?
We are encouraging all our users to act with caution. This isn’t to cause alarm, but we want people to know the facts. This is what you can do:
- Log in to OLR (if applicable) and update your password
- Log in to RosterPro (if applicable) and update your password
- Log in to WebWriter/ClubSite (if you use the Team Applications element) and update your password
Please note: It’s not mandatory that passwords be changed and there is no indication that the “Heartbleed” exploit was utilized against our systems, but changing passwords is encouraged. Plus, it is a good practice anyway. Do not use passwords from any other websites, email, or social media platforms that could themselves already be compromised. Always use a new password you have never used before.
If you have additional questions or concerns about this event, please reach out to us. You can contact us via Twitter (@diisupport) or via email at support @ demosphere.staging.wpengine.com.
We will keep you up to date on any changes or new developments. Please follow us on Twitter and keep an eye on our blog for additional information.