This announcement has been archived.
Originally posted April 9, 2014.
What is the Heartbleed Vulnerability?
On April 7th, 2014, it was announced that a vulnerability had been discovered within the OpenSSL platform. OpenSSL is a security library that is commonly used to enable secure connections over the web. The vulnerability that was discovered is fairly technical (you can read more here), but the short version is that it had the potential to allow an attacker to retrieve private information from a web server.
How did Heartbleed affect Absorb LMS?
The primary servers that host the LMS were unaffected by this vulnerability as they do not use OpenSSL. However, we use a load balancer that directs traffic to our servers, and this load balancer does make use of OpenSSL. This means that an attacker could have used the vulnerability to access confidential information as it was passed from the load balancer to our primary servers. Due to the nature of Heartbleed, it is unfortunately impossible to determine if such an attack occurred. However, the scope of the web services affected by this vulnerability is so large that it is unlikely that Absorb LMS was a target.
What steps have we taken?
Our load balancing is provided by Amazon Web Services (AWS), who were able to patch the vulnerability shortly after it became common knowledge. You can read more about that here, but please note that only the Elastic Load Balancing section applied to Absorb. As an added precaution, we have reissued the SSL certificates used for both the *.absorbtraining.com and *.absorbcloud.com domains. We have also initiated a reissue for all the client-specific SSL certificates that we manage, which should be completed by April 10th, 2014.
What do I need to do?
Most of the changes that we have made will require no interaction on your part. If you are the domain approver for your certificate, you may be receiving an email confirming the reissue of your SSL certificate. Otherwise, all changes and patches have already gone live and require no additional interaction.
We will continue to follow this issue as it develops and ensure that Absorb remains up to date with the latest security developments.