On April 7 the OpenSSL Project released an update to address a detected vulnerability (CVE-2014-0160) in their software. OpenSSL is a common software package installed across multiple Linux Operating system flavors, including Redhat, CentOS, Debian, Ubuntu and others. This vulnerability has been nicknamed Heartbleed.

Vulnerability Details

The Heartbleed vulnerability can be remotely executed to leak encryption data including private keys from SSL servers. An attack can obtain an SSL server’s private key, and then in turn use that to intercept, read and/or alter HTTPS traffic. There is no known logs or records that indicate whether the exploit has been used on a particular server.

Who Does This Impact

This impacts any Linux based server running a particular version of OpenSSL. So this could impact customers with SSL secured websites on any of our cloud-based Web and Reseller servers and Linux-based Virtual Servers, Cloud Virtual Servers or Dedicated Servers.

What We Have Done

On April 8, we audited all our critical infrastructure (including our Web and Reseller hosting platforms) to confirm what services were impacted. On April 9, we patched any critical infrastructure that was open to this vulnerability including our cloud-based Web and Reseller platform. Note, our physical shared / reseller servers were not impacted. As of April 10, we have prepared documentation to assist our VPS and Dedicated Server customers to patch their services.

What You Should Do

The actions you should follow do vary depending on what service you have with us. Please consider the following.

Web & Reseller Hosting

We have patched all our Web & Reseller Hosting servers already. However there are some additional actions you should consider:

• Update any passwords associated with your service including but not limited to, cPanel password, FTP password, email passwords. Whilst we have no evidence to suggest passwords have been compromised, it is always good practice to change your passwords during security events like this.

• If you use SSL with your website or application and your hosting is located on an impacted server, please consider having your SSL Certificate re-issued. This can be done by contacting your Certificate Authority whom you purchased your SSL from. Re-issuing does not incur any additional fees.

Note: Any customers whom purchased a certificate from us, please see the following SSL Re-issue KB Article.

Note: Any customers whom purchased a certificate from a third party, please contact your third party for instructions on how to re-issue your purchased certificate. We will waive the third party SSL installation fee (for Web & Reseller Hosting customers).

Virtual Server, Cloud VPS, Blaze VPS and Dedicated Servers

• Read and action the following KB article which explains how to check if your service is impacted by this vulnerability and then explains the steps to update and patch. If you are a Fully Managed customer, then please contact our Support team who can do this for you.

• Update any passwords associated with your service, including your root server password. Whilst we have no evidence to suggest passwords have been compromised, it is always good practice to change your passwords during security events like this. If you are a Fully Managed customer, then please contact our Support team  who can do this for you.

• If you use SSL with your website or application and your hosting is located on an impacted server, then you should consider getting your purchased SSL Certificate re-issued. This can be done by contacting your Certificate Authority whom you purchased your SSL from. Re-issuing does not incur any additional fees.

Note: Any customers whom purchased a certificate from us, please see the following SSL Re-issue KB Article.

Note: Any customers whom purchased a certificate from a third party, please contact your third party for instructions on how to re-issue your purchased certificate. If you have any questions or concerns, or are not sure how to proceed, please don’t hesitate to contact our support team.