A critical vulnerability in OpenSSL (CVE-2014-0160: OpenSSL Private Key Disclosure Vulnerability) was recently disclosed, which affects servers running OpenSSL 1.0.1 through 1.0.1f, estimated at "over 17% of SSL web servers which use certificates issued by trusted certificate authorities.” The vulnerability essentially compromises the integrity of SSL encryption, allowing attackers to steal sensitive data from this secure channel.
The vulnerability, also know as the Heartbleed bug, most severely impacts enterprise servers running vulnerable versions of OpenSSL, and in a worst-case scenario could expose end-user communication over SSL encryption.
Palo Alto Networks immediately addressed this vulnerability, ensuring our customers are protected against exploitation of Heartbleed, including the following updates:
To be clear, Palo Alto Networks software is not vulnerable, and customers with a Threat Prevention subscription, and their users, are protected from Heartbleed. We advise that all Threat Prevention users ensure they are running the latest content version on their device.
Furthermore, we recommend that all enterprises update their web servers to the latest patched version of OpenSSL available as of April 7, 2014 (1.0.1g), and immediately replace SSL private keys after the patch is in place. Given the close relationships many of you have with your vendors and partners, it is important that you help identify vulnerable systems, and notify partners immediately.
As an end-user, continue to practice good Internet hygiene, such as not accessing public Wi-Fi hotspots, clicking on unknown links in email, or downloading and opening suspicious files.
More:
Have questions? Please reach out to your existing rep or partner, or contact us online or call 866.320.4788.
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.