As you’re likely aware, a significant vulnerability in OpenSSL, which the security community is calling “Heartbleed”, was discovered and publicized last week. It affects a component of a package that is in common use throughout the software industry.
The purpose of this blog post
Here’s what you need to know:
The Splunk Bugsense operations team is very security-conscious and takes new security threats and published vulnerabilities very seriously. Within 24 hours of the disclosure of the CVE-2014-0160 “Heartbleed” SSL bug, we took the following actions:
- All servers were immediately updated to the latest fixed version of OpenSSL (1.0.1g).
- We re-issued the special certificate the Bugsense SDKs use to communicate with the Bugsense service. This mitigates possible information leakage in the window between the disclosure of the bug and the application of the patch to the service.
- We re-issued the SSL certificate of www.bugsense.com immediately after Google announced AppEngine’s update to the latest OpenSSL version.
- We performed a full audit for possible information leaks on all public endpoints (mobile data endpoints, monitoring servers and developer tools servers) and found none.
- We reissued the SSL certificates on all SSL-enabled public endpoints (for the services described above).
- We performed a full public endpoint scan using a readily available open source tool (http://filippo.io/Heartbleed), and it found no vulnerable servers.
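For readers who want to verify the first two remediation steps on hosts they administer themselves, here is an added example (not Bugsense’s code) that checks two things: that an `openssl version` string names a build outside the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g is the fix), and that a served certificate’s `notBefore` date falls after the public disclosure on 7 April 2014, i.e. that the certificate was actually reissued and not merely left in place after patching. The version strings and certificate dates in `main()` are constructed sample values, and the hostname there is a placeholder.

```python
"""Added example: post-Heartbleed remediation checks (not Bugsense's own code)."""
import re
import socket
import ssl
from datetime import datetime, timezone

# Affected by CVE-2014-0160: OpenSSL 1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta1.
# Earlier branches (0.9.8, 1.0.0) never shipped the heartbeat extension.
VULNERABLE_101_LETTERS = set("abcdef")
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

_VERSION_RE = re.compile(r"^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def openssl_is_vulnerable(version_string: str) -> bool:
    """Return True if an `openssl version` banner names an affected build."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version_string!r}")
    major, minor, patch, letter, beta = m.groups()
    triple = (int(major), int(minor), int(patch))
    if triple == (1, 0, 1):
        # 1.0.1 and 1.0.1a..1.0.1f are affected; 1.0.1g and later are fixed.
        return letter == "" or letter in VULNERABLE_101_LETTERS
    if triple == (1, 0, 2):
        return beta == "1"  # only 1.0.2-beta1 carried the bug
    return False


def cert_reissued_after_disclosure(not_before: str) -> bool:
    """True if a certificate's notBefore (format as returned by
    ssl.SSLSocket.getpeercert(), e.g. 'Apr  8 00:00:00 2014 GMT') is later
    than the Heartbleed disclosure date."""
    issued_at = ssl.cert_time_to_seconds(not_before)
    return issued_at > HEARTBLEED_DISCLOSURE.timestamp()


def peer_cert_not_before(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the live certificate of host:port and return its notBefore string.
    Not exercised offline; provided so the check can be run against a real endpoint."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


def audit(version_string: str, not_before: str) -> dict:
    """Combine both checks into one verdict for a single host."""
    vulnerable = openssl_is_vulnerable(version_string)
    reissued = cert_reissued_after_disclosure(not_before)
    return {
        "openssl_vulnerable": vulnerable,
        "cert_reissued": reissued,
        "remediated": (not vulnerable) and reissued,
    }


def main() -> None:
    # Constructed sample inputs; replace with real `openssl version` output and
    # the notBefore from peer_cert_not_before("your.host.example").
    samples = [
        ("OpenSSL 1.0.1f 6 Jan 2014", "Mar 20 12:00:00 2014 GMT"),  # unpatched, old cert
        ("OpenSSL 1.0.1g 7 Apr 2014", "Mar 20 12:00:00 2014 GMT"),  # patched, cert not reissued
        ("OpenSSL 1.0.1g 7 Apr 2014", "Apr  9 08:30:00 2014 GMT"),  # patched and reissued
    ]
    for version, not_before in samples:
        print(version, "|", not_before, "->", audit(version, not_before))


if __name__ == "__main__":
    main()
```

The version check deliberately treats anything it cannot parse as an error rather than "safe", so a distro-patched build that reports an odd banner is flagged for manual review instead of silently passing.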
If you have any more questions on this issue, please feel free to contact us.