On Monday, April 7th, 2014 a security vulnerability was disclosed in a software library called OpenSSL. Ustream, along with most of today’s major Internet services, relies on OpenSSL to encrypt and secure web traffic and private customer data. This vulnerability (identified as CVE-2014-0160; also known as Heartbleed) allows an attacker to remotely access the memory contents of servers running a vulnerable version of OpenSSL and potentially access sensitive data, including security keys, usernames and passwords.
The name “Heartbleed” comes from the particular section of the OpenSSL codebase affected by this bug, the Transport Layer Security “heartbeat” implementation. The piece of code responsible for the “heartbeat” section of the protocol leaks (or bleeds) memory to the network when an attacker sends a carefully crafted network package. Continue reading