
Bulletin-0004: The Heartbleed Bug

On April 7, the OpenSSL Project released an update to address a vulnerability nicknamed “Heartbleed”.  The vulnerability affects a substantial number of applications and services running on the Internet.  The Heartbleed Bug is a serious security vulnerability in the popular OpenSSL cryptographic software library. This vulnerability allows the stealing of information that is normally protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed vulnerability allows a hacker on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

CollaborateMD has performed an internal audit of any exposure to the recently discovered SSL vulnerability known as the Heartbleed Bug. Based on the results of our internal audit, we have properly mitigated any risks within our environment and to our services. Additional audit findings show that the likelihood of a problem occurring for our customers is relatively small. However, the overall risk is greater than any of us should be willing to challenge. Therefore, we are taking these proactive measures to ensure each of our environments remains safe and secure.

  • We are requiring each customer to change their password to ensure the safety and security of their CollaborateMD account(s).  
  • On Wednesday morning, April 16, 2014, a forced password reset will be applied to all user accounts during their next login.
  • Users who recently changed their password (on or after April 13, 2014, mid-afternoon) and prior to the forced password reset (scheduled for Wednesday morning, April 16, 2014) will not be required to reset their password.
  • We encourage all users to reset their other CollaborateMD account passwords (Idea Exchange, Self Service Portal, Collaboration Compass, CollaborateMD Portal, etc.). We do not have any evidence that passwords have been compromised, but any time a large-scale vulnerability is discovered, the safest thing to do for your account is to rotate your login credentials.
  • We recommend that you refrain from using the same username and password for multiple sites as an exposure of one site leaves all others with the same (username and password) credentials vulnerable as well.
  • We also recommend that each customer be especially vigilant with their own personal accounts and change those passwords as well. Sites like Google and YouTube as well as Facebook were all vulnerable to the Heartbleed Bug.

For further information on the Heartbleed vulnerability, please refer to http://heartbleed.com