This week, a vulnerability in OpenSSL named “Heartbleed” was disclosed. This post is an update documenting our internal investigation of possible customer exposure and the steps we’ve taken to ensure that customer data is secure and private.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
More information: http://heartbleed.com/
AppNeta Service Status
Below are details on the steps being taken to ensure this issue is addressed in each of the AppNeta services.
TraceView’s data collection system is not SSL-based (it uses SSH private keys instead) and thus has never been vulnerable to SSL attacks like Heartbleed. All data collected by our systems was transmitted securely.
The TraceView web console is served over SSL via Amazon’s Elastic Load Balancer. Amazon has already applied updates which address the software issue. Additionally, AppNeta will be updating the SSL certificates used for TraceView within the next 24 to 48 hours. We encourage TraceView users to update their passwords as soon as possible.
For Heroku users, we have updated the SSO token to ensure secure login via the Heroku dashboard.
PathView, AppView and FlowView
All service components used within the PathView, AppView and FlowView service architectures are being upgraded out of an abundance of caution. This upgrade will be completed in the next 24 to 48 hours and will require a service restart, resulting in a short period of time during which you cannot log into the PathView service. All data collected by AppNeta appliances will be cached automatically and uploaded immediately upon the completion of that upgrade, so no data will be lost.
AppNeta network monitoring appliances, including web monitors, will be upgraded as part of this security upgrade. All customer appliance maintenance plans will be followed, and customers can define how and when their appliances are upgraded by following the steps described here. AppView Monitors will be upgraded automatically, but this process will result in a 10 to 15 minute period during which scripted transactions are not executed.