A severe vulnerability (CVE-2014-0160) was recently revealed in a cryptographic library called OpenSSL. OpenSSL is used on many servers to handle SSL encryption of web traffic. The people who found the vulnerability called it ‘Heartbleed’ and made a web page providing technical details.
openproject.org infrastructure
openproject.org uses Amazon Web Services as hosting provider and uses their ‘Elastic Load Balancing’ (ELB) service for SSL-termination, i.e. it does all the encryption and decryption of web traffic. This service uses the OpenSSL library and was vulnerable. On April 8th, Amazon issued a statement that the vulnerability for their ELB service had been fixed.
The vulnerability allowed an attacker to read memory from the attacked server which could include private encryption keys and other secrets. As a precaution, we revoked the previous SSL-certificate for openproject.org and are now using a new one. On modern browsers, SSL-traffic with openproject.org is encrypted with a cipher that has a property called Forward Secrecy. This property ensures that previously captured traffic can’t be decrypted later when a private key is revealed or stolen.
In addition to revoking the SSL certificates we reset all active user sessions, i.e. all users have been automatically logged out. If you want to be extra cautious, you can change your password on openproject.org.
Our source code is hosted on GitHub, which has fixed the vulnerability as well.
OpenProject installations
If you’re running your own OpenProject instance or any other service providing SSL-encryption (besides web servers, mail and database servers could also be vulnerable), please check whether you’re using a vulnerable version of OpenSSL and upgrade if necessary.
Here are some hints:
- A common way to run OpenProject is behind an Apache or nginx webserver. Both use OpenSSL for encryption, so chances are pretty high you’re using OpenSSL.
- If you update the OpenSSL library, make sure to restart your server processes afterwards. Otherwise the new OpenSSL library version might not be used.
You can find more information on vulnerable versions, how to fix it, and details about the vulnerability on http://heartbleed.com.
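As an added illustration of the two hints above (not a script from OpenProject), the following POSIX shell snippet classifies the local `openssl version` string against the upstream-affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and lists processes on a Linux host that still map a libssl file that has been replaced on disk, i.e. processes that were not restarted after the upgrade. It assumes a Linux /proc filesystem and that distributions may backport the fix without changing the version string, so the version check is a hint, not a verdict.

```shell
#!/bin/sh
# Constructed example; not part of OpenProject or the OpenSSL project.

# Return 0 (true) if an "openssl version" string falls in the range that
# upstream OpenSSL listed as affected by CVE-2014-0160, 1 otherwise.
# Caveat: distributions such as Debian/Ubuntu patched 1.0.1e in place, so
# also check the package changelog before trusting a "vulnerable" result.
heartbleed_version_is_affected() {
    set -- $1          # word-split: "OpenSSL 1.0.1e 11 Feb 2013" -> $2 = 1.0.1e
    case "$2" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;   # 1.0.1 .. 1.0.1f (and -fips builds)
        1.0.2-beta|1.0.2-beta1)        return 0 ;;   # pre-release 1.0.2 branch
        *)                             return 1 ;;   # 0.9.8, 1.0.0, 1.0.1g and later
    esac
}

# Print "PID command" for every process whose mapped libssl has been replaced
# on disk. Linux marks such mappings "(deleted)" in /proc/PID/maps; those
# processes still execute the old library and must be restarted.
# Reading other users' maps requires root.
stale_libssl_processes() {
    for m in /proc/[0-9]*/maps; do
        if grep -q 'libssl.*(deleted)' "$m" 2>/dev/null; then
            pid=${m#/proc/}; pid=${pid%/maps}
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
    return 0
}

main() {
    ver=$(openssl version 2>/dev/null) || { echo "openssl binary not found"; return 2; }
    if heartbleed_version_is_affected "$ver"; then
        echo "In affected upstream range: $ver (check distro changelog for a backport)"
    else
        echo "Not in affected upstream range: $ver"
    fi
    echo "Processes still mapping a replaced libssl (restart these):"
    stale_libssl_processes
}

# Run the check only when invoked as: sh heartbleed_check.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```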
Conclusion
We always try to keep openproject.org users safe and OpenProject itself and our infrastructure secure. If you find a vulnerability in OpenProject or our infrastructure, please contact us via email.