by Philip Molter, co-CTO Golden Frog
OpenSSL announced today a high-severity vulnerability in the OpenSSL library (CVE-2015-1793). The vulnerability allows attackers to forge certificates and, in some cases, have those certificates trusted. For example, the bug could allow a malicious server to represent itself as a Golden Frog server to vulnerable clients.
We wanted to let all our Golden Frog users know that our services and clients are not vulnerable to this bug. The bug affects only very recent versions of OpenSSL, and our servers and software use stable versions of OpenSSL that include only backported security fixes, not new features like the one that introduced this bug. In addition, where possible, our apps leverage the SSL libraries provided by the customer’s operating system, and almost all standard OS releases are not vulnerable to this bug. You should only be concerned if you run a custom system on which you have installed a very recent version of OpenSSL yourself. In that case, you should update your version of OpenSSL to the latest patched release.
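One way to act on the advice above on a custom system is a small script that reads the installed OpenSSL version and tells you whether it is older than the patched release you have been told to install. This is an added example and not Golden Frog's code: the affected and patched release numbers are not given on this page and must be taken from the OpenSSL advisory for CVE-2015-1793, and the version strings used in the usage line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Golden Frog's code: flag an OpenSSL build that is older than
# the patched release you have been told to install. It understands the pre-1.1
# scheme "major.minor.fix" plus an optional patch letter ("1.0.2c"), which is how
# the 1.0.x line is numbered. The real patched release number comes from the
# OpenSSL advisory, not from this script; sample versions here are constructed.

# Turn a version such as "1.0.2c" into a zero-padded key "001.000.002.003" so
# keys compare correctly as plain strings. The patch letter becomes a 1-based
# index (a=1, b=2, ...); a version with no letter gets 0, which sorts before "a".
# A distro build suffix such as "-fips" is dropped before parsing.
openssl_version_key() {
    ver=$(printf '%s' "$1" | sed 's/-.*$//')
    numeric=$(printf '%s' "$ver" | sed 's/[a-z]*$//')
    letter=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')
    if [ -n "$letter" ]; then
        letter_index=$(( $(printf '%d' "'$letter") - 96 ))
    else
        letter_index=0
    fi
    oldifs=$IFS; IFS=.; set -- $numeric; IFS=$oldifs
    printf '%03d.%03d.%03d.%03d' "${1:-0}" "${2:-0}" "${3:-0}" "$letter_index"
}

# Succeed (exit 0) only when the installed version sorts strictly before the
# patched one, i.e. the system still needs the update.
openssl_needs_update() {
    installed=$(openssl_version_key "$1")
    patched=$(openssl_version_key "$2")
    [ "$installed" != "$patched" ] &&
        [ "$(printf '%s\n%s\n' "$installed" "$patched" | LC_ALL=C sort | head -n 1)" = "$installed" ]
}

# Pull the version field out of the banner that `openssl version` prints
# (e.g. "OpenSSL 1.0.2c 12 Jun 2015"). Fails if no openssl binary is on PATH.
openssl_installed_version() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl version 2>/dev/null | awk '{ print $2 }'
}

# Usage: sh check_openssl.sh <patched-version>
# where <patched-version> is the release named in the OpenSSL advisory.
if [ "$#" -eq 1 ]; then
    current=$(openssl_installed_version) || { echo "openssl not found on PATH"; exit 2; }
    if openssl_needs_update "$current" "$1"; then
        echo "OpenSSL $current is older than $1: update this system"
        exit 1
    fi
    echo "OpenSSL $current is at or past $1: no update needed for this advisory"
fi
```

The check only covers the system copy of OpenSSL found on PATH; an application that bundles its own OpenSSL (statically linked or shipped alongside the binary) has to be checked separately against the vendor's own advisory.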
Since the Heartbleed vulnerability, OpenSSL has taken to pre-announcing high and critical severity bugfixes. Because of this, some media outlets are hyping these upcoming releases as “the next Heartbleed.” So far, that hasn’t been the case, and it is certainly not the case here.