A new security vulnerability was announced yesterday (CVE-2014-0160) in OpenSSL that allows an attacker to read up to 64kB of memory. Any service that supports TLS and is using v1.0.1 or greater of the OpenSSL library is vulnerable (including web servers, mail servers, VPNs, etc.).
Ubuntu 10.04 (Lucid) has an older version of OpenSSL and is not affected by this vulnerability. Updates are now available for Ubuntu 12.04 (Precise) and above.
All our own systems and our managed customers’ systems are currently being patched and secured and we urge all other customers to apply the available updates as soon as possible. Remember to restart affected services, so they pick up the new version of the library.
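One way to confirm that services really have picked up the updated library after the upgrade, as an added example (this is not tooling from the original post; it assumes a Linux host with /proc, and the Debian/Ubuntu libssl.so.1.0.0 filename appears only in constructed sample lines):

```shell
#!/bin/sh
# Added example (not the author's own tooling): after the libssl update is
# installed, find processes still running the OLD library. Linux keeps a
# replaced shared object mapped until the process restarts, and
# /proc/PID/maps marks that mapping "(deleted)". Those services are still
# serving with the vulnerable code and must be restarted.

# True (exit 0) if a /proc/PID/maps listing on stdin contains a deleted
# OpenSSL shared object (libssl or libcrypto).
maps_has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)\.so[^[:space:]]*[[:space:]]+\(deleted\)$'
}

# Print "PID COMMAND" for every live process that needs a restart.
# Run as root; other users' maps files are otherwise unreadable and skipped.
list_stale_openssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if maps_has_stale_openssl < "$maps"; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf '%s %s\n' "$pid" "${cmd:-?}"
        fi
    done
}

# Constructed sample maps lines (addresses and inode numbers made up) showing
# what the check matches: the first is a stale mapping, the second a current one.
SAMPLE_STALE='7f2e4c800000-7f2e4c85f000 r-xp 00000000 08:01 262401 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'
SAMPLE_FRESH='7f2e4c800000-7f2e4c85f000 r-xp 00000000 08:01 262577 /lib/x86_64-linux-gnu/libssl.so.1.0.0'

# Classify one maps line; prints "stale" or "current".
classify_maps_line() {
    if printf '%s\n' "$1" | maps_has_stale_openssl; then echo stale; else echo current; fi
}

if [ "${1:-}" = "--scan" ]; then
    list_stale_openssl_pids          # real scan of this host
else
    classify_maps_line "$SAMPLE_STALE"   # stale
    classify_maps_line "$SAMPLE_FRESH"   # current
fi
```

Run with `--scan` as root after the upgrade; an empty result means every process has the new library loaded, while any listed PID still needs a restart.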
It’s important to note that an attacker could have read data from your server, such as private keys, passwords, cookies etc. There is currently no evidence that this vulnerability was known to attackers before it was announced yesterday, but it would be very difficult to know for sure if you’ve been targeted. We recommend you make your own risk assessment and take appropriate action (such as obtaining a new certificate and key, changing passwords etc.). A detailed summary of the vulnerability and its impact is available at heartbleed.com.