Security vulnerability CVE-2014-0160, commonly known as "Heartbleed," was disclosed by web security experts on Monday, April 7, 2014. This bug affects a specific version of OpenSSL, a popular web security library.
Code42 has performed the following steps:
- Code42 applied the recommended patch as of April 8, early morning CDT (-05:00 GMT) to vulnerable sections of our website to prevent CVE-2014-0160 exploits.
- As a best practice and precautionary measure, all SSL certificates for our websites and public cloud services were revoked and replaced as of April 10, mid-afternoon CDT (-05:00 GMT).
Code42 products, including the CrashPlan and SharePlan applications, do not utilize the technologies vulnerable to CVE-2014-0160.
The CrashPlan app, CrashPlan mobile app, SharePlan app, SharePlan mobile app, and administration console use security technologies that are unaffected by CVE-2014-0160.
We recommend that Code42 customers take the following action:
Now that Code42 has replaced the SSL certificates for our websites and cloud services, we recommend that you change your Code42 account password.
Enterprise private cloud customers:
- If the SSL certificate you use for CrashPlan or SharePlan administration was also in use on an affected system (for example, your Code42 enterprise server uses a wildcard certificate that is also used on another web server), we recommend replacing your SSL certificate. Instructions for updating your SSL certificate are available on our support site. We also recommend that you instruct users to change their Code42 passwords once SSL certificate replacement is complete.
- Managed Private Cloud customers: Replacing the SSL certificate on a managed appliance is done through the administration console and does not require access to the managed appliance itself.
Additional information about CVE-2014-0160 is available at http://heartbleed.com/
If you have questions or concerns about your Code42 account, please contact our Customer Champions.