TPS-2014-003 Important Heartbleed Notice - Action Required

We are posting this information as a follow up to prior notices on the Heartbleed bug to ensure customers have reviewed the suggested steps to identify and remediate any vulnerabilities.

Heartbleed is a security vulnerability in the OpenSSL encryption software, which is used by a large portion of the secured websites/systems on the Internet, and may also be used by you in your web sites, and/or applications hosted on the Joyent Cloud platform. For additional technical details the issue is fully described here http://heartbleed.com/.

While Joyent’s websites and API’s were NOT affected by this bug, we would like to take the opportunity to remind our customers as best practice, to regularly change the passwords they use for my.joyent.com on some regular schedule, or as reasonable.

While Joyent services themselves were not vulnerable to Heartbleed, customers may still have application/website vulnerabilities depending on their use of OpenSSL within their Virtual Machines hosted on the Joyent Cloud or elsewhere.

Accordingly all users running https services should take the following steps if you find your version of OpenSSL is affected. Update/patch OpenSSL bug for all servers running SSH or HTTPS https://help.joyent.com/entries/31378064-OpenSSL-Vulnerability-CVE-2014-0160-Heartbleed- Revoke and reissue SSL certificates for any HTTPS services running in VM’s on the Joyent Cloud Notify your end users internal or external, to change their passwords if they were used to login to an affected OpenSSL installation If you have any questions, or need assistance changing your password or updating OpenSSL and SSL Certificates, please contact Joyent via https://help.joyent.com/ or through email to support@joyent.com.