Critical OpenSSL bug ("heartbleed") - Update

Posted on Friday, 11 April 2014

The following update has been sent out to all technical or administrative contacts for entities registered with the UK Access Management Federation for Education and Research. Its purpose is to provide additional information about the "Heartbleed" vulnerability for users of the Shibboleth and Eduserv OpenAthens product lines.

If you have not seen our initial "Heartbleed" advisory, you can find it here:

We will follow up with additional information in the coming days as it becomes available.

YOU SHOULD ENSURE that the material below is reviewed by your technical staff as soon as possible, so that you can minimise the impact of this issue on your services.

More detailed information for Shibboleth and OpenAthens SPs and IdPs. If you operate software from any other source, we recommend contacting the vendor for more information.

Further Steps

We will provide more information in the coming days describing remedial action to take if your system has been vulnerable, so that you can safely replace compromised private keys where appropriate.

Please contact the UK federation helpdesk (service at if you have any additional questions about this advisory, or if you need help in determining whether your systems are vulnerable.

-- Ian Young, UK federation

Edited by SteveGlover on 11 April 2014, at 11:11 AM