A serious bug was identified in OpenSSL, a popular SSL/TLS library that powers many of the web servers on the internet. This bug, called Heartbleed (CVE-2014-0160), affects OpenSSL 1.0.1 through 1.0.1f and is fixed in 1.0.1g. It allows an attacker to read chunks of a server's process memory without authentication and so access sensitive information, potentially including private keys, session cookies and passwords.
CenturyLink Cloud wants you to be aware of one impacted area identified through our comprehensive assessment: the OpenVPN software. The Linux distribution used for our OpenVPN servers does not yet have an updated, patched OpenSSL package available to remediate this vulnerability. We are actively pursuing other solutions and will have an update on this issue shortly. [Please see update and action items below]
As this issue relates to the OpenVPN software used for client VPN access, we believe it is important to detail which types of communication between users and machines may be affected by this vulnerability.
* The Control Portal is NOT affected, so there is no need to change your password for the web site.
* Site-to-site VPN tunnels from customer premises equipment to CenturyLink Cloud data centers are NOT affected.
* Site-to-site VPN tunnels between customer servers in one CenturyLink Cloud data center and customer servers in a remote CenturyLink Cloud data center are NOT affected.
* Software VPN tunnels created by a customer client computer running OpenVPN, typically used to manage/access customer servers in a CenturyLink Cloud data center, _ARE_ affected. [Please see update below]
* Customer-deployed solutions relying on OpenSSL and running in CenturyLink Cloud data centers are LIKELY affected. As the customer is responsible for the configuration and deployment of these systems, it is the customer's responsibility to remediate any affected systems. If you are running a web server in the CenturyLink Cloud and use OpenSSL to secure your website, test your website and remediate immediately: upgrade to OpenSSL 1.0.1g or to your distribution's patched package, restart every service that loaded the old library, and then assume the private key may have been exposed and reissue the certificate and any credentials that passed through the server. Note that distribution patches often keep the old version string (for example 1.0.1e), so checking `openssl version` alone does not tell you whether a host is fixed; a behavioral test against the running service does.
Follow this post for continued updates. Please contact the NOC with any questions.
[2014-04-09 10:00AM PST – Initial post]
[2014-04-09 02:00PM PST – Solution identified, validated, and being rolled out to vulnerable OpenVPN servers]
[2014-04-09 07:15PM PST – All Control-deployed OpenVPN servers have been updated. All new OpenVPN servers leverage an updated template. Customers in UC1 and VA1 should also regenerate their VPN certificates as a precaution.]