TITLE: OpenSSL Memory Leak Vulnerability (Heartbleed Bug)
QID: 42430
CVE: CVE-2014-0160
OS: Windows Server 2008 R2 Standard 64 bit Edition Service Pack 1
SUMMARY: A critical vulnerability has been discovered in the OpenSSL cryptography library. This vulnerability, which affects all OpenSSL versions from 1.0.1 to 1.0.1f, allows attackers to eavesdrop on any connection secured by an affected OpenSSL build. Remote attackers can force the server to disclose its private key, which can then be used to decrypt sensitive information such as usernames, passwords and message content.
SOLUTION: Update OpenSSL to version 1.0.1g to resolve this issue.
STEPS TO PERFORM THE SOLUTION:
1. Verify the currently installed version of OpenSSL by running the following command:
openssl version -a
2. OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable.
If the installed version is in the range 1.0.1 through 1.0.1f, update to version 1.0.1g to resolve the vulnerability.
3. Download the update and install as per the directions from the software provider.
4. Once the update is installed, either reboot the server, or identify the services that still have the old (now deleted) OpenSSL library loaded and restart them. On Linux/Unix systems, this command lists processes holding a deleted SSL library file:
sudo lsof -n | grep ssl | grep DEL
IMPORTANT! Ensure that you have backed up your important data before applying any updates.
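The following script, added here as a worked example and not part of the original advisory, automates steps 1 and 2: it extracts the version token from `openssl version -a` output and classifies it against the advisory's vulnerable range (1.0.1 through 1.0.1f inclusive), including vendor-suffixed strings such as `1.0.1e-fips`. It assumes a POSIX shell with `openssl` on the PATH; the function names are the example's own. Because it checks only the version string, a vendor build that backported the fix while keeping a 1.0.1e version string would still be reported as vulnerable, so confirm against your vendor's package changelog before acting on the result.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an OpenSSL version string
# as Heartbleed-vulnerable (CVE-2014-0160) or not.
# Vulnerable range per the advisory: 1.0.1 through 1.0.1f inclusive.
# Limitation: version-string check only; distro backports that keep an old
# version string are not detected here.

# heartbleed_vulnerable VERSION
#   prints "vulnerable" (exit 0), "not vulnerable" (exit 1) or "unknown" (exit 2)
heartbleed_vulnerable() {
    ver="$1"
    case "$ver" in
        "")
            echo "unknown"; return 2 ;;
        # 1.0.1 (no letter), 1.0.1a..1.0.1f, optionally with a vendor suffix
        1.0.1|1.0.1[a-f]|1.0.1-*|1.0.1[a-f]-*)
            echo "vulnerable"; return 0 ;;
        *)
            echo "not vulnerable"; return 1 ;;
    esac
}

# openssl_version_from_output OUTPUT
#   takes the text of `openssl version -a` and prints the version token from
#   its first line, e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"
openssl_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p'
}

# check_local_openssl
#   runs step 1 of the advisory on this host and classifies the result
check_local_openssl() {
    out="$(openssl version -a 2>/dev/null)" || { echo "openssl not found"; return 2; }
    heartbleed_vulnerable "$(openssl_version_from_output "$out")"
}

# Usage: sh heartbleed_check.sh 1.0.1e   -> classify a version string
#        sh heartbleed_check.sh          -> (after sourcing) call check_local_openssl
if [ $# -gt 0 ]; then
    heartbleed_vulnerable "$1"
fi
```

Exit status mirrors the printed classification, so the script can gate an inventory job: exit 0 means the host needs the 1.0.1g update (and the restart check in step 4), exit 1 means it is outside the affected range, exit 2 means the version could not be determined.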