April 11, 2014
Technology Alert: OpenSSL “Heartbleed” Vulnerability
The FDIC, as a member of the Federal Financial Institutions Examination Council (FFIEC), is issuing the attached alert advising financial institutions of a material security vulnerability in OpenSSL, a popular cryptographic library used to authenticate Internet services and encrypt sensitive information.
Statement of Applicability to Institutions with Less than $1 Billion in Total Assets: This Financial Institution Letter (FIL) applies to all FDIC-supervised institutions.
- OpenSSL is an open-source implementation of the Secure Sockets Layer and Transport Layer Security protocols. Financial institutions may use OpenSSL in common network services such as Web servers, email servers, virtual private networks, instant messaging, and other applications.
- A significant vulnerability has been found in OpenSSL that could allow an attacker to decrypt, spoof, or perform attacks on network communications that would otherwise be protected by encryption.
- The FDIC expects financial institutions to upgrade vulnerable systems as soon as possible, following appropriate patch management practices.
- Financial institutions should monitor the status of their third-party service providers and vendors’ efforts to implement patches on software that uses OpenSSL and to take the following steps, as appropriate:
- Ensure that third-party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps.
- Monitor the status of their vendors’ efforts.
- Identify and upgrade vulnerable internal systems and services.
- Follow appropriate patch management practices1 and test to ensure a secure configuration.
- Examination guidance and additional information on patch management, software maintenance, and security updates can be found in the following FFIEC IT Examination Booklets: