The "Heartbleed" Vulnerability


May 2, 2014 Update:  After the OCLC operations team completed its assessment of the OCLC environment, it was determined that none of our Internet-facing services were running any of the Heartbleed-vulnerable versions of OpenSSL. However, this assessment provided the opportunity to review additional configuration settings on all of our Internet-facing web servers, which in turn identified some changes, unrelated to Heartbleed, that would enhance the overall security and availability of certain services. As a result, we have tested and implemented several changes already and anticipate implementing the few remaining changes in the very near future.

Vulnerability Overview

A vulnerability (CVE-2014-0160) exists in OpenSSL 1.0.1 through 1.0.1f, a widely used cryptographic library that implements SSL/TLS. The vulnerability is a missing bounds check in OpenSSL's implementation of the TLS "heartbeat" extension (RFC 6520), hence the "Heartbleed" name: a heartbeat request states how long its payload is, and the affected versions echo back that many bytes without confirming that the request actually contained them, so each request can return up to 64 KB of the server's process memory. When exploited, a server can leak confidential and restricted data, including private SSL/TLS keys, session cookies, usernames/passwords and other sensitive data, and heartbeat traffic is not recorded in ordinary server logs, so a successful attack leaves no trace there. Many well-known sites have been reported as vulnerable to this attack. The fixed release, OpenSSL 1.0.1g, was published on 7 April 2014. On 8 April 2014, exploit code was already being seen in the underground, and on 9 April 2014 the popular and widely used security/attacker tool "Metasploit" published its Heartbleed module.
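The following is an added example, not code from OCLC or from OpenSSL: a simplified model of the heartbeat bug described above, with the pre-1.0.1g behaviour beside the check that 1.0.1g introduced. The `memory` array, the `secret` string and the `probe`/`reply_length` helpers are constructed for the demonstration; the over-read stays inside that array so the program is well-defined, whereas in a real server it walked into whatever happened to sit next to the record buffer.

```c
/*
 * Added example (not OCLC's or OpenSSL's code): a simplified model of
 * CVE-2014-0160.  A TLS heartbeat request carries a 16-bit payload_length
 * field; OpenSSL 1.0.1 through 1.0.1f copied that many bytes from the
 * received record into the reply without checking that the record actually
 * held that many bytes.  memory[] is a constructed stand-in for process
 * memory and secret[] a hypothetical stand-in for key or session material.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16          /* minimum padding required by RFC 6520 */

static uint8_t memory[256];
static const char secret[] = "HYPOTHETICAL-PRIVATE-KEY-BYTES";

/* Lays out a heartbeat record at the start of memory[]: type, 2-byte claimed
 * payload length (big-endian), the real payload, 16 bytes of padding; the
 * secret is placed immediately after it.  Returns the record length. */
static size_t build_request(uint16_t claimed_len, const char *payload)
{
    size_t real_len = strlen(payload);
    size_t rec_len = 1 + 2 + real_len + HB_PADDING;
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed_len >> 8);
    memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(memory + 3, payload, real_len);
    memset(memory + 3 + real_len, 0xAA, HB_PADDING);
    memcpy(memory + rec_len, secret, sizeof secret);
    return rec_len;
}

/* Vulnerable handler (behaviour before 1.0.1g): trusts the peer-supplied
 * length and copies past the end of the record it actually received. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    (void)rec_len;                       /* never consulted: that is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST || (size_t)3 + payload + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* over-read when payload > real length */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed handler (the 1.0.1g check): silently drop the record unless header,
 * claimed payload and padding all fit inside what was actually received. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST || (size_t)1 + 2 + payload + HB_PADDING > rec_len
        || (size_t)3 + payload + HB_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Sends one request through a handler; returns 1 if the reply contains the
 * secret (memory leaked), else 0.  Reply length is stored via resp_len. */
static int probe(hb_handler handler, uint16_t claimed_len,
                 const char *payload, size_t *resp_len)
{
    uint8_t reply[sizeof memory];
    size_t rec_len = build_request(claimed_len, payload);
    size_t n = handler(memory, rec_len, reply, sizeof reply);
    size_t slen = strlen(secret);
    if (resp_len) *resp_len = n;
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(reply + i, secret, slen) == 0)
            return 1;
    return 0;
}

static size_t reply_length(hb_handler handler, uint16_t claimed_len,
                           const char *payload)
{
    size_t n = 0;
    probe(handler, claimed_len, payload, &n);
    return n;
}

int main(void)
{
    size_t n;
    int leak = probe(heartbeat_vulnerable, 200, "hi", &n);
    printf("vulnerable, claimed 200 sent 2: %zu-byte reply, leaked=%d\n", n, leak);
    leak = probe(heartbeat_fixed, 200, "hi", &n);
    printf("fixed,      claimed 200 sent 2: %zu-byte reply, leaked=%d\n", n, leak);
    leak = probe(heartbeat_fixed, 2, "hi", &n);
    printf("fixed,      claimed 2   sent 2: %zu-byte reply, leaked=%d\n", n, leak);
    return 0;
}
```

A two-byte request that claims a 200-byte payload gets a 219-byte reply from the vulnerable handler, carrying the secret placed after the record; the fixed handler drops that request and answers only the honest one. Scaled up to the 65535 maximum the length field allows, this is the 64 KB per request referred to above.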

OCLC Response

The OCLC operations team has been continuously scanning servers and undertaking efforts to assess any impact on our servers, operating systems and network. There are no identified vulnerabilities and no known risk of data loss or exposure at this time. We are continuing to monitor the situation and to safeguard our networks, services and data.

There is no need for users of OCLC services to change passwords at this time. Changing passwords regularly is good practice and is encouraged.

We will keep you updated on this site as necessary, as more is learned about this vulnerability.