We have found some versions of Heartbleed in the wild that work against GRAM and MyProxy. We have also created a custom version that can work against GridFTP.
So again, if you are running a vulnerable version of OpenSSL on your Globus Toolkit machine, update your OpenSSL. And consider getting new host certificates.

-Steve

On Apr 9, 2014, at 11:43 AM, Steve Tuecke <[email protected]> wrote:

> This page (https://support.globus.org/entries/50667608) has been updated with
> new information and recommendations regarding GT and Heartbleed. In
> particular, we have determined that while the Globus Toolkit services do not
> appear to be vulnerable to a stock Heartbleed exploit, we have determined
> they would be vulnerable to customized versions of Heartbleed.
>
> We highly recommend you update OpenSSL on all systems running Globus Toolkit
> services, to prevent future exploits using a customized version of
> Heartbleed.
>
> If you are concerned about potential past customized exploits, you should
> also get new host certificates.
>
> -Steve
>
>
> On Apr 8, 2014, at 10:03 PM, Steve Tuecke <[email protected]> wrote:
>
>> We have reviewed all Globus services and Globus Toolkit components to
>> determine the impact of the OpenSSL vulnerability described in CVE-2014-0160
>> (also known as the Heartbleed bug). We have created a page with a list of
>> our analysis and actions we have taken, as well as precautions that end
>> users and resource providers can take to ensure the security of their
>> systems.
>>
>> https://support.globus.org/entries/50667608
>>
>> This page will be updated as we learn more.
>>
>> -Steve
>
