On April 7, the OpenSSL Project released an update to address a vulnerability nicknamed “Heartbleed”. The vulnerability affects a substantial number of applications and services running on the Internet.
Custom Domain Communities SSL
Communities that have been configured with a custom domain are not affected by this issue as these servers did not have a version of SSL that was affected by the Heartbleed issue.
Communities with SSL
We have worked with our infrastructure provider to update OpenSSL on all our SSL endpoints. However, because this vulnerability made it possible, over an extended period of time, for an attacker to compromise a private key, we strongly suggest that customers who have their SSL certificates hosted with us create a new SSL private key and SSL certificate and upload them to our system.
Communities with SSO (Single Sign-on Enabled)
If your community has SSO enabled, the community itself is not affected. However, please ensure that the authentication endpoint you have configured (i.e., the server you're logging in to) is not vulnerable.
Your IdeaScale Password
We encourage all IdeaScale users to reset their IdeaScale account passwords. We do not have any evidence that passwords have been compromised, but any time a large-scale vulnerability is discovered, the safest thing to do for your account is to rotate your IdeaScale login credentials.
In addition, any sessions that were open at 11:00 PM PST on April 9, 2014 were closed and required re-authentication. This included IdeaScale sessions and Support Center sessions using the Private Portal. The process occurred between 11:00 PM PT and 12:00 AM PT.
Since this attack could have potentially exposed our own certificates, as a precaution, we've revoked our old certificates and obtained new ones for IdeaScale properties.