FormAssembly and the recent OpenSSL Vulnerabilities
Yesterday, June 5, 2014, OpenSSL disclosed six new security vulnerabilities affecting almost every version of their SSL toolkit. The most problematic of the disclosed OpenSSL vulnerabilities was CVE-2014-0224, an injection flaw. This flaw allowed man-in-the-middle attacks against encrypted connections when both sides of the connection used a vulnerable version of the OpenSSL toolkit. If an attacker used this vulnerability, sensitive information could have been disclosed. This vulnerability has been present since the first version of OpenSSL.
Both FormAssembly and FormAssembly Enterprise Cloud relied upon a vulnerable version of OpenSSL. Because we keep abreast of disclosures affecting FormAssembly, we were able to patch all vulnerable FormAssembly resources within hours of the patch being released. Unlike the Heartbleed vulnerability from earlier this year, these vulnerabilities could not be used to extract server- or client-side key material. As such, our certificates could not have been compromised through these new security vulnerabilities, and we will not be issuing new certificates. While we have no evidence that sensitive information was compromised, best practice advises that you change your passwords everywhere, including FormAssembly, because OpenSSL is so widely used across the Internet.
If you have any questions, please contact us here or at [email protected].