
Heartbleed SSL Vulnerability Report

On 04/07/2014 Kinvey was made aware of a serious vulnerability in the OpenSSL cryptographic library, which has since been dubbed "Heartbleed". This vulnerability leaks memory from affected systems, allowing anyone to read information normally protected by SSL/TLS. For more information on the vulnerability, please refer to the following links:

Informational link: [heartbleed.com](http://heartbleed.com/)

CVE link: [CVE-2014-0160](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160)

Kinvey uses SSL to encrypt all network traffic between its platform and mobile devices and web apps. The platform is fronted by the Amazon Web Services (AWS) Elastic Load Balancer (ELB), which is where SSL termination takes place.

As soon as the vulnerability was made known, Kinvey's security team followed up with AWS to determine the impact on its platform and was informed that the problem was being actively addressed. In the meantime, fresh private keys and certificates were generated and issued. The new keys and certificates were rotated in as soon as the ELBs were patched.

**At this point, the Kinvey platform is no longer vulnerable to the Heartbleed bug.**

