
UMass Amherst IT Services Patched Against Heartbleed Vulnerability

April 9, 2014

UPDATE: As of Friday, April 18, 2014, we recommend that undergraduate students change their NetID password. Faculty, staff, and graduate students are urged to wait to change their NetID password until further notice.

UPDATE: As of Thursday, April 10, 2014, patching for most campus IT services is complete. Stay tuned for details.

On Monday, April 7, 2014, the OpenSSL Project announced Heartbleed, a critical vulnerability that can expose data on systems running OpenSSL, including passwords and other sensitive data. 

Most campus technology services (e.g., Moodle) and other online consumer services, such as online banking or photo-sharing, use OpenSSL, one of the most popular data encryption tools for Web traffic. 

UMass Amherst IT staff are in the process of patching IT services on campus. You may experience brief outages as these services are updated. Watch this page for updates and next steps. 

UMass Amherst IT recommends that students, faculty, and staff wait to change their passwords to core campus IT services pending a notification that back-end work for these services is complete. 

For non-UMass IT services: 

  • Do not change your passwords or transmit data to secure Web sites or services that you normally use until you have received an official security update.
  • Only change your passwords after you have confirmed that the site or service has installed a security update. 
  • Monitor your sensitive online accounts (e.g., banking, email) for suspicious activity for at least the next week. 

UMass Amherst IT recommends that campus server administrators using OpenSSL:

1. Apply the patches supplied by OpenSSL or their vendor immediately. A list of vendors and their status is available through US-CERT. OpenSSL updates are available on the OpenSSL source page.

2. Generate a new private key for a new SSL certificate.

3. Install a new SSL certificate with the new key.

4. If applicable, notify users that services have been patched.
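Steps 2 and 3 only help if the replacement certificate is actually issued on the new key rather than the old one. The script below is an added example, not from UMass Amherst IT or the OpenSSL Project: it generates a fresh key and CSR, then checks that a reissued certificate matches the new key and not the retired one. The file names, the subject `www.example.edu` and the function names are assumptions.

```shell
#!/bin/sh
# Added example. File names and the subject are hypothetical placeholders.

# SHA-256 of the public key held in a private key file ($1).
key_fingerprint() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key embedded in a certificate ($1).
cert_fingerprint() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Step 2: fresh 2048-bit RSA key ($1) and a CSR ($2) for subject ($3).
new_key_and_csr() {
    ( umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null ) || return 1
    openssl req -new -key "$1" -subj "$3" -out "$2"
}

# Step 3 check: the new certificate ($1) must match the new key ($2) and
# must not carry the public key of the retired key ($3).
# Returns 0 = good, 1 = bad rotation, 2 = unreadable input.
check_rotation() {
    cert_fp=$(cert_fingerprint "$1") || { echo "cannot read cert $1" >&2; return 2; }
    new_fp=$(key_fingerprint "$2")   || { echo "cannot read key $2" >&2; return 2; }
    old_fp=$(key_fingerprint "$3")   || { echo "cannot read key $3" >&2; return 2; }
    if [ "$cert_fp" = "$old_fp" ]; then
        echo "FAIL: certificate was reissued on the old key"; return 1
    fi
    if [ "$cert_fp" != "$new_fp" ]; then
        echo "FAIL: certificate does not match the new key"; return 1
    fi
    echo "OK: certificate is bound to the new key only"
}

# Constructed demo: a self-signed certificate stands in for the CA's reply.
demo() {
    d=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/old.key" 2>/dev/null
    new_key_and_csr "$d/new.key" "$d/new.csr" "/CN=www.example.edu"
    openssl x509 -req -in "$d/new.csr" -signkey "$d/new.key" -days 1 -out "$d/new.crt" 2>/dev/null
    check_rotation "$d/new.crt" "$d/new.key" "$d/old.key"; rc=$?
    rm -rf "$d"; return $rc
}
demo
```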

If you have questions about this issue, please contact the Central IT Help Center.

Last Updated: Apr. 18, 2014