If you’re running Moodle over HTTPS with an SSL certificate, you may need to patch your Moodle server to remove the vulnerability known as Heartbleed. As stated by Matthew Spurrier, Moodle HQ Systems Administrator:
> This vulnerability allows exploitation of the heartbeat mechanism within TLS in order to read 64k of addressable server memory at one time, potentially allowing the leakage of sensitive information, including SSL private keys, usernames, passwords, and other details not normally accessible over encrypted SSL communication channels.
>
> The vulnerability, introduced in December 2011, affects OpenSSL versions 1.0.1 through 1.0.1f, covering a significant portion of SSL websites across the world.
>
> I can confirm that, like many other sites, Moodle.org was vulnerable to this issue.
>
> On Tuesday (8/4/14) all Moodle servers were patched for the vulnerability, and as the vulnerability does not leave any signs as to whether a system has been exploited, I have re-keyed and re-signed our SSL certificates to ensure that, in the event our private key was leaked, our communications will not be compromised.
>
> There is, however, one major concern remaining. As there is the potential to read all data including usernames and passwords, your moodle.org accounts may or may not have been compromised.
>
> Therefore, as many sites have advised, Moodle.org is now recommending that all Moodle.org users change their passwords as a precaution.
Read more about the vulnerability and what you can do to fix it at https://moodle.org/mod/forum/discuss.php?d=258211.
As a Moodlerooms client, my company StraighterLine was advised of this vulnerability early this week and verified that our site was not susceptible to the issue but that preventative measures were taken regardless to update and patch existing code and update secure and secret keys. A scary time indeed. Kudos to Moodlerooms for a proactive communication strategy and approach to the issue.
Whether you’re an admin or just a Moodle.org user, there are three main tasks (though some are not applicable to all users):
- change your password immediately at Moodle.org (and adopt a strong password convention)
- update OpenSSL for any sites using HTTPS and re-key/re-sign certificates
- if you are using MNET, update OpenSSL and re-key/re-sign MNET certificates
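As an added example (not from the original post or from Moodle HQ), here is a small Python triage helper for the second and third tasks: it classifies an `openssl version` string against the affected range 1.0.1 through 1.0.1f quoted above, and flags certificates whose key existed while the server was unpatched and therefore need a new key, not just a renewal. The sample version strings and dates are constructed for illustration.

```python
"""Heartbleed remediation triage: affected-version check and re-key decision."""
import re
from datetime import date

# Affected upstream releases per the advisory quoted above: 1.0.1 (no letter)
# through 1.0.1f. 1.0.1g and later, and the 0.9.8 / 1.0.0 branches, are not affected.
VULNERABLE_LETTERS = set("abcdef")


def parse_openssl_version(version_output: str):
    """Return (major, minor, patch, letter) from e.g. 'OpenSSL 1.0.1e 11 Feb 2013'."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", version_output)
    if not m:
        raise ValueError(f"unrecognised openssl version string: {version_output!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def version_in_heartbleed_range(version_output: str) -> bool:
    """True if the reported upstream version is 1.0.1 through 1.0.1f.

    Caveat: distributions often backport the fix without bumping the version
    letter (a patched build can still report 1.0.1e), so True means 'check the
    package changelog and build date', not 'definitely vulnerable'.
    """
    major, minor, patch, letter = parse_openssl_version(version_output)
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter == "" or letter in VULNERABLE_LETTERS


def cert_needs_rekey(not_before_iso: str, patched_on_iso: str) -> bool:
    """A private key that existed while the server ran a vulnerable build may
    have leaked, so any certificate issued on or before the patch date must be
    re-keyed (fresh private key) and re-issued; renewing with the old key is
    not enough. Dates are ISO strings, e.g. '2014-04-08'."""
    return date.fromisoformat(not_before_iso) <= date.fromisoformat(patched_on_iso)


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from a real server.
    for v in ["OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
              "OpenSSL 1.0.0k 5 Feb 2013"]:
        status = "in affected range" if version_in_heartbleed_range(v) else "not affected"
        print(f"{v} -> {status}")
    print("cert issued 2013-06-01, patched 2014-04-08 -> re-key needed:",
          cert_needs_rekey("2013-06-01", "2014-04-08"))
```

The same rule applies to MNET peer certificates: a version match on the Moodle host means the MNET key pair should be regenerated, not merely re-signed.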