OpenSSL heartbleed bug / Shibboleth implications

Andy Bennett andyjpb at
Tue Apr 8 13:32:24 EDT 2014

Hi Jeff,

> I've tried due diligence before posting this question but the best
> answer I can derive is "maybe"
> - We don't have any reason to believe we've been compromised
> - We are only running Shib SP services
> - We've applied patches to everything from our vendor

You can only have been compromised if you are running a vulnerable
version of the software.

If you are in a position where you are running a vulnerable version of
the software then you *may* have been compromised. As this attack is
undetectable in logs then you should assume that you *have* been
compromised and act accordingly. You should consider any data that the
vulnerable process has access to be at large. This includes
certificates, passwords and user data.

The vulnerable versions of the software are:

 + OpenSSL 1.0.1 to 1.0.1f inclusive

 + 2.5.x versions of the Shibboleth SP
package for Windows.

...and potentially others that I have missed.

(Thanks to Ian Young for version info.)

Earlier versions of OpenSSL are not vulnerable.

Check out the following website for a (non Shibboleth related)
explanation of the situation:


andyjpb at

More information about the users mailing list