Information on the OpenSSL vulnerability CVE-2014-0160 "Heartbleed Bug"
In the following we would like to inform you about the status and possible effects of the OpenSSL vulnerability CVE-2014-0160, also known as "Heartbleed Bug", with regard to services of the RHRK and networks of the TU Kaiserslautern.
All affected RHRK systems were patched by Wednesday, 09.04.2014. Server certificates and their corresponding keys were revoked or replaced on systems that offered TLS-based (encrypted) services. Furthermore, the RHRK, as the operator of the networks at TU Kaiserslautern, has identified affected systems outside the RHRK on campus and either contacted the responsible persons directly or isolated these systems.
Since exploitation of the security vulnerability can never be completely ruled out before the systems are patched, you should change your RHRK password if you used one of the following services before 10.04.2014 and have not changed your password since then:
- eduroam - WLAN (whether locally at TU Kaiserslautern or via "roaming" from other institutions)
- Web portal of the RHRK ticket system at https://hotline.rhrk.uni-kl.de/
- Any services that use Shibboleth authentication via redirection to idp.uni-kl.de (e.g. OLAT)
- Web portals of the HPC cluster at https://elwe.rhrk.uni-kl.de/ and https://rtm.rhrk.uni-kl.de
- License server activations at https://licserv-a.rhrk.uni-kl.de/firewall.php
- TSM backup portal at https://tsm.rhrk.uni-kl.de/
The following services were explicitly not affected:
- Windows logon to the Active Directory (terminal server, computers in the Windows domain, ...)
- Microsoft Exchange services
- CommuniGate Pro mail services (webmail, IMAP, POP3) on mail.uni-kl.de
- Mail dispatch via smtp.uni-kl.de
- VPN with Cisco AnyConnect
- KIS Office
- QIS Exam administration
- GitHub Enterprise version control at https://git.rhrk.uni-kl.de/
- Any authentication via SSH (either by password or by key)
You can change your central RHRK password at https://passwort.uni-kl.de/.
If you use a personal certificate from our PKI to sign or encrypt emails, it is not affected by the problem. Only certificate-based client authentication in which the client itself uses OpenSSL could conceivably be vulnerable. However, on the one hand we do not offer certificate-based authentication, and on the other hand common web browsers and e-mail programs do not use OpenSSL.
Details on the general problem can be found, for example, in the Heise article at http://www.heise.de/security/meldung/Der-GAU-fuer-Verschluesselung-im-Web-Horror-Bug-in-OpenSSL-2165517.html.