The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
What versions of OpenSSL are affected?
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
The bug was introduced into OpenSSL in December 2011 and has been out in the wild since the OpenSSL 1.0.1 release on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.
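As an added example (not part of the original advisory and not Zoom's code), the status list above can be applied as a first-pass inventory check over `openssl version` output. The host names and sample lines are constructed, and treating 1.0.1 letters after "g" as fixed is an assumption.

```python
import re

# Version token as printed by `openssl version`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([0-9A-Za-z.]+))?")

VULNERABLE, NOT_VULNERABLE, UNKNOWN = "VULNERABLE", "NOT VULNERABLE", "UNKNOWN"


def classify(banner):
    """Map an OpenSSL version string to the status list given above."""
    m = _VERSION.search(banner)
    if not m:
        return UNKNOWN
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter, suffix = m.group(4), (m.group(5) or "").lower()
    # Pre-release builds are not covered by the status list; do not guess.
    if suffix.startswith(("beta", "pre", "dev")):
        return UNKNOWN
    if branch == (1, 0, 1):
        # "" (plain 1.0.1) through "f" are affected; "g" carries the fix.
        # Assumption: later letters on the branch keep the fix.
        return VULNERABLE if letter <= "f" else NOT_VULNERABLE
    if branch in ((1, 0, 0), (0, 9, 8)):
        return NOT_VULNERABLE
    return UNKNOWN


def triage(inventory):
    """inventory: lines of '<host> <openssl version output>' -> {host: status}."""
    result = {}
    for line in inventory.strip().splitlines():
        host, _, banner = line.strip().partition(" ")
        result[host] = classify(banner)
    return result


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE = """
web01 OpenSSL 1.0.1e-fips 11 Feb 2013
web02 OpenSSL 1.0.1g 7 Apr 2014
app01 OpenSSL 1.0.0l 6 Jan 2014
old01 OpenSSL 0.9.8y 5 Feb 2013
lab01 OpenSSL 1.0.2-beta1 24 Feb 2014
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A version string is only a first-pass signal: distribution packages can carry a backported fix under an unchanged version number, so confirm a VULNERABLE result against the vendor's package changelog before acting on it.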
How does this affect the Zoom clients/apps?
- Zoom clients use OpenSSL 1.0.0 and are NOT vulnerable
How does this affect the Zoom cloud (zoom.us)?
- Zoom application servers that run on the Zoom cloud use OpenSSL 1.0.0 and are NOT vulnerable
- We regenerated the private key, and a new certificate for *.zoom.us was deployed on AWS ELB
- We also re-keyed the API key and pass for all 3rd-party service integrations
How does this affect my password?
We have found no reason to believe that any user data or credentials were compromised.
- If you log in via Work Email, a password change is recommended though not necessary, as Zoom only stores encrypted passwords with a one-way hash
- If you log in via Google, please see Google Services Updated
- If you log in via Facebook, please see Heartbleed Hit List Updates