Heroku Status

Current Status and Incident Report

OpenSSL Heartbleed Security Issue

Production: 24h, Development: 13h

Resolved

The Heroku Platform is no longer vulnerable to the "Heartbleed" bug.

Monitoring

Heroku Postgres databases were identified as vulnerable to the OpenSSL vulnerability nicknamed “Heartbleed” (CVE-2014-0160). This affects the libpq SSL connection, which we require on all Postgres databases to ensure your data is safe. We patched all databases, then restarted the Postgres process and other processes using OpenSSL while notifying the owners of affected databases in the process. This may have resulted in a few seconds of downtime for your database. We apologize for this downtime, but we wanted to do our best to ensure your data is safe.

At this time we encourage all customers to rotate their database credentials by running heroku pg:credentials --reset HEROKU_POSTGRESQL_COLORHERE.

At this time we have mitigated exposure to the Heartbleed bug across the platform.

Update

Our engineering and security teams are still working to make sure we've closed off all areas that might be vulnerable to Heartbleed.

Update

All SSL endpoints have been patched against the Heartbleed vulnerability.

We strongly advise customers with apps that use SSL Endpoint to generate a new private key, then use the new key to have the certificate reissued by its issuer. With the newly signed certificate, proceed to update your SSL endpoint.

Please contact your SSL certificate provider if you have questions about generating new keys or reissuing certificates with the new key.

As an extra precaution we also recommend that you change your Heroku account password, which will also revoke your existing API key.

Update

All EU-based SSL endpoints have been patched against the Heartbleed vulnerability. We continue to make progress on SSL Endpoints in the US region, but we do not yet have an ETA on when this will be complete.

We strongly advise customers with apps in the EU region only that use SSL Endpoint to generate a new private key, then use the new key to have the certificate reissued by its issuer. With the newly signed certificate, proceed to update your SSL endpoint.

Please contact your SSL certificate provider if you have questions about generating new keys or reissuing certificates.

To reiterate, this relates only to applications located in the EU region at this time. Applications running in the US region should wait on re-keying their certificates for now.

Issue

Our Heartbleed response is ongoing. Patching of vulnerable instances is continuing as expected. We will post another update in 3 hours, if not sooner.

Investigating

We are continuing our work in response to the Heartbleed issue. Patching of vulnerable instances is in progress. Once it is safe to do so, we will notify you that it is safe to install new SSL keys and certs. We'll post an update in 3 hours, if not sooner.

Investigating

We are aware that the OpenSSL Heartbleed issue affects ssl:endpoint and ssl:hostname. We're working with our provider to upgrade our systems and will notify you when it is safe to install new SSL keys and certs. We are currently not recommending that you turn off ssl:endpoint, but you will need to regenerate your private key and reissue your SSL certificate after the upgrade is complete.

Investigating

We're continuing our response to the OpenSSL Heartbleed Issue. We'll post an update in 3 hours, if not sooner.

Investigating

We're aware of the OpenSSL Heartbleed bug. Our security team and engineers are diligently working to assess and remediate any exposure as quickly as possible. We'll keep you updated as things progress. Updates to follow.
