The Federal Financial Institutions Examination Council said on Thursday that it expects firms to address a recently revealed OpenSSL vulnerability dubbed “Heartbleed.”
FFIEC said that financial institutions should upgrade systems and incorporate patches on systems and services, applications, and appliances that use OpenSSL as soon as possible. Additionally, such institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service using OpenSSL and consider requiring users and administrators to change passwords after applying the patch.
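The three steps above are order-dependent: keys, certificates, and passwords only count as replaced if that happened after the patch. The following tracker, an added example and not FFIEC or OpenSSL code, checks each step per service; the inventory records and the fixed-version threshold are constructed for illustration (confirm the threshold against the OpenSSL advisory).

```python
"""Tracks the three FFIEC Heartbleed steps per service: patch OpenSSL, then
reissue the private key and X.509 certificate, then reset passwords.
Added example, not FFIEC or OpenSSL code; inventory rows and the threshold
are constructed (confirm the threshold against the OpenSSL advisory)."""
import re
from datetime import date

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def parse_openssl_version(text):
    """'1.0.1f' -> (1, 0, 1, 'f'). OpenSSL used a letter suffix for patch
    releases, and a bare '1.0.1' sorts before '1.0.1a', so '' stays ''."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognized OpenSSL version: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def _done_after_patch(event, patched):
    """A post-patch step counts only if it happened on or after the patch date."""
    return patched is not None and event is not None and event >= patched

def remediation_status(service, fixed_version):
    """Return the FFIEC steps still open for one inventory record with keys
    openssl_version, patched_on, cert_not_before, passwords_reset_on."""
    todo = []
    if parse_openssl_version(service["openssl_version"]) < parse_openssl_version(fixed_version):
        todo.append("patch OpenSSL")
    patched = service.get("patched_on")
    # A certificate issued while the library was still vulnerable may already
    # have had its key exposed, so notBefore must postdate the patch.
    if not _done_after_patch(service.get("cert_not_before"), patched):
        todo.append("replace private key and certificate")
    if not _done_after_patch(service.get("passwords_reset_on"), patched):
        todo.append("reset user and administrator passwords")
    return todo

def checklist(inventory, fixed_version):
    """Map each service name to its open remediation steps."""
    return {name: remediation_status(rec, fixed_version) for name, rec in inventory.items()}

FIXED_VERSION = "1.0.1g"  # assumed threshold for this example
SAMPLE_INVENTORY = {  # constructed records, not real systems
    "online-banking-web": {"openssl_version": "1.0.1g", "patched_on": date(2014, 4, 9),
                           "cert_not_before": date(2014, 4, 10), "passwords_reset_on": date(2014, 4, 11)},
    "vpn-appliance": {"openssl_version": "1.0.1f", "patched_on": None,
                      "cert_not_before": date(2013, 6, 1), "passwords_reset_on": None},
    "api-gateway": {"openssl_version": "1.0.1g", "patched_on": date(2014, 4, 9),
                    "cert_not_before": date(2014, 1, 15), "passwords_reset_on": date(2014, 4, 10)},
}

if __name__ == "__main__":
    for name, steps in checklist(SAMPLE_INVENTORY, FIXED_VERSION).items():
        print(name, "->", steps or "complete")
```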
For financial institutions that rely on third-party service providers, FFIEC said that institutions should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.
The cryptographic software library OpenSSL is used to authenticate services and encrypt sensitive information. The Heartbleed vulnerability potentially allows attackers to decrypt, spoof, or otherwise attack network communications that would otherwise be protected.