Federal Financial Institutions Examination Council
Press Release
For Immediate Release | April 10, 2014
Financial Regulators Expect Firms to Address OpenSSL “Heartbleed” Vulnerability
The Federal Financial Institutions Examination Council (FFIEC) members expect financial institutions to incorporate patches on systems and services, applications, and appliances using OpenSSL and upgrade systems as soon as possible to address the vulnerability. Financial institutions should consider replacing private keys and X.509 encryption certificates after applying the patch for each service that uses OpenSSL and consider requiring users and administrators to change passwords after applying the patch. Financial institutions relying upon third-party service providers should ensure those providers are aware of the vulnerability and are taking appropriate mitigation action.
OpenSSL is a cryptographic software library used to authenticate services and encrypt sensitive information. A significant vulnerability has been found in OpenSSL that could allow an attacker to decrypt, spoof, or perform attacks on network communications that would otherwise be protected by encryption.
The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms, and to promote uniformity in the supervision of financial institutions. The Council has six voting members: a Governor of the Board of Governors of the Federal Reserve System, designated by the Chairman of the Board; the Chairman of the Federal Deposit Insurance Corporation; the Chairman of the Board of the National Credit Union Administration; the Comptroller of the Currency; the Director of the Consumer Financial Protection Bureau; and the Chairman of the State Liaison Committee. The Council's activities are supported by interagency task forces and by an advisory State Liaison Committee, comprised of five representatives of state agencies that supervise financial institutions.
###
Attachment:
OpenSSL Vulnerability Alert (PDF)
References:
US-CERT OpenSSL “Heartbleed” Vulnerability CVE-2014-0160
https://www.us-cert.gov/ncas/alerts/TA14-098A
FFIEC IT Examination Handbook, Development and Acquisition
http://ithandbook.ffiec.gov/it-booklets/development-and-acquisition.aspx
FFIEC IT Examination Handbook, Information Security
http://ithandbook.ffiec.gov/it-booklets/information-security.aspx
FFIEC IT Examination Handbook, Operations
http://ithandbook.ffiec.gov/it-booklets/operations.aspx
Media Contacts:
CFPB | Sam Gilford | (202) 435-7673 |
FDIC | Greg Hernandez | (202) 898-6984 |
Federal Reserve | Barbara Hagenbaugh | (202) 452-2955 |
NCUA | Ben Hardaway | (703) 518-6333 |
OCC | Stephanie Collins | (202) 649-6870 |
SLC | Catherine Woody | (202) 728-5733 |
Last Modified: 04/15/2020 11:10 AM