Heartbleed Vulnerability and Moodle, change your password at

If you’re running Moodle over HTTPS with an SSL certificate you may need to patch your Moodle server to remove the vulnerability known as Heartbleed. As stated by Matthew Spurrier, Moodle HQ Systems Administrator,

This vulnerability allows exploitation of the heartbeat mechanism within TLS in order to read 64k of addressable server memory at one time, potentially allowing the leakage of sensitive information, including SSL private keys, usernames, passwords, and other details not normally accessible over encrypted SSL communication channels.

The vulnerability, introduced in December 2011, affects OpenSSL versions 1.0.1 through 1.0.1f, covering a significant portion of SSL websites across the world.

I can confirm that like many other sites, was vulnerable to this issue.

On Tuesday (8/4/14) all Moodle servers were patched for the vulnerability, and as the vulnerability does not leave any signs as to whether a system has been exploited, I have re-keyed and re-signed our SSL certificates to ensure that in the event our private key was leaked, our communications will not be compromised.

There is, however, one major concern remaining. As there is the potential to read all data including usernames and passwords, your accounts may or may not have been compromised.

Therefore, as many sites have advised is now recommending that all users change their passwords as a precaution.

Read more about the vulnerability and what you can do to fix it at

As a Moodlerooms client, my company StraighterLine was advised of this vulnerability early this week and verified that our site was not susceptible to the issue but that preventative measures were taken regardless to update and patch existing code and update secure and secret keys. A scary time indeed. Kudos to Moodlerooms for a proactive communication strategy and approach to the issue.

Whether you’re an admin or just a user there are three main tasks (though some are not applicable to all users).

  1. change your password immediately at (and adopt a strong password convention)
  2. update OpenSSL for any sites using HTTPS and re-key/re-sign certificates
  3. if you are using MNET, update OpenSSL and re-key/re-sign MNET certificates
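
A version check for the update step in the list above, as an added example (not from the original post or from Moodle HQ): it classifies `openssl version` strings against the 1.0.1 through 1.0.1f range quoted earlier. The function names, host names and inventory are constructed; distribution packages can carry a backported fix under an unchanged version string, so an in-range result means the vendor patch level still needs confirming.

```shell
#!/bin/sh
# Added example: function names, hosts and the inventory below are constructed.

# Print a verdict for one `openssl version` string, using the affected range
# quoted in the article: 1.0.1 through 1.0.1f.
heartbleed_status() {
    # Accept "OpenSSL 1.0.1e 11 Feb 2013" or a bare "1.0.1e".
    ver=$(printf '%s\n' "$1" | awk '{ if ($1 == "OpenSSL") print $2; else print $1 }')
    ver=${ver%-fips}                      # FIPS builds share the base version
    case "$ver" in
        "")               echo "unparsed" ;;
        [!0-9]*)          echo "unparsed" ;;        # not an OpenSSL version token
        *-*)              echo "manual-review" ;;   # beta/dev builds: not covered by the quoted range
        1.0.1|1.0.1[a-f]) echo "in-affected-range" ;;
        *)                echo "outside-affected-range" ;;
    esac
}

# Read "host service version-string..." lines on stdin and print the hosts
# that need patching and re-keying, one "host service" pair per line.
hosts_to_patch() {
    while read -r host service version; do
        [ -z "$host" ] && continue
        if [ "$(heartbleed_status "$version")" = "in-affected-range" ]; then
            echo "$host $service"
        fi
    done
}

# Constructed inventory for illustration (not real hosts).
sample_inventory() {
    cat <<'EOF'
moodle.example.test https OpenSSL 1.0.1e 11 Feb 2013
mnet.example.test https OpenSSL 1.0.1e-fips 11 Feb 2013
legacy.example.test https OpenSSL 0.9.8y 5 Feb 2013
patched.example.test https OpenSSL 1.0.1g 7 Apr 2014
EOF
}

# Report the local library too, when the openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    echo "local: $(heartbleed_status "$(openssl version)")"
fi
sample_inventory | hosts_to_patch
```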



2 Responses

  1. It’s important to note that it’s not just web servers (https) that are affected.
    The bug affects TLS, thus servers such as mail servers (SMTP/POP3/IMAP etc.), Jabber (XMPP), and many other daemons relying on TLS encryption are also vulnerable and should be updated – don’t forget these!

    The test tool mentioned on my post can test any TLS port for the vulnerability, so make sure you follow the test and fix procedures on all of your services ;).


  2. Matt, thanks for the additional information and tools to help Moodlers address this vulnerability.
