Carnegie Mellon University Website Home Page

Security Status: Heartbleed Bug

What is the Heartbleed Bug? Announced on April 7, 2014, a security vulnerability called Heartbleed allows attackers to collect information that is expected to be encrypted including encryption keys, session cookies, credit card numbers, passwords, and social security numbers. More details...

Whom does this affect? Individuals accessing websites or other services running vulnerable versions of OpenSSL. OpenSSL is used to establish encrypted communications, for example when accessing an on-line banking site. We often associate these encrypted connections with a secure "https" URL or a closed padlock indicating a secure connection.

IMPORTANT! Your Andrew Password does not need to be changed at this time, if this changes we will contact you. See exceptions in the Services Status table below.

In these cases, Computing Services strives to provide as much notice as possible at Questions or comments should be directed to the Computing Services Help Center at 412-268-HELP or

Services Status

Review the table below for information on CMU services affected by the Heartbleed Bug. To check non-CMU services, refer to the service vendor and check the CNET Heartbleed Status List.




Andrew Password NOT VULNERABLE
  • Your Andrew Password does not need to be changed at this time. However, if you've reused your Andrew password for any other account, you should change your Andrew password as an added precaution.
  • Set a unique password and do NOT reuse it, refer to Guidelines for Password Management for more information.
  • Those who need to change their local Box passwords were notified.
  • If you were not notified, no further action is necessary.
Google Apps @ CMU PATCHED Note: Your Google Apps @ CMU password is separate from your Andrew password. Your Andrew password was not affected and does NOT need to be changed. See exception above. PATCHED
  •  No additional action required.
Virtual Andrew
  • Web Access: NOT VULNERABLE. Service was restored on Monday (April 28).
  • Windows Desktop Client: Update to the latest version from the VMware View page.
  • Mobile Apps: Apply the latest updates to your mobile device through the Google Play Store and the Apple App Store
WebLogin Restricted Services PATCHED
  •  No additional action required.
Webmail (OWA, Cyrus Webmail) NOT VULNERABLE
  •  No additional action required.

Last updated: 04/28/14