April 7, 2014 - OpenSSL security vulnerability

CVE-2014-0160 was recently disclosed; it is a vulnerability that affects the 1.0.1 and 1.0.2 branches of OpenSSL:

https://www.openssl.org/news/secadv_20140407.txt

Our stacks use the stable versions 0.9.8y and 1.0.0j, which are not affected by this issue.

We do offer Amazon Elastic Load Balancer (ELB) support. ELB runs 1.0.1 and is reported to be affected (https://forums.aws.amazon.com/thread.jspa?threadID=149690); we are waiting for an update from Amazon.

The Heartbleed website describes this vulnerability as allowing an attacker to obtain the server's private keys. If you are using an SSL certificate on an ELB, you will need to contact your SSL provider to revoke and reissue the certificate, and you may need to reprovision the ELB. We are still waiting for information on whether replacement certificates can be uploaded to an existing ELB or whether you will need to delete the ELB, create a new one, and update the CNAME and other DNS records.

What to do:
If you are on our EY on Terremark offering, or on EY on AWS and do not use ELB, no action is required.
If you are using ELB, you should prepare to revoke and reissue your SSL certificate and possibly update your DNS.
If you are on our New UI (Ubuntu stack), you should prepare to revoke and reissue the SSL certificates used on those environments and run "sudo apt-get install openssl" on each of your instances.

Resources:
https://www.openssl.org/news/secadv_20140407.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://heartbleed.com
https://support.cloud.engineyard.com/entries/21009842-Engine-Yard-Gentoo-2009-Technology-Stack
https://support.cloud.engineyard.com/entries/23022773-Engine-Yard-Gentoo-12-11-Technology-Stack
https://support.cloud.engineyard.com/entries/39367473-Engine-Yard-Ubuntu-12-04-Technology-Stack
https://lists.ubuntu.com/archives/ubuntu-security-announce/2014-April/002460.html

 

Update April 8th, 2014

Many questions have come in about the OpenSSL vulnerability. The Engine Yard stacks on Gentoo do not run a version of OpenSSL newer than 1.0.0, which puts them outside the scope of this vulnerability. For our customers, the issue arises with the use of AWS ELBs and our Ubuntu offerings, both of which run a version of OpenSSL that is vulnerable to CVE-2014-0160.

Today, AWS announced that they have updated their ELB offerings to address the vulnerability: https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/ Contrary to the statement in the link, all ELBs in use by Engine Yard, and in the Engine Yard pool of resources, have been updated in all regions, including US East.

At this time, if you have been using an ELB in your environment, it is recommended that you rotate your SSL certificates. If you are running on our Ubuntu stack, Engine Yard Support can verify that your environment is secure.

You can verify whether your application is vulnerable by using a validation tool; one example is http://filippo.io/Heartbleed/.
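As an added example, not part of the original article, the script below gives two host-side checks for the Ubuntu remediation step above ("sudo apt-get install openssl") that complement an external validation tool: it classifies the local "openssl version" string by the branches the advisory names, and it looks for long-running processes that still have the pre-upgrade libssl mapped, since upgrading the library does not restart the services using it. It assumes a Linux /proc layout and, for the caveat in the comments, Ubuntu's practice of keeping the upstream version string on security-patched packages; the /proc sample data is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. Two defender-side checks
# for the Ubuntu remediation step ("sudo apt-get install openssl").

# Check 1: classify an "openssl version" string by branch, following the
# advisory: 1.0.1 and 1.0.2 are affected, 0.9.8 and 1.0.0 are not.
# Caveat (assumption about distro packaging): Ubuntu's fixed packages keep the
# upstream "1.0.1" string, so "affected-branch" means "verify the package
# patch level with dpkg -l libssl1.0.0", not "still vulnerable".
openssl_branch() {
  ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
  case "$ver" in
    1.0.1*|1.0.2*) echo "affected-branch" ;;
    0.9.8*|1.0.0*) echo "unaffected-branch" ;;
    *)             echo "unknown" ;;
  esac
}

# Check 2: upgrading libssl does not restart services that already loaded the
# old library. A process whose memory map still points at a deleted
# libssl/libcrypto is running pre-fix code until it is restarted. Scans a
# /proc-like tree ($1, default /proc) and prints one PID per line.
stale_libssl_pids() {
  procroot=${1:-/proc}
  for maps in "$procroot"/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    if grep -Eq 'lib(ssl|crypto)[^ ]* \(deleted\)' "$maps"; then
      basename "$(dirname "$maps")"
    fi
  done
}

# Constructed sample standing in for /proc (not real system output):
# PID 101 still maps the deleted pre-upgrade libssl, PID 202 has been restarted.
build_demo_proc() {
  d=$(mktemp -d)
  mkdir -p "$d/101" "$d/202"
  echo '7f3a1c000000-7f3a1c05f000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)' > "$d/101/maps"
  echo '7f3a1d000000-7f3a1d05f000 r-xp 00000000 08:01 132 /lib/x86_64-linux-gnu/libssl.so.1.0.0' > "$d/202/maps"
  echo "$d"
}

demo=$(build_demo_proc)
echo "branch: $(openssl_branch 'OpenSSL 1.0.1e 11 Feb 2013')"
echo "processes still using the old libssl: $(stale_libssl_pids "$demo")"
rm -rf "$demo"
```

On a live instance, replace the sample data with `openssl_branch "$(openssl version)"` and `stale_libssl_pids` (no argument, so it reads /proc) and restart any service it lists.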
