Posted to dev@cloudstack.apache.org by Paul Angus <pa...@shapeblue.com> on 2014/04/08 17:12:12 UTC

OpenSSL vulnerability (bleedheart)

A vulnerability has been found in OpenSSL

http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1

Affected are OpenSSL versions 1.0.1 and 1.0.2-beta, which include such releases as
Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.

It is fixed in OpenSSL 1.0.1g

From https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9

"Statement:
This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e."

XenServer 6.2 SP1 uses the native CentOS OpenSSL RPM without modification (version OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008), so is unaffected.



Regards,

Paul Angus
Senior Consultant / Cloud Architect

Re: OpenSSL vulnerability (bleedheart)

Posted by Erik Weber <te...@gmail.com>.
Shouldn't the parts using realhostip.com be using ssl? At least pre 4.3?

Erik
On 9 Apr 2014 18:47, "Marcus" <sh...@gmail.com> wrote:


Re: OpenSSL vulnerability (bleedheart)

Posted by Marcus <sh...@gmail.com>.
Maybe the console? I haven't used that in forever, does it do SSL?

On Wed, Apr 9, 2014 at 10:31 AM, Nux! <nu...@li.nux.ro> wrote:

Re: OpenSSL vulnerability (bleedheart)

Posted by Nux! <nu...@li.nux.ro>.
On 09.04.2014 17:21, Marcus wrote:

Yes, that is actually a good point. I thought by the panic of the devs that there is obviously stuff running there that is exposed to the interwebs.
It'd be nice if there wasn't any. :)

Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: OpenSSL vulnerability (bleedheart)

Posted by Marcus <sh...@gmail.com>.
Should just pull in the latest and work, if we're talking about
building a fresh system vm.

Do we even have any services running in the system vm that require an
update?  We don't do SSL termination with haproxy for load balancers
(yet), and I don't think that the apache web stuff for
userdata/passwords is ssl, is it? From what I've seen, SSH doesn't
even use the OpenSSL libs... I'm trying to think of a service that
would be affected. We definitely want to push the latest, but I'm just
wondering what actual urgency there should be for users to update
their system vms.

On Wed, Apr 9, 2014 at 10:12 AM, Rayees Namathponnan
<ra...@citrix.com> wrote:
> Even if we get the latest systemvm template from http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/, it has openssl 1.0.1e-2+deb7u4?
>
> Is there any code change required to create a system template with openssl 1.0.1e-2+deb7u6?
>
> Regards,
> Rayees
>
> -----Original Message-----
> From: Harikrishna Patnala [mailto:harikrishna.patnala@citrix.com]
> Sent: Wednesday, April 09, 2014 5:15 AM
> To: <de...@cloudstack.apache.org>
> Subject: Re: OpenSSL vulnerability (bleedheart)
>
> Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to get 1.0.1e-2+deb7u6.
>
> It will be great if someone can update openssl to 1.0.1e-2+deb7u6 and test the OpenSSL Heartbleed vulnerability. Right now I could not do it from our network.
>
> -Harikrishna
>
> On 09-Apr-2014, at 5:00 pm, Nux! <nu...@li.nux.ro> wrote:
>
>> On 09.04.2014 12:04, Abhinandan Prateek wrote:
>>> The latest jenkins build template has OpenSSL version 1.0.1e, the
>>> version that is compromised.
>>
>> Guys, do not panic.
>> It is my understanding that in Debian, just like in RHEL, major versions will not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they will backport stuff.
>>
>> After I did an "apt-get update && apt-get install openssl" I got package version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according to the changelog:
>>
>> "aptitude changelog openssl" says:
>>
>> openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
>>
>>  * Non-maintainer upload by the Security Team.
>>  * Enable checking for services that may need to be restarted
>>  * Update list of services to possibly restart
>>
>> -- Salvatore Bonaccorso <ca...@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200
>>
>> openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
>>
>>  * Non-maintainer upload by the Security Team.
>>  * Add CVE-2014-0160.patch patch.
>>    CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
>>    A missing bounds check in the handling of the TLS heartbeat extension
>>    can be used to reveal up to 64k of memory to a connected client or
>>    server.
>>
>> -- Salvatore Bonaccorso <ca...@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200
>>
>> In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?
>>
>> Lucian
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro
>
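
The thread states two thresholds: upstream is fixed in 1.0.1g (Paul's opening message), and the wheezy package is fixed from 1.0.1e-2+deb7u5 (the changelog Lucian quotes above). The check below is an added example, not code from the thread or from CloudStack: it ports dpkg's version-ordering rules so the comparison runs without dpkg, and goes slightly beyond the thread by also classifying an "openssl version" line; the dpkg -l rows and version lines it reads are constructed samples.

```python
# Added example, not code from the thread or from CloudStack: a port of dpkg's
# version ordering (epoch, upstream, Debian revision; alternating non-digit and
# digit runs; '~' sorts before anything, even the end of the string), applied
# to constructed "dpkg -l" rows and "openssl version" lines.
import re

FIXED_DEBIAN_VERSION = "1.0.1e-2+deb7u5"   # deb7u5 carries the CVE-2014-0160 patch
FIRST_VULNERABLE_UPSTREAM, FIXED_UPSTREAM = "1.0.1", "1.0.1g"   # affected branch window

DPKG_ROW = re.compile(r"^[a-z]{2}R?\s+(\S+)\s+(\S+)")   # status, package, version
OPENSSL_VERSION_LINE = re.compile(r"^OpenSSL\s+(\S+)")   # e.g. "OpenSSL 1.0.1e 11 Feb 2013"

# Constructed "dpkg -l | grep -i ssl" output from a wheezy system VM.
SAMPLE_DPKG = """\
ii  libssl1.0.0:i386   1.0.1e-2+deb7u4   i386   SSL shared libraries
ii  openssl            1.0.1e-2+deb7u6   i386   Secure Sockets Layer toolkit
ii  libssl-dev         1.0.1e-2+deb7u5   i386   SSL development files
"""

def _order(c):
    """dpkg's character weight: '~' < digit or end of string < letters < other symbols."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): negative, zero or positive, like strcmp."""
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros; the longer number wins, else the first differing digit.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version):
    """'epoch:upstream-revision' -> (epoch, upstream, revision); epoch and revision are optional."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(v1, v2):
    """-1, 0 or 1, ordering v1 against v2 as 'dpkg --compare-versions' does."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def upstream_is_vulnerable(version):
    """True for 1.0.1 through 1.0.1f and for 1.0.2-beta; 0.9.8 and 1.0.0 were never affected."""
    if version.startswith("1.0.2-beta"):
        return True
    return _verrevcmp(version, FIRST_VULNERABLE_UPSTREAM) >= 0 and _verrevcmp(version, FIXED_UPSTREAM) < 0

def audit_dpkg(text, fixed=FIXED_DEBIAN_VERSION):
    """Map each ssl-related package row of 'dpkg -l' output to (version, patched?)."""
    result = {}
    for m in filter(None, map(DPKG_ROW.match, text.splitlines())):
        if "ssl" in m.group(1).lower():
            result[m.group(1)] = (m.group(2), compare_versions(m.group(2), fixed) >= 0)
    return result

def audit_openssl_version(line):
    """Classify one 'openssl version' line into (version string, vulnerable?)."""
    m = OPENSSL_VERSION_LINE.match(line.strip())
    if not m:
        raise ValueError("not an 'openssl version' line: %r" % line)
    return m.group(1), upstream_is_vulnerable(m.group(1))

if __name__ == "__main__":
    for name, (ver, ok) in sorted(audit_dpkg(SAMPLE_DPKG).items()):
        print("%-18s %-17s %s" % (name, ver, "patched" if ok else "VULNERABLE"))
    for line in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"):
        print(line, "->", "VULNERABLE" if audit_openssl_version(line)[1] else "not affected")
```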

Re: OpenSSL vulnerability (bleedheart)

Posted by Marcus <sh...@gmail.com>.
Thanks, that's great clarification.

On Wed, Apr 9, 2014 at 12:15 PM, Animesh Chaturvedi
<an...@citrix.com> wrote:
> Courtesy Chiradeep
>
>
> - CPVM uses JSSE so that should not be affected
> - VR is not affected since it does not offer any HTTPS/TLS service. The RA VPN and S2S VPN use the OpenSSL lib only for crypto and not for any transport
> - The only vulnerable service is the volume upload service and template copy. The latter is between 2 trusted IPs
> - Also this should only affect SSVM template from 4.2 onwards as only wheezy is affected
>
> Thanks
> Animesh
>> -----Original Message-----
>> From: John Kinsella [mailto:jlk@stratosec.co]
>> Sent: Wednesday, April 09, 2014 11:07 AM
>> To: dev@cloudstack.apache.org
>> Subject: Re: OpenSSL vulnerability (bleedheart)
>>
>> I want to address a few things here directly (I think these are covered in the
>> blog post, if not ping me)
>>
>> * Current SSVM from 4.3 is not good enough.
>> * Yes, each SystemVM runs software that needs OpenSSL. For the curious,
>> see "lsof|grep -i ssl"
>> * I'm not sure if the current SystemVM template on Jenkins is secure, we're
>> testing that currently and will update once confirmed.
>> * Assume if you see us releasing a blog post about a security issue, there's a
>> security issue (QED HTH HAND)
>> * Realhostip uses SSL, but not on the SystemVMs. If you're using realhostIP,
>> it doesn't matter what version of OSSL you use, you're still insecure. Horse:
>> beaten.
>> * Chiradeep's correct, 4.1 and older are not vulnerable. Post updated again.
>>
>> I think that covers the questions...running around doing a few things but this
>> is very high on our priority list.
>>
>> (snarky comments are meant to be funny not insulting/condescending)
>>
>> On Apr 9, 2014, at 10:19 AM, John Kinsella
>> <jl...@stratosec.co>> wrote:
>>
>> To my knowledge, no code change is necessary just a rebuild.  - j
>>
>> Please excuse typos - sent from mobile device.
>>
>> Stratosec<http://stratosec.co/> - Compliance as a Service
>> o: 415.315.9385
>> @johnlkinsella<http://twitter.com/johnlkinsella>
>

Re: OpenSSL vulnerability (bleedheart)

Posted by Chiradeep Vittal <Ch...@citrix.com>.
Yeah, SSVM is definitely vulnerable since it now provides a volume download service.

From: John Kinsella <jl...@stratosec.co>>
Reply-To: "dev@cloudstack.apache.org<ma...@cloudstack.apache.org>" <de...@cloudstack.apache.org>>
Date: Wednesday, April 9, 2014 at 1:38 PM
To: "dev@cloudstack.apache.org<ma...@cloudstack.apache.org>" <de...@cloudstack.apache.org>>
Subject: Re: OpenSSL vulnerability (bleedheart)



Re: OpenSSL vulnerability (bleedheart)

Posted by John Kinsella <jl...@stratosec.co>.
root@v-14-VM:~# lsof|grep -i ssl
monit     11461       root  mem       REG      254,7   358880      15115 /usr/lib/i386-linux-gnu/i686/cmov/libssl.so.1.0.0
root@v-14-VM:~# ps -ef|grep monit
root     11461     1  0 Apr09 ?        00:00:02 /usr/bin/monit -c /etc/monit/monitrc


Re: OpenSSL vulnerability (bleedheart)

Posted by Kelven Yang <ke...@citrix.com>.
What is the process name of that daemon in CPVM? I remember that we only
have SSH and HTTPS ports open in console proxy, and the latter one is
running Java based SSL engine.

Kelven

On 4/9/14, 1:38 PM, "John Kinsella" <jl...@stratosec.co> wrote:

>CPVM runs a monit daemon which is at least linked to libssl. I haven¹t
>taken more than peek at that yet - I think SSL is configured off by
>default butŠyeah sorry will have to look at that closer.
>
>Regarding the trusted IPs - I only attempted to test one SSVM from
>http://filippo.io/Heartbleed/ and it was a) publicly accessible and b)
>vulnerable, so trust didn¹t really enter into the equation.
>
>I already adjusted the blog post re: VR and earlier versions of ACS.
>
>John
>
>On Apr 9, 2014, at 12:15 PM, Animesh Chaturvedi
><an...@citrix.com>>
>wrote:
>
>Courtesy Chiradeep
>
>
>- CPVM uses JSSE so that should not be affected
>- VR is not affected since it does not offer any HTTPS/TLS service. The
>RA VPN and S2S VPN use the OpenSSL lib only for crypto and not for any
>transport
>- The only vulnerable service is the volume upload service and template
>copy. The latter is between 2 trusted IPs
>- Also this should only affect SSVM template from 4.2 onwards as only
>wheezy is affected
>
>Thanks
>Animesh
>-----Original Message-----
>From: John Kinsella [mailto:jlk@stratosec.co]
>Sent: Wednesday, April 09, 2014 11:07 AM
>To: dev@cloudstack.apache.org<ma...@cloudstack.apache.org>
>Subject: Re: OpenSSL vunerability (bleedheart)
>
>I want to address a few things here directly (I think these are covered
>in the
>blog post, if not ping me)
>
>* Current SSVM from 4.3 is not good enough.
>* Yes, each SystemVM runs software that needs OpenSSL. For the curious,
>see "lsof|grep -i ssl"
>* I'm not sure if the current SystemVM template on Jenkins is secure,
>we're
>testing that currently and will update once confirmed.
>* Assume if you see us releasing a blog post about a security issue,
>there's a
>security issue (QED HTH HAND)
>* Realhostip uses SSL, but not on the SystemVMs. If you're using
>realhostIP,
>it doesn't matter what version of OSSL you use, you're still insecure.
>Horse:
>beaten.
>* Chiradeep's correct, 4.1 and older are not vulnerable. Post updated
>again.
>
>I think that covers the questions...running around doing a few things but
>this
>is very high on our priority list.
>
>(snarky comments are meant to be funny not insulting/condescending)
>
>On Apr 9, 2014, at 10:19 AM, John Kinsella
><jl...@stratosec.co>>
>wrote:
>
>To my knowledge, no code change is necessary just a rebuild.  - j
>
>Please excuse typos - sent from mobile device.
>
>----- Reply message -----
>From: "Rayees Namathponnan"
><ra...@citrix.com><mai
>lto:rayees.namathponnan@citrix.co
>m>>
>To: 
>"dev@cloudstack.apache.org<ma...@cloudstack.apache.org><mailto:dev@cl
>oudstack.apache.org>"
><de...@cloudstack.apache.org><mailto:dev@cl
>oudstack.apache.org>>
>Subject: OpenSSL vunerability (bleedheart)
>Date: Wed, Apr 9, 2014 10:13 AM
>
>Even if we get latest systemvm template from
>http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ . ,
>it
>has openssl 1.0.1e-2+deb7u4 ?
>
>Is there any code change required to create system template with openssl
>1.0.1e-2+deb7u6  ?
>
>Regards,
>Rayees
>
>
>Stratosec<http://stratosec.co/> - Compliance as a Service
>o: 415.315.9385
>@johnlkinsella<http://twitter.com/johnlkinsella>
>


Re: OpenSSL vunerability (bleedheart)

Posted by John Kinsella <jl...@stratosec.co>.
CPVM runs a monit daemon which is at least linked to libssl. I haven’t taken more than a peek at that yet - I think SSL is configured off by default but…yeah sorry will have to look at that closer.

Regarding the trusted IPs - I only attempted to test one SSVM from http://filippo.io/Heartbleed/ and it was a) publicly accessible and b) vulnerable, so trust didn’t really enter into the equation.

I already adjusted the blog post re: VR and earlier versions of ACS.

John

On Apr 9, 2014, at 12:15 PM, Animesh Chaturvedi <an...@citrix.com>> wrote:

Courtesy Chiradeep


- CPVM uses JSSE so that should not be affected
- VR is not affected since it does not offer any HTTPS/TLS service. The RA VPN and S2S VPN use the OpenSSL lib only for crypto and not for any transport
- The only vulnerable service is the volume upload service and template copy. The latter is between 2 trusted IPs
- Also this should only affect SSVM template from 4.2 onwards as only wheezy is affected

Thanks
Animesh


RE: OpenSSL vunerability (bleedheart)

Posted by Animesh Chaturvedi <an...@citrix.com>.
Courtesy Chiradeep


- CPVM uses JSSE so that should not be affected
- VR is not affected since it does not offer any HTTPS/TLS service. The RA VPN and S2S VPN use the OpenSSL lib only for crypto and not for any transport
- The only vulnerable service is the volume upload service and template copy. The latter is between 2 trusted IPs
- Also this should only affect SSVM template from 4.2 onwards as only wheezy is affected

Thanks
Animesh
> -----Original Message-----
> From: John Kinsella [mailto:jlk@stratosec.co]
> Sent: Wednesday, April 09, 2014 11:07 AM
> To: dev@cloudstack.apache.org
> Subject: Re: OpenSSL vunerability (bleedheart)
> 
> I want to address a few things here directly (I think these are covered in the
> blog post, if not ping me)
> 
> * Current SSVM from 4.3 is not good enough.
> * Yes, each SystemVM runs software that needs OpenSSL. For the curious,
> see "lsof|grep -i ssl"
> * I'm not sure if the current SystemVM template on Jenkins is secure, we're
> testing that currently and will update once confirmed.
> * Assume if you see us releasing a blog post about a security issue, there's a
> security issue (QED HTH HAND)
> * Realhostip uses SSL, but not on the SystemVMs. If you're using realhostIP,
> it doesn't matter what version of OSSL you use, you're still insecure. Horse:
> beaten.
> * Chiradeep's correct, 4.1 and older are not vulnerable. Post updated again.
> 
> I think that covers the questions...running around doing a few things but this
> is very high on our priority list.
> 
> (snarky comments are meant to be funny not insulting/condescending)
> 


RE: OpenSSL vunerability (bleedheart)

Posted by Santhosh Edukulla <sa...@citrix.com>.
Also, if any of our mysql code base uses encryption/decryption/hash functionality, and the mysql libraries it links against in turn rely on openssl/libssl, then we may want to add a note to update to the fixed version of openssl, recreate the cert keys, and restart mysql to use the new ones. In such cases, do the devel packages also need to be updated, say openssl-devel?

Santhosh
________________________________________
From: John Kinsella [jlk@stratosec.co]
Sent: Wednesday, April 09, 2014 2:06 PM
To: dev@cloudstack.apache.org
Subject: Re: OpenSSL vunerability (bleedheart)

I want to address a few things here directly (I think these are covered in the blog post, if not ping me)

* Current SSVM from 4.3 is not good enough.
* Yes, each SystemVM runs software that needs OpenSSL. For the curious, see "lsof|grep -i ssl”
* I’m not sure if the current SystemVM template on Jenkins is secure, we’re testing that currently and will update once confirmed.
* Assume if you see us releasing a blog post about a security issue, there’s a security issue (QED HTH HAND)
* Realhostip uses SSL, but not on the SystemVMs. If you’re using realhostIP, it doesn’t matter what version of OSSL you use, you’re still insecure. Horse: beaten.
* Chiradeep’s correct, 4.1 and older are not vulnerable. Post updated again.

I think that covers the questions…running around doing a few things but this is very high on our priority list.

(snarky comments are meant to be funny not insulting/condescending)


Re: OpenSSL vunerability (bleedheart)

Posted by John Kinsella <jl...@stratosec.co>.
I want to address a few things here directly (I think these are covered in the blog post, if not ping me)

* Current SSVM from 4.3 is not good enough.
* Yes, each SystemVM runs software that needs OpenSSL. For the curious, see "lsof|grep -i ssl”
* I’m not sure if the current SystemVM template on Jenkins is secure, we’re testing that currently and will update once confirmed.
* Assume if you see us releasing a blog post about a security issue, there’s a security issue (QED HTH HAND)
* Realhostip uses SSL, but not on the SystemVMs. If you’re using realhostIP, it doesn’t matter what version of OSSL you use, you’re still insecure. Horse: beaten.
* Chiradeep’s correct, 4.1 and older are not vulnerable. Post updated again.

I think that covers the questions…running around doing a few things but this is very high on our priority list.

(snarky comments are meant to be funny not insulting/condescending)

On Apr 9, 2014, at 10:19 AM, John Kinsella <jl...@stratosec.co>> wrote:

To my knowledge, no code change is necessary just a rebuild.  - j

Please excuse typos - sent from mobile device.



Re: OpenSSL vunerability (bleedheart)

Posted by John Kinsella <jl...@stratosec.co>.
To my knowledge, no code change is necessary just a rebuild.  - j

Please excuse typos - sent from mobile device.

----- Reply message -----
From: "Rayees Namathponnan" <ra...@citrix.com>
To: "dev@cloudstack.apache.org" <de...@cloudstack.apache.org>
Subject: OpenSSL vunerability (bleedheart)
Date: Wed, Apr 9, 2014 10:13 AM

Even if we get latest systemvm template from http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ . , it has openssl 1.0.1e-2+deb7u4 ?

Is there any code change required to create system template with openssl  1.0.1e-2+deb7u6  ?

Regards,
Rayees



RE: OpenSSL vunerability (bleedheart)

Posted by Rayees Namathponnan <ra...@citrix.com>.
Even if we get latest systemvm template from http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ . , it has openssl 1.0.1e-2+deb7u4 ?

Is there any code change required to create system template with openssl  1.0.1e-2+deb7u6  ?

Regards,
Rayees 

-----Original Message-----
From: Harikrishna Patnala [mailto:harikrishna.patnala@citrix.com] 
Sent: Wednesday, April 09, 2014 5:15 AM
To: <de...@cloudstack.apache.org>
Subject: Re: OpenSSL vunerability (bleedheart)

Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to get 1.0.1e-2+deb7u6.

It will be great if some one can update openssl to 1.0.1e-2+deb7u6 and test OpenSSL HeartBleed Vulnerability. Right now I could not do it from our network. 

-Harikrishna



Re: OpenSSL vunerability (bleedheart)

Posted by Harikrishna Patnala <ha...@citrix.com>.
Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to get 1.0.1e-2+deb7u6.

It will be great if some one can update openssl to 1.0.1e-2+deb7u6 and test OpenSSL HeartBleed Vulnerability. Right now I could not do it from our network. 

-Harikrishna

On 09-Apr-2014, at 5:00 pm, Nux! <nu...@li.nux.ro> wrote:

> On 09.04.2014 12:04, Abhinandan Prateek wrote:
>> Latest jenkins build template have openSSL version 1.0.1e, the version
>> that is compromised.
> 
> Guys, do not panic.
> It is my understanding that in Debian, just like in RHEL, major versions will not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they will backport stuff.
> 
> After I did an "apt-get update && apt-get install openssl" I got package version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according to the changelog:
> 
> "aptitude changelog openssl" says:
> 
> openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
> 
>  * Non-maintainer upload by the Security Team.
>  * Enable checking for services that may need to be restarted
>  * Update list of services to possibly restart
> 
> -- Salvatore Bonaccorso <ca...@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200
> 
> openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
> 
>  * Non-maintainer upload by the Security Team.
>  * Add CVE-2014-0160.patch patch.
>    CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
>    A missing bounds check in the handling of the TLS heartbeat extension
>    can be used to reveal up to 64k of memory to a connected client or
>    server.
> 
> -- Salvatore Bonaccorso <ca...@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200
> 
> In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?
> 
> Lucian
> 
> -- 
> Sent from the Delta quadrant using Borg technology!
> 
> Nux!
> www.nux.ro


Re: OpenSSL vunerability (bleedheart)

Posted by Nux! <nu...@li.nux.ro>.
On 09.04.2014 18:34, John Kinsella wrote:
> Folks - unfortunately there’s an error in my blog post last night. On
> Debian, you need to update both openssl and libssl, updating openssl
> by itself is not good enough. I knew this, had it in a draft but
> somehow that didn’t make it into the post. I’ll blame lack of sleep.

The package name is libssl1.0.0 actually, so `apt-get install libssl1.0.0`.
It will also offer to restart some services that depend on it, which is handy (though the list is not exhaustive); I chose to reboot all my system VMs, just to be sure.

Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: OpenSSL vunerability (bleedheart)

Posted by Marcus <sh...@gmail.com>.
It might be good to add the particulars of what in the system VMs have
problems, so people know what urgency there is. For example, if the
only system vm that has an SSL service running on it is console proxy,
then an immediate mitigation is to focus on updating that (or shut it
down).  It doesn't do much good to have people go to the trouble of
updating all of their routers if the routers aren't running any
affected services. Certainly the instructions are helpful to be safe,
but if we can give people the info about the exposure then they can
decide.

On Wed, Apr 9, 2014 at 11:34 AM, John Kinsella <jl...@stratosec.co> wrote:
> Folks - unfortunately there’s an error in my blog post last night. On Debian, you need to update both openssl and libssl, updating openssl by itself is not good enough. I knew this, had it in a draft but somehow that didn’t make it into the post. I’ll blame lack of sleep.
>
> Blog post has been updated, and I’ve also added instructions for VMWare shops, thanks to Geoff Higginbottom.
>
> I can guarantee that current ACS is vulnerable, and I can attest that with our config (KVM) the notes in the blog post [1] will mitigate the vulnerability.
>
> 1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed
>

Re: OpenSSL vunerability (bleedheart)

Posted by John Kinsella <jl...@stratosec.co>.
Folks - unfortunately there’s an error in my blog post last night. On Debian, you need to update both openssl and libssl, updating openssl by itself is not good enough. I knew this, had it in a draft but somehow that didn’t make it into the post. I’ll blame lack of sleep.

Blog post has been updated, and I’ve also added instructions for VMWare shops, thanks to Geoff Higginbottom.

I can guarantee that current ACS is vulnerable, and I can attest that with our config (KVM) the notes in the blog post [1] will mitigate the vulnerability.

1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

On Apr 9, 2014, at 5:30 AM, Nux! <nu...@li.nux.ro>> wrote:

On 09.04.2014 12:04, Abhinandan Prateek wrote:
Latest jenkins build template have openSSL version 1.0.1e, the version
that is compromised.

Guys, do not panic.
It is my understanding that in Debian, just like in RHEL, major versions will not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they will backport stuff.

After I did an "apt-get update && apt-get install openssl" I got package version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according to the changelog:

"aptitude changelog openssl" says:

openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high

 * Non-maintainer upload by the Security Team.
 * Enable checking for services that may need to be restarted
 * Update list of services to possibly restart

-- Salvatore Bonaccorso <ca...@debian.org>>  Tue, 08 Apr 2014 10:44:53 +0200

openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

 * Non-maintainer upload by the Security Team.
 * Add CVE-2014-0160.patch patch.
   CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
   A missing bounds check in the handling of the TLS heartbeat extension
   can be used to reveal up to 64k of memory to a connected client or
   server.

-- Salvatore Bonaccorso <ca...@debian.org>>  Mon, 07 Apr 2014 22:26:55 +0200

In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro<http://www.nux.ro>

Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>


Re: OpenSSL vunerability (bleedheart)

Posted by Nux! <nu...@li.nux.ro>.
On 09.04.2014 12:04, Abhinandan Prateek wrote:
> The latest jenkins build template has openSSL version 1.0.1e, the version
> that is compromised.

Guys, do not panic.
It is my understanding that in Debian, just like in RHEL, major 
versions will not change, i.e. Debian GNU/Linux 7.0 will EOL with 
openssl 1.0.1e, but they will backport stuff.

After I did an "apt-get update && apt-get install openssl" I got 
package version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package 
is ok according to the changelog:

"aptitude changelog openssl" says:

openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high

   * Non-maintainer upload by the Security Team.
   * Enable checking for services that may need to be restarted
   * Update list of services to possibly restart

  -- Salvatore Bonaccorso <ca...@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200

openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

   * Non-maintainer upload by the Security Team.
   * Add CVE-2014-0160.patch patch.
     CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
     A missing bounds check in the handling of the TLS heartbeat extension
     can be used to reveal up to 64k of memory to a connected client or
     server.

  -- Salvatore Bonaccorso <ca...@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200

In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, 
then they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?

Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: OpenSSL vunerability (bleedheart)

Posted by Harikrishna Patnala <ha...@citrix.com>.
Hi,

I have tried upgrading openssl on our system VMs (deployed using the latest template); the version is still OpenSSL 1.0.1e.

Seems like apt does not have the binary of the latest OpenSSL; maybe we need to compile the library from the latest OpenSSL source (OpenSSL 1.0.1g) and use that build in our systemvm template.


root@v-2-VM:~# apt-get update
...

root@v-2-VM:~# apt-get install openssl
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  openssl
1 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Need to get 700 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://security.debian.org/ wheezy/updates/main openssl amd64 1.0.1e-2+deb7u6 [700 kB]
Fetched 700 kB in 0s (1,559 kB/s)
(Reading database ... 26260 files and directories currently installed.)
Preparing to replace openssl 1.0.1e-2+deb7u4 (using .../openssl_1.0.1e-2+deb7u6_amd64.deb) ...
Unpacking replacement openssl ...
Processing triggers for man-db ...
Setting up openssl (1.0.1e-2+deb7u6) ...

root@v-2-VM:~# openssl version
OpenSSL 1.0.1e 11 Feb 2013


-Harikrishna


On 09-Apr-2014, at 4:34 pm, Abhinandan Prateek <Ab...@citrix.com> wrote:

> The latest jenkins build template has openSSL version 1.0.1e, the version
> that is compromised.
> 
> On 09/04/14 2:30 pm, "Nux!" <nu...@li.nux.ro> wrote:
> 
>> On 09.04.2014 06:55, John Kinsella wrote:
>>> Just put up a blog post with mitigation instructions [1]. If anybody
>>> has any issues with this, please let us know and we’ll help/update as
>>> appropriate.
>>> 
>>> We’re working on new SystemVM images, but that’s going to take us a
>>> few days.
>> 
>> For those who run 4.3 aren't these good enough?
>> http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/
>> 
>> Also, what is the procedure of replacing the System VMs and templates
>> where there's no actual "upgrade" involved?
>> 
>> Lucian
>> 
>> -- 
>> Sent from the Delta quadrant using Borg technology!
>> 
>> Nux!
>> www.nux.ro
> 


Re: OpenSSL vunerability (bleedheart)

Posted by Abhinandan Prateek <Ab...@citrix.com>.
The latest jenkins build template has openSSL version 1.0.1e, the version
that is compromised.

On 09/04/14 2:30 pm, "Nux!" <nu...@li.nux.ro> wrote:

>On 09.04.2014 06:55, John Kinsella wrote:
>> Just put up a blog post with mitigation instructions [1]. If anybody
>> has any issues with this, please let us know and we’ll help/update as
>> appropriate.
>> 
>> We’re working on new SystemVM images, but that’s going to take us a
>> few days.
>
>For those who run 4.3 aren't these good enough?
>http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/
>
>Also, what is the procedure of replacing the System VMs and templates
>where there's no actual "upgrade" involved?
>
>Lucian
>
>-- 
>Sent from the Delta quadrant using Borg technology!
>
>Nux!
>www.nux.ro


Re: OpenSSL vunerability (bleedheart)

Posted by Nux! <nu...@li.nux.ro>.
On 09.04.2014 06:55, John Kinsella wrote:
> Just put up a blog post with mitigation instructions [1]. If anybody
> has any issues with this, please let us know and we’ll help/update as
> appropriate.
> 
> We’re working on new SystemVM images, but that’s going to take us a 
> few days.

For those who run 4.3 aren't these good enough?
http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/

Also, what is the procedure of replacing the System VMs and templates 
where there's no actual "upgrade" involved?

Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: OpenSSL vunerability (bleedheart)

Posted by Chiradeep Vittal <Ch...@citrix.com>.
John, I don’t believe that 4.0.0 – 4.1 are affected since they use Debian Squeeze-based systemvm templates.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883

From: John Kinsella <jl...@stratosec.co>
Reply-To: "dev@cloudstack.apache.org<ma...@cloudstack.apache.org>" <de...@cloudstack.apache.org>
Date: Tuesday, April 8, 2014 at 10:55 PM
To: "dev@cloudstack.apache.org<ma...@cloudstack.apache.org>" <de...@cloudstack.apache.org>
Subject: Re: OpenSSL vunerability (bleedheart)

Just put up a blog post with mitigation instructions [1]. If anybody has any issues with this, please let us know and we’ll help/update as appropriate.

We’re working on new SystemVM images, but that’s going to take us a few days.

John
1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

On Apr 8, 2014, at 6:21 PM, John Kinsella <jl...@stratosec.co> wrote:

Folks - we’re aware of the OpenSSL issue, and are working with vendors to release mitigation instructions for ACS.
Hoping to have something out later this evening.
John
On Apr 8, 2014, at 8:12 AM, Paul Angus <pa...@shapeblue.com> wrote:
A vulnerability has been found in OpenSSL
http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1
Affected are OpenSSL versions 1.0.1 and 1.0.2-beta, which include such releases as
Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.
It is fixed in OpenSSL 1.0.1g
From https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9
"Statement:
This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e."
XenServer 6.2 SP1 uses the native CentOS OpenSSL RPM without modification version (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008) so is unaffected.
Regards,
Paul Angus
Senior Consultant / Cloud Architect



Re: OpenSSL vunerability (bleedheart)

Posted by John Kinsella <jl...@stratosec.co>.
Just put up a blog post with mitigation instructions [1]. If anybody has any issues with this, please let us know and we’ll help/update as appropriate.

We’re working on new SystemVM images, but that’s going to take us a few days.

John
1: https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

On Apr 8, 2014, at 6:21 PM, John Kinsella <jl...@stratosec.co> wrote:

> Folks - we’re aware of the OpenSSL issue, and are working with vendors to release mitigation instructions for ACS.
> 
> Hoping to have something out later this evening.
> 
> John
> 
> On Apr 8, 2014, at 8:12 AM, Paul Angus <pa...@shapeblue.com> wrote:
> 
> A vulnerability has been found in OpenSSL
> 
> http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1
> 
> Affected are OpenSSL versions 1.0.1 and 1.0.2-beta, which include such releases as
> Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.
> 
> It is fixed in OpenSSL 1.0.1g
> 
> From https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9
> 
> "Statement:
> This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e."
> 
> XenServer 6.2 SP1 uses the native CentOS OpenSSL RPM without modification version (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008) so is unaffected.
> 
> 
> 
> Regards,
> 
> Paul Angus
> Senior Consultant / Cloud Architect
> 
> 


Re: OpenSSL vunerability (bleedheart)

Posted by John Kinsella <jl...@stratosec.co>.
Folks - we’re aware of the OpenSSL issue, and are working with vendors to release mitigation instructions for ACS.

Hoping to have something out later this evening.

John

On Apr 8, 2014, at 8:12 AM, Paul Angus <pa...@shapeblue.com> wrote:

A vulnerability has been found in OpenSSL

http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1

Affected are OpenSSL versions 1.0.1 and 1.0.2-beta, which include such releases as
Debian Wheezy, Ubuntu 12.04.4 LTS, Centos 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2.

It is fixed in OpenSSL 1.0.1g

From https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9

"Statement:
This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6.4 and earlier. This issue does affect Red Hat Enterprise Linux 6.5, Red Hat Enterprise Virtualization Hypervisor 6.5, and Red Hat Storage 2.1, which provided openssl 1.0.1e."

XenServer 6.2 SP1 uses the native CentOS OpenSSL RPM without modification version (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008) so is unaffected.



Regards,

Paul Angus
Senior Consultant / Cloud Architect




Re: OpenSSL vunerability (bleedheart)

Posted by Marcus <sh...@gmail.com>.
Looks like issues.apache.org is ok.


On Tue, Apr 8, 2014 at 12:34 PM, Marcus <sh...@gmail.com> wrote:
> That's a better test.
>
> On Tue, Apr 8, 2014 at 11:54 AM, Nux! <nu...@li.nux.ro> wrote:
>> On 08.04.2014 18:40, Marcus wrote:
>>>
>>> I haven't read up on the actual mechanism, but it basically tricks
>>> the server process into adding 64k of random memory from its process
>>> space into the TLS heartbeat payload. That means any documents shared
>>> over an SSL app, credentials, session keys, and anything else the
>>> process touches.
>>>
>>> Update your mail server as well if it allows TLS connections (do the
>>> command above to see if TLS server extension "heartbeat" is
>>> supported). And openvpn if you run VPN servers.
>>
>>
>> Yeah, good thinking about the VPN.
>>
>> Also found this https://gist.github.com/takeshixx/10107280 for testing and
>> it looks like it could actually retrieve sensitive data. Ugly..
>>
>>
>>
>> --
>> Sent from the Delta quadrant using Borg technology!
>>
>> Nux!
>> www.nux.ro

Re: OpenSSL vunerability (bleedheart)

Posted by Marcus <sh...@gmail.com>.
That's a better test.

On Tue, Apr 8, 2014 at 11:54 AM, Nux! <nu...@li.nux.ro> wrote:
> On 08.04.2014 18:40, Marcus wrote:
>>
>> I haven't read up on the actual mechanism, but it basically tricks
>> the server process into adding 64k of random memory from its process
>> space into the TLS heartbeat payload. That means any documents shared
>> over an SSL app, credentials, session keys, and anything else the
>> process touches.
>>
>> Update your mail server as well if it allows TLS connections (do the
>> command above to see if TLS server extension "heartbeat" is
>> supported). And openvpn if you run VPN servers.
>
>
> Yeah, good thinking about the VPN.
>
> Also found this https://gist.github.com/takeshixx/10107280 for testing and
> it looks like it could actually retrieve sensitive data. Ugly..
>
>
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro

Re: OpenSSL vunerability (bleedheart)

Posted by Nux! <nu...@li.nux.ro>.
On 08.04.2014 18:40, Marcus wrote:
> I haven't read up on the actual mechanism, but it basically tricks
> the server process into adding 64k of random memory from its process
> space into the TLS heartbeat payload. That means any documents shared
> over an SSL app, credentials, session keys, and anything else the
> process touches.
> 
> Update your mail server as well if it allows TLS connections (do the
> command above to see if TLS server extension "heartbeat" is
> supported). And openvpn if you run VPN servers.

Yeah, good thinking about the VPN.

Also found this https://gist.github.com/takeshixx/10107280 for testing 
and it looks like it could actually retrieve sensitive data. Ugly..


-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: OpenSSL vunerability (bleedheart)

Posted by Marcus <sh...@gmail.com>.
 I haven't read up on the actual mechanism, but it basically tricks
the server process into adding 64k of random memory from its process
space into the TLS heartbeat payload. That means any documents shared
over an SSL app, credentials, session keys, and anything else the
process touches.

Update your mail server as well if it allows TLS connections (do the
command above to see if TLS server extension "heartbeat" is
supported). And openvpn if you run VPN servers.

On Tue, Apr 8, 2014 at 11:31 AM, Nux! <nu...@li.nux.ro> wrote:
> On 08.04.2014 18:24, Marcus wrote:
>>
>> For anyone who doesn't know, this is a nightmare. People on tech sites
>> are scraping logins from each other and posting comments as other
>> users just to show they can; it's pretty powerful to be able to grab
>> random memory from a process using OpenSSL.
>
>
> How exactly does this happen? Do you know? For now I was just concerned
> someone would get my SSL key for my site and so on.
>
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
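The changelog quoted earlier in the thread names the defect precisely: a missing bounds check in the heartbeat handler. The script below is an added example, not code from the thread or from OpenSSL; it simulates the pre-fix and post-fix handlers in Python over a constructed byte buffer, so the effect of the check can be observed without touching a real TLS stack. The message layout follows RFC 6520 (type, 16-bit payload_length, payload, at least 16 bytes of padding); the record contents and the "neighbour" bytes standing in for adjacent process memory are constructed.

```python
import os
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER_LEN = 1 + 2      # type byte + 16-bit payload_length
MIN_PADDING = 16        # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(payload, claimed_length=None, padding_len=MIN_PADDING):
    """Encode a HeartbeatRequest. claimed_length lets a test construct a malformed
    message whose length field promises more bytes than are actually sent."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + os.urandom(padding_len)


def respond_unchecked(memory, offset, record_len):
    """Pre-fix logic, simulated: the record sits inside a larger buffer standing
    in for process memory, and payload_length is trusted without comparing it to
    record_len, so the copy can run past the record into neighbouring bytes."""
    _, length = struct.unpack("!BH", memory[offset:offset + HEADER_LEN])
    start = offset + HEADER_LEN
    payload = bytes(memory[start:start + length])
    return struct.pack("!BH", HB_RESPONSE, length) + payload + os.urandom(MIN_PADDING)


def respond_checked(memory, offset, record_len):
    """Post-fix logic: the two length checks added for CVE-2014-0160. A message
    that fails either is silently discarded, as RFC 6520 requires."""
    if HEADER_LEN + MIN_PADDING > record_len:
        return None                                   # cannot even hold header + padding
    _, length = struct.unpack("!BH", memory[offset:offset + HEADER_LEN])
    if HEADER_LEN + length + MIN_PADDING > record_len:
        return None                                   # claims bytes the record does not contain
    start = offset + HEADER_LEN
    payload = bytes(memory[start:start + length])
    return struct.pack("!BH", HB_RESPONSE, length) + payload + os.urandom(MIN_PADDING)


def response_payload(response):
    """Decode the payload echoed in a HeartbeatResponse (None if it was discarded)."""
    if response is None:
        return None
    _, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]


# Constructed neighbour data: whatever happened to sit after the record buffer.
NEIGHBOUR = b"CONSTRUCTED-SESSION-COOKIE=abc123"


def simulate(record, neighbour=NEIGHBOUR):
    """Feed one record to both handlers and return (unchecked, checked) payloads."""
    memory = bytearray(record + neighbour)
    unchecked = response_payload(respond_unchecked(memory, 0, len(record)))
    checked = response_payload(respond_checked(memory, 0, len(record)))
    return unchecked, checked


GOOD = build_heartbeat(b"ping")                         # honest 4-byte payload
BAD = build_heartbeat(b"ping", claimed_length=200)      # claims 200 bytes, sends 4
```

For GOOD both handlers echo b"ping"; for BAD the checked handler returns None while the unchecked one echoes the neighbour bytes, which is the disclosure the changelog describes.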

Re: OpenSSL vunerability (bleedheart)

Posted by Nux! <nu...@li.nux.ro>.
On 08.04.2014 18:24, Marcus wrote:
> For anyone who doesn't know, this is a nightmare. People on tech sites
> are scraping logins from each other and posting comments as other
> users just to show they can; it's pretty powerful to be able to grab
> random memory from a process using OpenSSL.

How exactly does this happen? Do you know? For now I was just concerned 
someone would get my SSL key for my site and so on.

Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

Re: OpenSSL vunerability (bleedheart)

Posted by Marcus <sh...@gmail.com>.
I'd recommend not logging into issues.apache.org until it is fixed. I
believe Atlassian needs to do something with their shipped package
before that can happen.

 openssl s_client -connect issues.apache.org:443  -tlsextdebug | grep heart
TLS server extension "heartbeat" (id=15), len=1

And further, Atlassian themselves aren't patched

 openssl s_client -connect support.atlassian.com:443  -tlsextdebug | grep heart
TLS server extension "heartbeat" (id=15), len=1

For anyone who doesn't know, this is a nightmare. People on tech sites
are scraping logins from each other and posting comments as other
users just to show they can; it's pretty powerful to be able to grab
random memory from a process using OpenSSL.

On Tue, Apr 8, 2014 at 10:07 AM, Nux! <nu...@li.nux.ro> wrote:
> On 08.04.2014 16:12, Paul Angus wrote:
>>
>> A vulnerability has been found in OpenSSL
>>
>> http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1
>
>
> If you want to test a site for it try http://filippo.io/Heartbleed/ (if it's
> not loaded already)
>
> There are already updates available where required, don't forget to restart
> the daemons that depend on SSL (lsof -n | grep ssl) after applying them.
>
> "OpenSSL opens your SSL"
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro

Re: OpenSSL vunerability (bleedheart)

Posted by Nux! <nu...@li.nux.ro>.
On 08.04.2014 16:12, Paul Angus wrote:
> A vulnerability has been found in OpenSSL
> 
> http://www.bit-tech.net/news/bits/2014/04/08/openssl-heartbleed/1

If you want to test a site for it try http://filippo.io/Heartbleed/ (if 
it's not loaded already)

There are already updates available where required, don't forget to 
restart the daemons that depend on SSL (lsof -n | grep ssl) after 
applying them.

"OpenSSL opens your SSL"

Lucian

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro