Courtesy Chiradeep
- CPVM uses JSSE so that should not be affected - VR is not affected since it does not offer any HTTPS/TLS service. The RA VPN and S2S VPN use the OpenSSL lib only for crypto and not for any transport - The only vulnerable service is the volume upload service and template copy. The latter is between 2 trusted IPs - Also this should only affect SSVM template from 4.2 onwards as only wheezy is affected Thanks Animesh > -----Original Message----- > From: John Kinsella [mailto:j...@stratosec.co] > Sent: Wednesday, April 09, 2014 11:07 AM > To: dev@cloudstack.apache.org > Subject: Re: OpenSSL vunerability (bleedheart) > > I want to address a few things here directly (I think these are covered in the > blog post, if not ping me) > > * Current SSVM from 4.3 is not good enough. > * Yes, each SystemVM runs software that needs OpenSSL. For the curious, > see "lsof|grep -i ssl" > * I'm not sure if the current SystemVM template on Jenkins is secure, we're > testing that currently and will update once confirmed. > * Assume if you see us releasing a blog post about a security issue, there's a > security issue (QED HTH HAND) > * Realhostip uses SSL, but not on the SystemVMs. If you're using realhostIP, > it doesn't matter what version of OSSL you use, you're still insecure. Horse: > beaten. > * Chiradeep's correct, 4.1 and older are not vulnerable. Post updated again. > > I think that covers the questions...running around doing a few things but this > is very high on our priority list. > > (snarky comments are meant to be funny not insulting/condescending) > > On Apr 9, 2014, at 10:19 AM, John Kinsella > <j...@stratosec.co<mailto:j...@stratosec.co>> wrote: > > To my knowledge, no code change is necessary just a rebuild. - j > > Please excuse typos - sent from mobile device. > > ----- Reply message ----- > From: "Rayees Namathponnan" > <rayees.namathpon...@citrix.com<mailto:rayees.namathpon...@citrix.co > m>> > To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>" > <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>> > Subject: OpenSSL vunerability (bleedheart) > Date: Wed, Apr 9, 2014 10:13 AM > > Even if we get latest systemvm template from > http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ . , it > has openssl 1.0.1e-2+deb7u4 ? > > Is there any code change required to create system template with openssl > 1.0.1e-2+deb7u6 ? > > Regards, > Rayees > > -----Original Message----- > From: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com] > Sent: Wednesday, April 09, 2014 5:15 AM > To: <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>> > Subject: Re: OpenSSL vunerability (bleedheart) > > Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update > openssl to get 1.0.1e-2+deb7u6. > > It will be great if some one can update openssl to 1.0.1e-2+deb7u6 and test > OpenSSL HeartBleed Vulnerability. Right now I could not do it from our > network. > > -Harikrishna > > On 09-Apr-2014, at 5:00 pm, Nux! <n...@li.nux.ro<mailto:n...@li.nux.ro>> > wrote: > > On 09.04.2014 12:04, Abhinandan Prateek wrote: > Latest jenkins build template have openSSL version 1.0.1e, the version that is > compromised. > > Guys, do not panic. > It is my understanding that in Debian, just like in RHEL, major versions will > not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they > will backport stuff. > > After I did an "apt-get update && apt-get install openssl" I got package > version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok > according to the changelog: > > "aptitude changelog openssl" says: > > openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high > > * Non-maintainer upload by the Security Team. > * Enable checking for services that may need to be restarted > * Update list of services to possibly restart > > -- Salvatore Bonaccorso <car...@debian.org<mailto:car...@debian.org>> > Tue, 08 Apr 2014 10:44:53 > +0200 > > openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high > > * Non-maintainer upload by the Security Team. > * Add CVE-2014-0160.patch patch. > CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure. > A missing bounds check in the handling of the TLS heartbeat extension > can be used to reveal up to 64k of memory to a connected client or > server. > > -- Salvatore Bonaccorso <car...@debian.org<mailto:car...@debian.org>> > Mon, 07 Apr 2014 22:26:55 > +0200 > > In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then > they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ? > > Lucian > > -- > Sent from the Delta quadrant using Borg technology! > > Nux! > www.nux.ro<http://www.nux.ro> > > > Stratosec<http://stratosec.co/> - Compliance as a Service > o: 415.315.9385 > @johnlkinsella<http://twitter.com/johnlkinsella>
