Yeah, SSVM is definitely vulnerable since it now provides a volume download service.
From: John Kinsella <j...@stratosec.co<mailto:j...@stratosec.co>> Reply-To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>" <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>> Date: Wednesday, April 9, 2014 at 1:38 PM To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>" <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>> Subject: Re: OpenSSL vunerability (bleedheart) CPVM runs a monit daemon which is at least linked to libssl. I haven’t taken more than peek at that yet - I think SSL is configured off by default but…yeah sorry will have to look at that closer. Regarding the trusted IPs - I only attempted to test one SSVM from http://filippo.io/Heartbleed/ and it was a) publicly accessible and b) vulnerable, so trust didn’t really enter into the equation. I already adjusted the blog post re: VR and earlier versions of ACS. John On Apr 9, 2014, at 12:15 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com<mailto:animesh.chaturv...@citrix.com><mailto:animesh.chaturv...@citrix.com>> wrote: Courtesy Chiradeep - CPVM uses JSSE so that should not be affected - VR is not affected since it does not offer any HTTPS/TLS service. The RA VPN and S2S VPN use the OpenSSL lib only for crypto and not for any transport - The only vulnerable service is the volume upload service and template copy. The latter is between 2 trusted IPs - Also this should only affect SSVM template from 4.2 onwards as only wheezy is affected Thanks Animesh -----Original Message----- From: John Kinsella [mailto:j...@stratosec.co] Sent: Wednesday, April 09, 2014 11:07 AM To: dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org><mailto:dev@cloudstack.apache.org> Subject: Re: OpenSSL vunerability (bleedheart) I want to address a few things here directly (I think these are covered in the blog post, if not ping me) * Current SSVM from 4.3 is not good enough. * Yes, each SystemVM runs software that needs OpenSSL. For the curious, see "lsof|grep -i ssl" * I'm not sure if the current SystemVM template on Jenkins is secure, we're testing that currently and will update once confirmed. * Assume if you see us releasing a blog post about a security issue, there's a security issue (QED HTH HAND) * Realhostip uses SSL, but not on the SystemVMs. If you're using realhostIP, it doesn't matter what version of OSSL you use, you're still insecure. Horse: beaten. * Chiradeep's correct, 4.1 and older are not vulnerable. Post updated again. I think that covers the questions...running around doing a few things but this is very high on our priority list. (snarky comments are meant to be funny not insulting/condescending) On Apr 9, 2014, at 10:19 AM, John Kinsella <j...@stratosec.co<mailto:j...@stratosec.co><mailto:j...@stratosec.co><mailto:j...@stratosec.co>> wrote: To my knowledge, no code change is necessary just a rebuild. - j Please excuse typos - sent from mobile device. ----- Reply message ----- From: "Rayees Namathponnan" <rayees.namathpon...@citrix.com<mailto:rayees.namathpon...@citrix.com><mailto:rayees.namathpon...@citrix.com><mailto:rayees.namathpon...@citrix.co m>> To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org><mailto:dev@cloudstack.apache.org><mailto:dev@cloudstack.apache.org>" <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org><mailto:dev@cloudstack.apache.org><mailto:dev@cloudstack.apache.org>> Subject: OpenSSL vunerability (bleedheart) Date: Wed, Apr 9, 2014 10:13 AM Even if we get latest systemvm template from http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ . , it has openssl 1.0.1e-2+deb7u4 ? Is there any code change required to create system template with openssl 1.0.1e-2+deb7u6 ? Regards, Rayees -----Original Message----- From: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com] Sent: Wednesday, April 09, 2014 5:15 AM To: <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org><mailto:dev@cloudstack.apache.org><mailto:dev@cloudstack.apache.org>> Subject: Re: OpenSSL vunerability (bleedheart) Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to get 1.0.1e-2+deb7u6. It will be great if some one can update openssl to 1.0.1e-2+deb7u6 and test OpenSSL HeartBleed Vulnerability. Right now I could not do it from our network. -Harikrishna On 09-Apr-2014, at 5:00 pm, Nux! <n...@li.nux.ro<mailto:n...@li.nux.ro><mailto:n...@li.nux.ro><mailto:n...@li.nux.ro>> wrote: On 09.04.2014 12:04, Abhinandan Prateek wrote: Latest jenkins build template have openSSL version 1.0.1e, the version that is compromised. Guys, do not panic. It is my understanding that in Debian, just like in RHEL, major versions will not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they will backport stuff. After I did an "apt-get update && apt-get install openssl" I got package version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according to the changelog: "aptitude changelog openssl" says: openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high * Non-maintainer upload by the Security Team. * Enable checking for services that may need to be restarted * Update list of services to possibly restart -- Salvatore Bonaccorso <car...@debian.org<mailto:car...@debian.org><mailto:car...@debian.org><mailto:car...@debian.org>> Tue, 08 Apr 2014 10:44:53 +0200 openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high * Non-maintainer upload by the Security Team. * Add CVE-2014-0160.patch patch. CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure. A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. -- Salvatore Bonaccorso <car...@debian.org<mailto:car...@debian.org><mailto:car...@debian.org><mailto:car...@debian.org>> Mon, 07 Apr 2014 22:26:55 +0200 In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ? Lucian -- Sent from the Delta quadrant using Borg technology! Nux! www.nux.ro<http://www.nux.ro><http://www.nux.ro> Stratosec<http://stratosec.co/> - Compliance as a Service o: 415.315.9385 @johnlkinsella<http://twitter.com/johnlkinsella> Stratosec<http://stratosec.co/> - Compliance as a Service o: 415.315.9385 @johnlkinsella<http://twitter.com/johnlkinsella>
