What is the process name of that daemon in CPVM? I remember that we only have the SSH and HTTPS ports open in the console proxy, and the latter one is running a Java-based SSL engine.
Kelven

On 4/9/14, 1:38 PM, "John Kinsella" <j...@stratosec.co> wrote:

> CPVM runs a monit daemon which is at least linked to libssl. I haven't
> taken more than a peek at that yet - I think SSL is configured off by
> default but... yeah, sorry, will have to look at that closer.
>
> Regarding the trusted IPs - I only attempted to test one SSVM from
> http://filippo.io/Heartbleed/ and it was a) publicly accessible and b)
> vulnerable, so trust didn't really enter into the equation.
>
> I already adjusted the blog post re: VR and earlier versions of ACS.
>
> John
>
> On Apr 9, 2014, at 12:15 PM, Animesh Chaturvedi <animesh.chaturv...@citrix.com> wrote:
>
> Courtesy Chiradeep
>
> - CPVM uses JSSE so that should not be affected
> - VR is not affected since it does not offer any HTTPS/TLS service. The RA VPN and S2S VPN use the OpenSSL lib only for crypto and not for any transport
> - The only vulnerable service is the volume upload service and template copy. The latter is between 2 trusted IPs
> - Also this should only affect SSVM template from 4.2 onwards as only wheezy is affected
>
> Thanks
> Animesh
>
> -----Original Message-----
> From: John Kinsella [mailto:j...@stratosec.co]
> Sent: Wednesday, April 09, 2014 11:07 AM
> To: dev@cloudstack.apache.org
> Subject: Re: OpenSSL vulnerability (bleedheart)
>
> I want to address a few things here directly (I think these are covered in the blog post, if not ping me)
>
> * Current SSVM from 4.3 is not good enough.
> * Yes, each SystemVM runs software that needs OpenSSL. For the curious, see "lsof|grep -i ssl"
> * I'm not sure if the current SystemVM template on Jenkins is secure, we're testing that currently and will update once confirmed.
> * Assume if you see us releasing a blog post about a security issue, there's a security issue (QED HTH HAND)
> * Realhostip uses SSL, but not on the SystemVMs. If you're using realhostIP, it doesn't matter what version of OSSL you use, you're still insecure. Horse: beaten.
> * Chiradeep's correct, 4.1 and older are not vulnerable. Post updated again.
>
> I think that covers the questions...running around doing a few things but this is very high on our priority list.
>
> (snarky comments are meant to be funny not insulting/condescending)
>
> On Apr 9, 2014, at 10:19 AM, John Kinsella <j...@stratosec.co> wrote:
>
> To my knowledge, no code change is necessary just a rebuild. - j
>
> Please excuse typos - sent from mobile device.
>
> ----- Reply message -----
> From: "Rayees Namathponnan" <rayees.namathpon...@citrix.com>
> To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
> Subject: OpenSSL vulnerability (bleedheart)
> Date: Wed, Apr 9, 2014 10:13 AM
>
> Even if we get the latest systemvm template from http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ , it has openssl 1.0.1e-2+deb7u4 ?
>
> Is there any code change required to create a system template with openssl 1.0.1e-2+deb7u6 ?
>
> Regards,
> Rayees
>
> -----Original Message-----
> From: Harikrishna Patnala [mailto:harikrishna.patn...@citrix.com]
> Sent: Wednesday, April 09, 2014 5:15 AM
> To: <dev@cloudstack.apache.org>
> Subject: Re: OpenSSL vulnerability (bleedheart)
>
> Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update openssl to get 1.0.1e-2+deb7u6.
>
> It will be great if someone can update openssl to 1.0.1e-2+deb7u6 and test the OpenSSL HeartBleed vulnerability. Right now I could not do it from our network.
>
> -Harikrishna
>
> On 09-Apr-2014, at 5:00 pm, Nux! <n...@li.nux.ro> wrote:
>
> On 09.04.2014 12:04, Abhinandan Prateek wrote:
> Latest jenkins build template have openSSL version 1.0.1e, the version that is compromised.
>
> Guys, do not panic.
> It is my understanding that in Debian, just like in RHEL, major versions will not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they will backport stuff.
>
> After I did an "apt-get update && apt-get install openssl" I got package version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok according to the changelog:
>
> "aptitude changelog openssl" says:
>
> openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high
>
>   * Non-maintainer upload by the Security Team.
>   * Enable checking for services that may need to be restarted
>   * Update list of services to possibly restart
>
>  -- Salvatore Bonaccorso <car...@debian.org>  Tue, 08 Apr 2014 10:44:53 +0200
>
> openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high
>
>   * Non-maintainer upload by the Security Team.
>   * Add CVE-2014-0160.patch patch.
>     CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
>     A missing bounds check in the handling of the TLS heartbeat extension
>     can be used to reveal up to 64k of memory to a connected client or
>     server.
>
>  -- Salvatore Bonaccorso <car...@debian.org>  Mon, 07 Apr 2014 22:26:55 +0200
>
> In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?
>
> Lucian
>
> --
> Sent from the Delta quadrant using Borg technology!
>
> Nux!
> www.nux.ro
>
>
> Stratosec - Compliance as a Service
> o: 415.315.9385
> @johnlkinsella
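A scripted form of the check Lucian describes above (is the installed package at or above 1.0.1e-2+deb7u5, the first wheezy-security upload carrying CVE-2014-0160.patch), added here as an example and not code from the thread or the CloudStack project. It reimplements dpkg's version ordering in Python so the comparison also works on `dpkg -l` output collected from a system VM, and it assumes the `libssl1.0.0` library package should be checked alongside the `openssl` binary package, since daemons such as monit link the library rather than the tool; the sample `dpkg -l` lines are constructed.

```python
def _order(c):
    # dpkg's character weights: '~' sorts before end-of-string, letters before other symbols
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        na = nb = ""
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0


def deb_version_cmp(a, b):
    """Compare Debian versions like 'dpkg --compare-versions': negative, zero or positive."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# First wheezy-security upload that added CVE-2014-0160.patch, per the changelog quoted in the thread
HEARTBLEED_FIXED = "1.0.1e-2+deb7u5"


def heartbleed_status(dpkg_l_output, packages=("openssl", "libssl1.0.0")):
    """Map each listed openssl-derived package to True if its version is at or above the fix."""
    rows = [line.split() for line in dpkg_l_output.splitlines()]
    return {f[1]: deb_version_cmp(f[2], HEARTBLEED_FIXED) >= 0
            for f in rows if len(f) >= 3 and f[0] == "ii" and f[1].split(":")[0] in packages}


# Constructed sample in the shape of 'dpkg -l | grep ssl' on a wheezy system VM (not real output)
SAMPLE_DPKG_L = """\
ii  libssl1.0.0:amd64  1.0.1e-2+deb7u4  amd64  SSL shared libraries
ii  openssl            1.0.1e-2+deb7u6  amd64  Secure Sockets Layer toolkit - cryptographic utility
"""
```

A package at or above the fixed version does not clear a daemon that was started before the upgrade and still has the old library mapped; that is what the service-restart check in the deb7u6 entry is there for.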