Sorry folks that I didn’t send it to this list. To be accurate, it’s a blog post not a press release. We’ll have a formal solution in a few more days.
https://blogs.apache.org/cloudstack/entry/how_to_mitigate_openssl_heartbleed

On Apr 9, 2014, at 5:19 AM, Antonio Packery <[email protected]> wrote:

Here is the CloudStack press release,

How to Mitigate OpenSSL HeartBleed Vulnerability in Apache CloudStack
Wed Apr 09 2014 07:52:17 GMT+0200 (SAST)

Earlier this week, a security vulnerability was disclosed in OpenSSL, one of the software libraries that Apache CloudStack uses to encrypt data sent over network connections. As the vulnerability has existed in OpenSSL since early 2012, System VMs in Apache CloudStack versions 4.0.0-incubating through 4.3 are running software using vulnerable versions of OpenSSL. This includes CloudStack's Virtual Router VMs, Console Proxy VMs, and Secondary Storage VMs.

We are actively working on creating updated System VM templates for each recent version of Apache CloudStack, and for each of the hypervisor platforms which Apache CloudStack supports. Due to our testing and QA processes, this will take several days. In the meantime, we want to provide our users with a temporary workaround for currently running System VMs.

If you are running Apache CloudStack 4.0.0-incubating through the recent 4.3 release, the following steps will help ensure the security of your cloud infrastructure until an updated version of the System VM template is available:

1. As an administrator in the CloudStack web UI, navigate to Infrastructure->System VMs
2. For each System VM listed, note the host it is running on, and its "Link Local IP address."
3. With that data, perform the following steps for each System VM:
   * ssh into that host as root
   * From the host, ssh into the SSVM via its link local IP address (e.g. ssh -i /root/.ssh/id_rsa.cloud -p 3922 169.254.3.33)
   * On the System VM, first run "apt-get update"
   * Then run "apt-get install openssl". If a dialog appears asking to restart programs, accept its request.
   * Next, for Secondary Storage VMs, run /etc/init.d/apache2 restart
   * Log out of the System VM and host server
4. Back in the CloudStack UI, now navigate to Infrastructure->Virtual Routers. For each VR, note the host it's running on and its link local IP address, and then repeat steps a-f above.

We realize that for larger installations where System VMs are being actively created and destroyed based on customer demand, this is a very rough stop-gap. The Apache CloudStack security team is actively working on a more permanent fix and will be releasing that to the community as soon as possible.

For Apache CloudStack installations that secure the web-based user interface with SSL, these may also be vulnerable to HeartBleed, but that is outside the scope of this blog post. We recommend testing your installation with [1] to determine if you need to patch/upgrade the SSL library used by any web servers (or other SSL-based services) you use.

1: http://filippo.io/Heartbleed/

On 04/09/2014 12:03 PM, Len Bellemore wrote:

Hi Guys,

Does anyone know which versions of ACS are affected by the Heartbleed OpenSSL flaw? - http://heartbleed.com/

Thanks
Len

Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>
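The per-System-VM workaround in the quoted blog post (ssh to the host as root, ssh into the VM on its link-local address with the system key on port 3922, apt-get update, apt-get install openssl, apache2 restart on Secondary Storage VMs only) written up as an added shell example. This is not code from the blog post or from anyone in the thread: the key path and port come from the post, while the inventory lines, the host names and the ssvm/cpvm/vr labels are constructed for the example. It prints the generated command lines by default and only executes them when APPLY=1 is set, so the list can be reviewed before anything is touched.

```shell
#!/bin/sh
# Added example: generates (and, with APPLY=1, runs) the per-System-VM
# Heartbleed workaround described in the CloudStack blog post. Not code from
# the post or the thread. Key path and port are from the post; the inventory,
# host names and the kind labels (ssvm, cpvm, vr) are constructed here.

SYSVM_KEY=/root/.ssh/id_rsa.cloud
SYSVM_PORT=3922

# Constructed inventory, one System VM per line: kind,host,link-local IP.
# In practice this is copied from Infrastructure->System VMs and
# Infrastructure->Virtual Routers in the UI. The last line has a deliberately
# wrong address to show the validation path.
INVENTORY='ssvm,host1.example,169.254.3.33
cpvm,host1.example,169.254.1.12
vr,host2.example,169.254.2.7
vr,host2.example,10.1.2.3'

# Shell commands to run inside a System VM of the given kind. Only Secondary
# Storage VMs get the apache2 restart. DEBIAN_FRONTEND=noninteractive with -y
# takes the default answer to the "restart services?" prompt (assumption: the
# default is to restart, which is the answer the post says to accept).
remote_commands() {
  cmds='apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y openssl'
  if [ "$1" = ssvm ]; then
    cmds="$cmds && /etc/init.d/apache2 restart"
  fi
  printf '%s\n' "$cmds"
}

# Only 169.254.0.0/16 addresses are accepted, so a typo in the inventory
# cannot send the commands to an unrelated machine.
is_link_local() {
  case "$1" in
    169.254.[0-9]*.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# The double hop from the post: ssh to the hypervisor host as root, then from
# the host into the System VM with the CloudStack system key on port 3922.
patch_command() {
  kind=$1; host=$2; ip=$3
  inner=$(remote_commands "$kind")
  printf "ssh root@%s \"ssh -i %s -p %s %s '%s'\"\n" \
    "$host" "$SYSVM_KEY" "$SYSVM_PORT" "$ip" "$inner"
}

# Walk the inventory: print each command line on stdout, warn on stderr for
# rejected entries, and execute a command only when APPLY=1.
run_inventory() {
  printf '%s\n' "$INVENTORY" | while IFS=, read -r kind host ip; do
    [ -n "$kind" ] || continue
    if ! is_link_local "$ip"; then
      printf 'skipping %s on %s: %s is not a link-local address\n' \
        "$kind" "$host" "$ip" >&2
      continue
    fi
    cmd=$(patch_command "$kind" "$host" "$ip")
    printf '%s\n' "$cmd"
    if [ "${APPLY:-0}" = 1 ]; then
      eval "$cmd"
    fi
  done
}

run_inventory
```

Run it once without APPLY to read the three generated command lines (the 10.1.2.3 entry is reported on stderr and skipped), then with APPLY=1 from a machine that has root ssh access to the hosts. Virtual routers from step 4 of the post are simply more inventory lines with kind vr; they get the same apt-get commands and no apache2 restart.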
