cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Kinsella <>
Subject Re: OpenSSL vunerability (bleedheart)
Date Wed, 09 Apr 2014 20:38:07 GMT
CPVM runs a monit daemon which is at least linked to libssl. I haven’t taken more than peek
at that yet - I think SSL is configured off by default but…yeah sorry will have to look
at that closer.

Regarding the trusted IPs - I only attempted to test one SSVM from
and it was a) publicly accessible and b) vulnerable, so trust didn’t really enter into the

I already adjusted the blog post re: VR and earlier versions of ACS.


On Apr 9, 2014, at 12:15 PM, Animesh Chaturvedi <<>>

Courtesy Chiradeep

- CPVM uses JSSE so that should not be affected
- VR is not affected since it does not offer any HTTPS/TLS service. The RA VPN and S2S VPN
use the OpenSSL lib only for crypto and not for any transport
- The only vulnerable service is the volume upload service and template copy. The latter is
between 2 trusted IPs
- Also this should only affect SSVM template from 4.2 onwards as only wheezy is affected

-----Original Message-----
From: John Kinsella []
Sent: Wednesday, April 09, 2014 11:07 AM
Subject: Re: OpenSSL vunerability (bleedheart)

I want to address a few things here directly (I think these are covered in the
blog post, if not ping me)

* Current SSVM from 4.3 is not good enough.
* Yes, each SystemVM runs software that needs OpenSSL. For the curious,
see "lsof|grep -i ssl"
* I'm not sure if the current SystemVM template on Jenkins is secure, we're
testing that currently and will update once confirmed.
* Assume if you see us releasing a blog post about a security issue, there's a
security issue (QED HTH HAND)
* Realhostip uses SSL, but not on the SystemVMs. If you're using realhostIP,
it doesn't matter what version of OSSL you use, you're still insecure. Horse:
* Chiradeep's correct, 4.1 and older are not vulnerable. Post updated again.

I think that covers the questions...running around doing a few things but this
is very high on our priority list.

(snarky comments are meant to be funny not insulting/condescending)

On Apr 9, 2014, at 10:19 AM, John Kinsella
<<><>> wrote:

To my knowledge, no code change is necessary just a rebuild.  - j

Please excuse typos - sent from mobile device.

----- Reply message -----
From: "Rayees Namathponnan"
To: "<><>"
Subject: OpenSSL vunerability (bleedheart)
Date: Wed, Apr 9, 2014 10:13 AM

Even if we get latest systemvm template from . , it
has openssl 1.0.1e-2+deb7u4 ?

Is there any code change required to create system template with openssl
1.0.1e-2+deb7u6  ?


-----Original Message-----
From: Harikrishna Patnala []
Sent: Wednesday, April 09, 2014 5:15 AM
To: <<><>>
Subject: Re: OpenSSL vunerability (bleedheart)

Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update
openssl to get 1.0.1e-2+deb7u6.

It will be great if some one can update openssl to 1.0.1e-2+deb7u6 and test
OpenSSL HeartBleed Vulnerability. Right now I could not do it from our


On 09-Apr-2014, at 5:00 pm, Nux! <<><>>

On 09.04.2014 12:04, Abhinandan Prateek wrote:
Latest jenkins build template have openSSL version 1.0.1e, the version that is

Guys, do not panic.
It is my understanding that in Debian, just like in RHEL, major versions will
not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they
will backport stuff.

After I did an "apt-get update && apt-get install openssl" I got package
version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok
according to the changelog:

"aptitude changelog openssl" says:

openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high

* Non-maintainer upload by the Security Team.
* Enable checking for services that may need to be restarted
* Update list of services to possibly restart

-- Salvatore Bonaccorso <<><>>
Tue, 08 Apr 2014 10:44:53

openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

* Non-maintainer upload by the Security Team.
* Add CVE-2014-0160.patch patch.
 CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
 A missing bounds check in the handling of the TLS heartbeat extension
 can be used to reveal up to 64k of memory to a connected client or

-- Salvatore Bonaccorso <<><>>
Mon, 07 Apr 2014 22:26:55

In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then
they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?


Sent from the Delta quadrant using Borg technology!


Stratosec<> - Compliance as a Service
o: 415.315.9385

Stratosec<> - Compliance as a Service
o: 415.315.9385

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message