cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Kinsella <...@stratosec.co>
Subject Re: OpenSSL vunerability (bleedheart)
Date Wed, 09 Apr 2014 20:38:07 GMT
CPVM runs a monit daemon which is at least linked to libssl. I haven’t taken more than peek
at that yet - I think SSL is configured off by default but…yeah sorry will have to look
at that closer.

Regarding the trusted IPs - I only attempted to test one SSVM from http://filippo.io/Heartbleed/
and it was a) publicly accessible and b) vulnerable, so trust didn’t really enter into the
equation.

I already adjusted the blog post re: VR and earlier versions of ACS.

John

On Apr 9, 2014, at 12:15 PM, Animesh Chaturvedi <animesh.chaturvedi@citrix.com<mailto:animesh.chaturvedi@citrix.com>>
wrote:

Courtesy Chiradeep


- CPVM uses JSSE so that should not be affected
- VR is not affected since it does not offer any HTTPS/TLS service. The RA VPN and S2S VPN
use the OpenSSL lib only for crypto and not for any transport
- The only vulnerable service is the volume upload service and template copy. The latter is
between 2 trusted IPs
- Also this should only affect SSVM template from 4.2 onwards as only wheezy is affected

Thanks
Animesh
-----Original Message-----
From: John Kinsella [mailto:jlk@stratosec.co]
Sent: Wednesday, April 09, 2014 11:07 AM
To: dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org>
Subject: Re: OpenSSL vunerability (bleedheart)

I want to address a few things here directly (I think these are covered in the
blog post, if not ping me)

* Current SSVM from 4.3 is not good enough.
* Yes, each SystemVM runs software that needs OpenSSL. For the curious,
see "lsof|grep -i ssl"
* I'm not sure if the current SystemVM template on Jenkins is secure, we're
testing that currently and will update once confirmed.
* Assume if you see us releasing a blog post about a security issue, there's a
security issue (QED HTH HAND)
* Realhostip uses SSL, but not on the SystemVMs. If you're using realhostIP,
it doesn't matter what version of OSSL you use, you're still insecure. Horse:
beaten.
* Chiradeep's correct, 4.1 and older are not vulnerable. Post updated again.

I think that covers the questions...running around doing a few things but this
is very high on our priority list.

(snarky comments are meant to be funny not insulting/condescending)

On Apr 9, 2014, at 10:19 AM, John Kinsella
<jlk@stratosec.co<mailto:jlk@stratosec.co><mailto:jlk@stratosec.co>> wrote:

To my knowledge, no code change is necessary just a rebuild.  - j

Please excuse typos - sent from mobile device.

----- Reply message -----
From: "Rayees Namathponnan"
<rayees.namathponnan@citrix.com<mailto:rayees.namathponnan@citrix.com><mailto:rayees.namathponnan@citrix.co
m>>
To: "dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org><mailto:dev@cloudstack.apache.org>"
<dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org><mailto:dev@cloudstack.apache.org>>
Subject: OpenSSL vunerability (bleedheart)
Date: Wed, Apr 9, 2014 10:13 AM

Even if we get latest systemvm template from
http://jenkins.buildacloud.org/view/4.3/job/cloudstack-4.3-systemvm/ . , it
has openssl 1.0.1e-2+deb7u4 ?

Is there any code change required to create system template with openssl
1.0.1e-2+deb7u6  ?

Regards,
Rayees

-----Original Message-----
From: Harikrishna Patnala [mailto:harikrishna.patnala@citrix.com]
Sent: Wednesday, April 09, 2014 5:15 AM
To: <dev@cloudstack.apache.org<mailto:dev@cloudstack.apache.org><mailto:dev@cloudstack.apache.org>>
Subject: Re: OpenSSL vunerability (bleedheart)

Latest System VMs have openssl 1.0.1e-2+deb7u4. We need to update
openssl to get 1.0.1e-2+deb7u6.

It will be great if some one can update openssl to 1.0.1e-2+deb7u6 and test
OpenSSL HeartBleed Vulnerability. Right now I could not do it from our
network.

-Harikrishna

On 09-Apr-2014, at 5:00 pm, Nux! <nux@li.nux.ro<mailto:nux@li.nux.ro><mailto:nux@li.nux.ro>>
wrote:

On 09.04.2014 12:04, Abhinandan Prateek wrote:
Latest jenkins build template have openSSL version 1.0.1e, the version that is
compromised.

Guys, do not panic.
It is my understanding that in Debian, just like in RHEL, major versions will
not change, i.e. Debian GNU/Linux 7.0 will EOL with openssl 1.0.1e, but they
will backport stuff.

After I did an "apt-get update && apt-get install openssl" I got package
version 1.0.1e-2+deb7u6 (dpkg -l|grep openssl) and this package is ok
according to the changelog:

"aptitude changelog openssl" says:

openssl (1.0.1e-2+deb7u6) wheezy-security; urgency=high

* Non-maintainer upload by the Security Team.
* Enable checking for services that may need to be restarted
* Update list of services to possibly restart

-- Salvatore Bonaccorso <carnil@debian.org<mailto:carnil@debian.org><mailto:carnil@debian.org>>
Tue, 08 Apr 2014 10:44:53
+0200

openssl (1.0.1e-2+deb7u5) wheezy-security; urgency=high

* Non-maintainer upload by the Security Team.
* Add CVE-2014-0160.patch patch.
 CVE-2014-0160: Fix TLS/DTLS hearbeat information disclosure.
 A missing bounds check in the handling of the TLS heartbeat extension
 can be used to reveal up to 64k of memory to a connected client or
 server.

-- Salvatore Bonaccorso <carnil@debian.org<mailto:carnil@debian.org><mailto:carnil@debian.org>>
Mon, 07 Apr 2014 22:26:55
+0200

In conclusion, if System VMs have openssl 1.0.1e-2+deb7u5 or higher, then
they are OK. Can anyone confirm they have 1.0.1e-2+deb7u5+ ?

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro<http://www.nux.ro><http://www.nux.ro>


Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>


Stratosec<http://stratosec.co/> - Compliance as a Service
o: 415.315.9385
@johnlkinsella<http://twitter.com/johnlkinsella>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message