cloudstack-users mailing list archives

From Antonio Packery <Antonio.Pack...@t-systems.co.za>
Subject Re: OpenSSL Flaw
Date Wed, 09 Apr 2014 11:19:22 GMT
Here is the CloudStack press release,
How to Mitigate OpenSSL HeartBleed Vulnerability in Apache CloudStack

Wed Apr 09 2014 07:52:17 GMT+0200 (SAST)

Earlier this week, a security vulnerability was disclosed in OpenSSL, one of the software
libraries that Apache CloudStack uses to encrypt data sent over network connections.
As the vulnerability has existed in OpenSSL since early 2012, System VMs in Apache CloudStack
versions 4.0.0-incubating through 4.3 are running software using vulnerable versions of OpenSSL. This
includes CloudStack's Virtual Router VMs, Console Proxy VMs, and Secondary Storage VMs.

We are actively working on creating updated System VM templates for each recent version of
Apache CloudStack, and for each of the hypervisor platforms which Apache CloudStack supports.
Due to our testing and QA processes, this will take several days. In the meantime, we want
to provide our users with a temporary workaround for currently running System VMs.

If you are running Apache CloudStack 4.0.0-incubating through the recent 4.3 release, the
following steps will help ensure the security of your cloud infrastructure until an updated
version of the System VM template is available:

 1.  As an administrator in the CloudStack web UI, navigate to Infrastructure->System VMs
 2.  For each System VM listed, note the host it is running on, and its "Link Local IP address."
 3.  With that data, perform the following steps for each System VM:
    a.  ssh into that host as root
    b.  From the host, ssh into the SSVM via its link local IP address (e.g. ssh -i /root/.ssh/id_rsa.cloud -p 3922 169.254.3.33)
    c.  On the System VM, first run "apt-get update"
    d.  Then run apt-get install openssl. If a dialog appears asking to restart programs, accept its request.
    e.  Next, for Secondary Storage VMs, run /etc/init.d/apache2 restart
    f.  Log out of the System VM and host server
 4.  Back in the CloudStack UI, now navigate to Infrastructure->Virtual Routers. For each
VR, note the host it's running on and its link local IP address, and then repeat steps a-f above.

We realize that for larger installations where System VMs are being actively created and destroyed
based on customer demand, this is a very rough stop-gap. The Apache CloudStack security team
is actively working on a more permanent fix and will be releasing that to the community as
soon as possible.

For Apache CloudStack installations that secure the web-based user-interface with SSL, these
may also be vulnerable to HeartBleed, but that is outside the scope of this blog post. We
recommend testing your installation with [1] to determine if you need to patch/upgrade the
SSL library used by any web servers (or other SSL-based services) you use.

1: http://filippo.io/Heartbleed/

On 04/09/2014 12:03 PM, Len Bellemore wrote:

Hi Guys,

Does anyone know which versions of ACS are affected by the Heartbleed OpenSSL flaw?
- http://heartbleed.com/

Thanks
Len

________________________________
IMPORTANT NOTICE. This electronic message contains information from Control Circle Ltd, which
may be privileged or confidential. The information is intended for use only by the individual(s)
or entity named above. If you are not the intended recipient, be aware that any disclosure,
copying, distribution or use of the contents of this information is strictly prohibited. If
you have received this electronic message in error, please notify me by telephone or email
(to the number or email address above) immediately. Activity and use of the ControlCircle
e-mail system is monitored to secure its effective operation and for other lawful business
purposes. Communications using this system will also be monitored and may be recorded to secure
effective operation and for other lawful business purposes


Disclaimer: This message and/or attachment(s) may contain privileged, confidential and/or
personal information. If you are not the intended recipient you may not disclose or distribute
any of the information contained within this message. In such case you must destroy this message
and inform the sender of the error. T-Systems does not accept liability for any errors, omissions,
information and viruses contained in the transmission of this message. Any opinions, conclusions
and other information contained within this message not related to T-Systems' official business
is deemed to be that of the individual only and is not endorsed by T-Systems.

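The four-step workaround in the advisory quoted above, written up as a script so it can be repeated for every System VM and Virtual Router and so the result is actually verified. This is an added example, not code from the original post or from the Apache CloudStack project. It assumes an inventory of (hypervisor host, link-local IP, VM type) collected from the UI as steps 1, 2 and 4 describe, root ssh access from the operator's machine to each host, the CloudStack key at /root/.ssh/id_rsa.cloud on the hosts (the path the advisory's example uses), and Debian wheezy System VMs, where DSA-2896 fixes CVE-2014-0160 in libssl1.0.0 1.0.1e-2+deb7u5; on another Debian release adjust FIXED_OPENSSL_VERSION and the package name. The host names, addresses and VM types in the inventory are constructed. Without arguments the script only prints what it would run on each VM; `run` executes it.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory or the CloudStack project): automate the
# per-System-VM Heartbleed workaround and verify the result.
#
# Assumptions: the operator can ssh as root to each hypervisor host; hosts hold
# the System VM key at /root/.ssh/id_rsa.cloud (the path the advisory uses);
# System VMs run Debian wheezy, where DSA-2896 fixes CVE-2014-0160 in
# libssl1.0.0 1.0.1e-2+deb7u5. Host names and addresses below are constructed.
set -eu

SYSTEM_VM_KEY="/root/.ssh/id_rsa.cloud"
SYSTEM_VM_PORT=3922
FIXED_OPENSSL_VERSION="1.0.1e-2+deb7u5"   # adjust for a non-wheezy template

# Constructed inventory: hypervisor host, link-local IP, VM type, as read off
# Infrastructure->System VMs and Infrastructure->Virtual Routers in the UI.
INVENTORY='
# host          link-local-ip   vm-type
kvm-host-01     169.254.3.33    secondarystoragevm
kvm-host-01     169.254.1.17    consoleproxy
kvm-host-02     169.254.2.120   domainrouter
'

# Emit the script that runs inside one System VM (steps c-e of the advisory,
# plus a check that the library the services actually load is the fixed one).
build_remote_script() {
    local vm_type="$1"
    printf '%s\n' \
        'set -e' \
        'export DEBIAN_FRONTEND=noninteractive' \
        'apt-get update -qq' \
        'apt-get install -y openssl libssl1.0.0'
    # Only the Secondary Storage VM runs apache2, which must reload libssl.
    if [ "$vm_type" = "secondarystoragevm" ]; then
        printf '%s\n' '/etc/init.d/apache2 restart'
    fi
    printf '%s\n' \
        "installed=\$(dpkg-query -W -f='\${Version}' libssl1.0.0)" \
        "if dpkg --compare-versions \"\$installed\" ge \"$FIXED_OPENSSL_VERSION\"; then" \
        '    echo "OK libssl1.0.0 $installed"' \
        'else' \
        '    echo "STILL VULNERABLE libssl1.0.0 $installed"; exit 2' \
        'fi'
}

# Steps a, b and f: hop through the host, since the link-local address is only
# reachable from there, and feed the remote script to a shell on the VM.
# Host key checking is relaxed because a recreated System VM gets a new key.
patch_system_vm() {
    local host="$1" ip="$2" vm_type="$3"
    echo "== $vm_type $ip via $host"
    build_remote_script "$vm_type" | ssh -o BatchMode=yes "root@$host" \
        "ssh -o StrictHostKeyChecking=no -i $SYSTEM_VM_KEY -p $SYSTEM_VM_PORT root@$ip sh -s"
}

# Walk the inventory. Default is a dry run that prints each VM's script;
# pass 'run' to execute it.
main() {
    local mode="${1:-dry-run}"
    printf '%s\n' "$INVENTORY" | while read -r host ip vm_type; do
        [ -n "$host" ] || continue
        case "$host" in '#'*) continue ;; esac
        if [ "$mode" = "run" ]; then
            patch_system_vm "$host" "$ip" "$vm_type"
        else
            echo "### $host $ip $vm_type"
            build_remote_script "$vm_type"
        fi
    done
}

main "$@"
```

The version check at the end of the remote script is the verification the advisory's steps do not include: `apt-get install openssl` only helps if the archive the VM points at already carries the fixed package, and the shared library libssl1.0.0, not the openssl command-line package, is what the VM's services load, so that is the package to compare. A process that still has the old library mapped stays vulnerable until it is restarted, which is why the restart prompt must be accepted and the SSVM's apache2 restarted explicitly. Because the stop-gap is lost whenever CloudStack recreates a System VM, keep the inventory step repeatable until the updated templates ship.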
