Here is the CloudStack press release,
How to Mitigate OpenSSL HeartBleed Vulnerability in Apache CloudStack
Wed Apr 09 2014 07:52:17 GMT+0200 (SAST)
Earlier this week, a security vulnerability was disclosed in OpenSSL, one of
the software libraries that Apache CloudStack uses to encrypt data sent over
network connections. As the vulnerability has existed in OpenSSL since
early 2012, System VMs in Apache CloudStack versions 4.0.0-incubating through 4.3 are
running software using vulnerable versions of OpenSSL. This includes
CloudStack's Virtual Router VMs, Console Proxy VMs, and Secondary Storage VMs.
We are actively working on creating updated System VM templates for each recent
version of Apache CloudStack, and for each of the hypervisor platforms which
Apache CloudStack supports. Due to our testing and QA processes, this will take
several days. In the meantime, we want to provide our users with a temporary
workaround for currently running System VMs.
If you are running Apache CloudStack 4.0.0-incubating through the recent 4.3
release, the following steps will help ensure the security of your cloud
infrastructure until an updated version of the System VM template is available:
1. As an administrator in the CloudStack web UI, navigate to
Infrastructure->System VMs
2. For each System VM listed, note the host it is running on, and its "Link
Local IP address."
3. With that data, perform the following steps for each System VM:
a. ssh into that host as root
b. From the host, ssh into the SSVM via its link local IP address (e.g.
ssh -i /root/.ssh/id_rsa.cloud -p 3922 169.254.3.33)
c. On the System VM, first run "apt-get update"
d. Then run "apt-get install openssl". If a dialog appears asking to restart
programs, accept its request.
e. Next, for Secondary Storage VMs, run /etc/init.d/apache2 restart
f. Log out of the System VM and host server
4. Back in the CloudStack UI, now navigate to Infrastructure->Virtual
Routers. For each VR, note the host it is running on and its link local IP
address, and then repeat steps a-f above.
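The per-System-VM steps above, wrapped into one script as an added example (not part of the original post or of the CloudStack project). It assumes the key path and port quoted in the post (/root/.ssh/id_rsa.cloud, port 3922), root ssh access to each hypervisor host, and an inventory you fill in from the UI; the hostnames and link-local IPs below are constructed placeholders. It also adds a check the post does not include: after the upgrade it lists any process still mapping the old, deleted libssl, which is a process that was not restarted and is still running the vulnerable code.

```shell
#!/bin/sh
# Added example: scripts the manual workaround from the post. Not the
# project's own tooling. Key path and port are the ones quoted in the post;
# hosts and IPs are constructed placeholders (assumption: root ssh to hosts).
KEY=/root/.ssh/id_rsa.cloud
PORT=3922

# One System VM per line: "<host> <link-local-ip> <type>", type = ssvm|cpvm|vr
INVENTORY='host1.example.internal 169.254.3.33 ssvm
host1.example.internal 169.254.1.12 cpvm
host2.example.internal 169.254.2.5 vr'

# Print the shell to run inside a System VM of the given type.
# Noninteractive apt takes the default answer to the "restart services"
# dialog the post mentions; SSVMs additionally get apache2 restarted.
# The final loop reports any pid still mapping a deleted (pre-upgrade) libssl.
remote_cmd() {
    cat <<'EOF'
export DEBIAN_FRONTEND=noninteractive
apt-get update && apt-get install -y openssl
EOF
    if [ "$1" = ssvm ]; then
        echo '/etc/init.d/apache2 restart'
    fi
    cat <<'EOF'
for m in /proc/[0-9]*/maps; do
    if grep -q "libssl.*(deleted)" "$m" 2>/dev/null; then
        p=${m#/proc/}; echo "STALE libssl still mapped by pid ${p%/maps}"
    fi
done
EOF
}

# Hop through the hypervisor host to the System VM's link-local address.
# The command text travels on stdin, so no nested quoting is needed.
patch_vm() {
    host=$1; ip=$2; type=$3
    echo "== $type $ip via $host"
    remote_cmd "$type" | ssh "root@$host" "ssh -i $KEY -p $PORT $ip sh -s"
}

main() {
    echo "$INVENTORY" | while read -r host ip type; do
        if [ -n "$host" ]; then patch_vm "$host" "$ip" "$type"; fi
    done
}

# Only touch systems when explicitly asked: ./patch-sysvms.sh --apply
if [ "${1-}" = "--apply" ]; then main; fi
```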
We realize that for larger installations where System VMs are being actively
created and destroyed based on customer demand, this is a very rough stop-gap.
The Apache CloudStack security team is actively working on a more permanent fix
and will be releasing that to the community as soon as possible.
For Apache CloudStack installations that secure the web-based user-interface
with SSL, these may also be vulnerable to HeartBleed, but that is outside the
scope of this blog post. We recommend testing your installation with [1] to
determine if you need to patch/upgrade the SSL library used by any web servers
(or other SSL-based services) you use.
1: http://filippo.io/Heartbleed/
On 04/09/2014 12:03 PM, Len Bellemore wrote:
Hi Guys,
Does anyone know which version of ACS are affected by the Heartbleed OpenSSL
flaw?
- http://heartbleed.com/
Thanks
Len