Engine Yard Developer Center

April 7, 2014 - OpenSSL security vulnerability

Recently CVE-2014-0160 was discovered; it is a vulnerability that affects the 1.0.1 and 1.0.2 branches of OpenSSL:

https://www.openssl.org/news/secadv_20140407.txt

Our stacks use the stable versions 0.9.8y and 1.0.0j, which are not affected by this issue.

We do offer Amazon Elastic Load Balancer (ELB) support. ELB runs 1.0.1 and is reported to be affected (https://forums.aws.amazon.com/thread.jspa?threadID=149690); we are waiting for an update from Amazon.

The Heartbleed website describes this vulnerability as able to expose private keys. This means that if you are using an SSL certificate on an ELB, you will need to contact your SSL provider to revoke and reissue the certificate, and you may need to reprovision the ELB. We are still waiting for information on whether you can upload replacement certificates or whether you will need to delete the ELB, create a new one, and update the CNAME and other DNS records.

What to do:
If you are on our EY on Terremark offering or on EY on AWS and do not use ELB, there is nothing you need to do.
If you are using ELB, you should prepare to revoke and reissue your SSL certificate and possibly update your DNS.
If you are on our New UI (Ubuntu stack), you should prepare to revoke and reissue the SSL certificates used on those environments and run "sudo apt-get install openssl" on each of your instances.
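Two checks for an Ubuntu instance after the apt-get step above, written here as an added example rather than Engine Yard tooling: classify the OpenSSL version string against the ranges in the OpenSSL advisory, and find running services that still have the pre-upgrade libssl mapped and therefore need a restart. The version check assumes upstream numbering; Ubuntu backports the fix without changing that string, so the libssl1.0.0 package version from the Ubuntu security notice in the resources list is the authoritative check there.

```shell
#!/bin/sh
# Added example, not Engine Yard tooling: two defender-side checks for an Ubuntu
# instance after "sudo apt-get install openssl". Inputs are passed as text.

# Classify an `openssl version` string against the advisory's ranges:
# 0.9.8 and 1.0.0 branches are not affected; 1.0.1 through 1.0.1f and the
# 1.0.2 betas are; 1.0.1g and later releases are fixed.
# Caveat: distribution packages may backport the fix without changing this
# string, so on Ubuntu also compare the libssl1.0.0 package version with the USN.
classify_openssl_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
    case "$v" in
        0.9.8*|1.0.0*)                         echo not-affected ;;
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo affected ;;
        1.0.1*)                                echo fixed ;;
        1.0.2-beta*)                           echo affected ;;
        1.0.2*)                                echo fixed ;;
        *)                                     echo unknown ;;
    esac
}

# Upgrading the package does not touch processes that are already running:
# nginx, unicorn, haproxy and the like keep the old libssl mapped until they
# are restarted, and /proc/PID/maps marks such a mapping "(deleted)".
# Takes the text of a maps file; exits 0 when a stale libssl/libcrypto is mapped.
maps_has_stale_libssl() {
    printf '%s\n' "$1" | grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)'
}

# Walk the live host and print the PIDs that still need a restart.
stale_libssl_pids() {
    for m in /proc/[0-9]*/maps; do
        if maps_has_stale_libssl "$(cat "$m" 2>/dev/null)"; then
            p=${m#/proc/}; echo "${p%/maps}"
        fi
    done
}

# Constructed /proc/PID/maps excerpt for a process started before the upgrade.
SAMPLE_STALE_MAPS='7f3a1c000000-7f3a1c05c000 r-xp 00000000 08:01 131153 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f3a1c25b000-7f3a1c25f000 rw-p 00000000 00:00 0'

if [ "${1:-}" = "--live" ]; then
    echo "openssl: $(classify_openssl_version "$(openssl version)")"
    echo "processes still mapping the old libssl:"; stale_libssl_pids
else
    classify_openssl_version 'OpenSSL 1.0.1e 11 Feb 2013'        # affected
    maps_has_stale_libssl "$SAMPLE_STALE_MAPS" && echo "sample: restart needed"
fi
```

Run with `--live` on the instance to check the real `openssl version` output and the running processes; without arguments it exercises the constructed sample only.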

Resources:
https://www.openssl.org/news/secadv_20140407.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://heartbleed.com
https://support.cloud.engineyard.com/entries/21009842-Engine-Yard-Gentoo-2009-Technology-Stack
https://support.cloud.engineyard.com/entries/23022773-Engine-Yard-Gentoo-12-11-Technology-Stack
https://support.cloud.engineyard.com/entries/39367473-Engine-Yard-Ubuntu-12-04-Technology-Stack
https://lists.ubuntu.com/archives/ubuntu-security-announce/2014-April/002460.html

Update April 8th, 2014

Many questions have come in about the OpenSSL vulnerability. The Engine Yard stacks on Gentoo are not currently running a version of OpenSSL greater than 1.0.0, which puts them outside the scope of this vulnerability. The current issue facing our customers presents itself with the use of AWS ELBs and our Ubuntu offerings, which do run a version of OpenSSL that is vulnerable to CVE-2014-0160.

Today, AWS announced that they have updated their ELB offerings to address the vulnerability: https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/ Contrary to the statement in the link, all ELBs in use by Engine Yard, and in the Engine Yard pool of resources, have been updated in all regions, including US East.

At this time, if you have been using an ELB in your environment, it is recommended that you rotate your SSL certificates. If you are running on our Ubuntu stack, Engine Yard Support can verify that your environment is secure.

You can verify whether your application is vulnerable by using a validation tool. An example of one of these tools is http://filippo.io/Heartbleed/.

If you have any additional questions, concerns, or need any assistance from Engine Yard Support, please open a support ticket and we will be happy to assist.


Comments

  • Gavin Todes

    Any word yet on whether we can just upload replacement certificates to our ELBs or if we should add new ELBs with the new certificates?

  • Dean Tribble

    One clarification: it is possible to "rotate your SSL certificates" without changing your private key. The important thing here is to change your private key, since it may have been disclosed prior to the patch. Thus, rotate to a new certificate made with a *new* key.
