Security Vulnerability CVE-2014-0160 (Heartbleed)

Summary

A security vulnerability in the OpenSSL library was publicly reported today. It is non-trivial and most probably affects the SSL traffic of your servers.

Your Cloud 66 servers will get the patch automatically, but you will need to restart your nginx when you are comfortable with a slight disruption to your web service traffic. Please read below for more information and details.

Background

Today a security vulnerability was reported publicly by the OpenSSL team.

It was also publicised on Hacker News via a website called Heartbleed.

What's the issue?

A security vulnerability has been found in the OpenSSL library that allows an attacker to read a 64k block of the server's memory over the internet. Repeated attacks can potentially reveal further 64k blocks of memory to the attacker.

Who's affected?

Anyone with a publicly available server that is serving SSL traffic. This includes HTTPS and SSH services that are not behind a firewall and are open to the public internet.

How serious is it?

This issue is non-trivial. The Ubuntu Security Team has assigned it a High priority and Red Hat has assigned it an Important severity. However, the information on the Heartbleed website might be confusing and lead the reader to believe the severity of the issue is at the highest possible level.

How can I tell if I'm affected?

If you are running OpenSSL 1.0.1, you are affected. Only OpenSSL 1.0.1g has the fix. Other OpenSSL versions are not affected. You can check the version of your OpenSSL by running the following command:

openssl version -a

On an Ubuntu 12.04 server, if you see version 1.0.1 with a build date other than Apr 7 2014, you are affected.

Here is a sample of a patched server:

OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014

How can I fix my server?

You can update your OpenSSL version to 1.0.1g. The Ubuntu Security Team has released a new version of the package with the patch. Under normal circumstances, the following should upgrade the package:

sudo apt-get update; sudo apt-get upgrade

However, most cloud vendors use their own repository mirrors, which might not be updated yet. You can force the package manager to use the Ubuntu repository by removing the vendor's mirror address from the /etc/apt/sources.list file and running the following:

sudo apt-get clean; sudo apt-get update; sudo apt-get upgrade

Please remember to back up /etc/apt/sources.list first and restore it afterwards.

Please contact your cloud vendor and ask them about the updated version on their mirror repositories.

What about Nginx?

Once you have the correct OpenSSL library, you need to restart your nginx with the following command:

sudo /etc/init.d/nginx restart

Please note that the command above will disrupt your web server for a short period of time.

What about other SSL using services?

The other important SSL service on your server is sshd. This is not as critical as Nginx on your Cloud 66 servers, as all Cloud 66 servers are protected by a firewall against public access to port 22. However, it is highly recommended to restart your sshd as well with the following command:

sudo /etc/init.d/ssh restart

(On Ubuntu the OpenSSH init script is named ssh, not sshd.)
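Putting the version check and the fix procedure above together, here is an added example script. It is not Cloud 66's own tooling and is not part of the original advisory. It classifies `openssl version -a` output using the advisory's rule, generalised slightly: a 1.0.1 build dated on or after Apr 7 2014 is treated as patched rather than only a build dated exactly Apr 7, on the assumption that later Ubuntu rebuilds carry the fix. It also wraps the apt steps: it backs up /etc/apt/sources.list, rewrites lines pointing at the vendor mirror hostname you pass in (a placeholder you supply; where the advisory says to remove the mirror address, this rewrites it to archive.ubuntu.com), upgrades, restores the file, verifies the installed OpenSSL and only then restarts nginx and ssh. The `--demo` mode runs the check on a constructed sample modelled on the advisory's patched-server output. It assumes Ubuntu 12.04 with /etc/init.d scripts, and `--apply` must be run with sudo.

```shell
#!/bin/sh
# Added example, not Cloud 66 tooling: check for Heartbleed exposure using the
# advisory's version/build-date rule, and wrap the upgrade + restart steps.
# Assumptions: Ubuntu 12.04, apt, nginx and openssh-server with /etc/init.d
# scripts; the vendor mirror hostname is supplied by the caller.

# Constructed sample of `openssl version -a` output, modelled on the advisory's
# example of a patched Ubuntu 12.04 server (used by --demo only).
SAMPLE_OUTPUT="OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr  7 20:33:29 UTC 2014
platform: debian-amd64"

# Turn a build date like "Mon Apr  7 20:33:29 UTC 2014" into YYYYMMDD so dates
# compare numerically without relying on GNU `date -d`.
build_date_key() {
    set -- $1                     # split on whitespace: Mon Apr 7 20:33:29 UTC 2014
    [ $# -ge 6 ] || return 1
    case "$2" in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;; May) m=05 ;; Jun) m=06 ;;
        Jul) m=07 ;; Aug) m=08 ;; Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    printf '%s%s%02d\n' "$6" "$m" "$3"
}

# Print affected, patched or not-affected for the given `openssl version -a` text.
heartbleed_status() {
    version=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9.]*[a-z]*\).*/\1/p' | head -n 1)
    built=$(printf '%s\n' "$1" | sed -n 's/^built on: //p' | head -n 1)
    case "$version" in
        1.0.1g) echo patched ;;           # upstream fixed release
        1.0.1|1.0.1[a-f])
            # Ubuntu kept the 1.0.1 version string and backported the fix in a
            # rebuild dated Apr 7 2014; treat that date or later as patched.
            key=$(build_date_key "$built" || echo 0)
            if [ "$key" -ge 20140407 ]; then echo patched; else echo affected; fi ;;
        *) echo not-affected ;;           # 1.0.0, 0.9.8 and similar
    esac
}

# Rewrite sources.list lines that point at the vendor's mirror ($1) to the
# Ubuntu archive so apt fetches the patched package directly. stdin -> stdout.
strip_vendor_mirror() {
    sed "s#$1#archive.ubuntu.com#g"
}

# Full procedure from the advisory; requires root (run with sudo).
apply_fix() {
    mirror=$1
    backup=/etc/apt/sources.list.heartbleed-backup
    cp /etc/apt/sources.list "$backup"
    strip_vendor_mirror "$mirror" < "$backup" > /etc/apt/sources.list
    apt-get clean && apt-get update && apt-get upgrade -y
    rc=$?
    cp "$backup" /etc/apt/sources.list        # always restore the original
    [ "$rc" -eq 0 ] || return "$rc"
    if [ "$(heartbleed_status "$(openssl version -a)")" = affected ]; then
        echo "OpenSSL is still affected; check the mirror and retry" >&2
        return 1
    fi
    /etc/init.d/nginx restart
    /etc/init.d/ssh restart                   # Ubuntu's OpenSSH init script is "ssh"
}

case "${1:-}" in
    --demo)  heartbleed_status "$SAMPLE_OUTPUT" ;;
    --check) heartbleed_status "$(openssl version -a)" ;;
    --apply) apply_fix "${2:?usage: $0 --apply VENDOR_MIRROR_HOSTNAME}" ;;
esac
```

Run `sh heartbleed-check.sh --check` on the server to see affected, patched or not-affected, and `sudo sh heartbleed-check.sh --apply <vendor-mirror-hostname>` to perform the upgrade; the script refuses to restart services if the installed OpenSSL still classifies as affected, so a stale mirror is caught before the restart disrupts traffic.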

What about my Cloud 66 servers?

All your Cloud 66 servers run automatic updates and will get the updated version.

Also, your Cloud 66 servers run a version of Nginx that is dynamically linked to the OpenSSL library and will therefore benefit from the upgrade without needing to rebuild nginx.

Once you have the updated version of OpenSSL, you can restart your nginx and sshd as explained above.

If you would like to upgrade your OpenSSL at a time of your choosing, you can follow the instructions above.

Note: We strongly recommend reissuing and regenerating your SSL certificates after you have the patched version of OpenSSL in place and are happy with the updates. Please contact your SSL certificate provider to ensure a smooth transition from your old SSL certificate to the new one.

Help and Support

You can contact us at support@cloud66.com if you have any questions regarding this issue or the fix on your servers.

Khash Sajadi

Khash is the founder and CEO of Cloud 66, a full stack container management as a service. Follow him on @khash
