On Thu, 2014-04-10 at 00:23 -0700, Nathan Kinder wrote:
> OpenSSL Heartbleed vulnerability can lead to OpenStack compromise
> ---
>
> ### Summary ###
> A vulnerability in OpenSSL can lead to leaking of confidential data
> protected by SSL/TLS in an OpenStack deployment.
>
> ### Affected Services / Software ###
> Grizzly, Havana, OpenSSL
>
> ### Discussion ###
> A vulnerability in OpenSSL code-named Heartbleed was recently discovered
> that allows remote attackers limited access to data in the memory of any
> service using OpenSSL to provide encryption for network communications.
> This can include key material used for SSL/TLS, which means that any
> confidential data that has been sent over SSL/TLS may be compromised.
> For full details, see the following website that describes this
> vulnerability in detail:
>
> http://heartbleed.com/
>
> While OpenStack software itself is not directly affected, any deployment
> of OpenStack is very likely using OpenSSL to provide SSL/TLS
> functionality.
>
> ### Recommended Actions ###
> It is recommended that you immediately update OpenSSL software on the
> systems you use to run OpenStack services.

Not sure if you want to mention it in this OSSN or consider doing it too,
but clients are vulnerable to attack too.

> In most cases, you will want
> to upgrade to OpenSSL version 1.0.1g, though it is recommended that you
> review the exact affected version details on the Heartbleed website
> referenced above.
>
> After upgrading your OpenSSL software, you will need to restart any
> services that use the OpenSSL libraries. You can get a list of all
> processes that have the old version of OpenSSL loaded by running the
> following command:
>
> lsof | grep ssl | grep DEL
>
> Any processes shown by the above command will need to be restarted, or
> you can choose to restart your entire system if desired. In an
> OpenStack deployment, OpenSSL is commonly used to enable SSL/TLS
> protection for OpenStack API endpoints, SSL terminators, databases,
> message brokers, and Libvirt remote access. In addition to the native
> OpenStack services, some commonly used software that may need to be
> restarted includes:
>
> Apache HTTPD
> Libvirt
> MySQL
> Nginx
> PostgreSQL
> Pound
> Qpid
> RabbitMQ
> Stud
>
> It is also recommended that you treat your existing SSL/TLS keys as
> compromised and generate new keys. This includes keys used to enable
> SSL/TLS protection for OpenStack API endpoints, databases, message
> brokers, and libvirt remote access.

Might be worth mentioning certificate revocation too.

> In addition, any confidential data such as credentials that have been
> sent over a SSL/TLS connection may have been compromised. It is
> recommended that cloud administrators change any passwords, tokens, or
> other credentials that may have been communicated over SSL/TLS.
>
> ### Contacts / References ###
> This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0012
> OpenStack Security ML : openstack-secur...@lists.openstack.org
> OpenStack Security Group : https://launchpad.net/~openstack-ossg
> Heartbleed Website: http://heartbleed.com/
> CVE: CVE-2014-0160

Very nicely done Nathan.

Not really relevant to the OSSN, but perhaps people will find it
interesting, I posted some thoughts on the wider fallout of heartbleed
this morning:

http://blogs.gnome.org/markmc/2014/04/10/heartbleed/

Thanks,
Mark.

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
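The "find processes still holding the old OpenSSL" step from the OSSN, as an added example that is not part of the OSSN or of this thread: instead of grepping lsof output, it reads each process's /proc/<pid>/maps on Linux and flags mappings of libssl/libcrypto that the upgrade replaced (the kernel marks the unlinked file "(deleted)"). The function names and the sample maps lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the OSSN): detect services that still have a
# pre-upgrade OpenSSL library mapped and therefore need a restart.

# maps_has_stale_openssl TEXT
# Returns 0 (true) if TEXT, the contents of a /proc/<pid>/maps file,
# references a libssl or libcrypto object that has been deleted on disk,
# i.e. the library file was replaced by the package upgrade while the
# process kept the old copy mapped.
maps_has_stale_openssl() {
    printf '%s\n' "$1" |
        grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' >/dev/null
}

# list_stale_openssl_pids
# Walks /proc on the running host and prints "<pid> <cmdline>" for every
# process whose maps show a deleted OpenSSL library. Run as root to see
# all processes; unreadable maps files are skipped silently.
list_stale_openssl_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        [ -r "$maps" ] || continue
        if maps_has_stale_openssl "$(cat "$maps" 2>/dev/null)"; then
            printf '%s %s\n' "$pid" \
                "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Constructed sample maps lines: one process still mapping the replaced
# 1.0.1e library (stale), one already running the upgraded 1.0.1g copy.
SAMPLE_STALE='7f1c2a000000-7f1c2a1e0000 r-xp 00000000 08:01 131337 /usr/lib64/libcrypto.so.1.0.1e (deleted)'
SAMPLE_FRESH='7f1c2a000000-7f1c2a1e0000 r-xp 00000000 08:01 131338 /usr/lib64/libcrypto.so.1.0.1g'

# Usage on a real host after the OpenSSL upgrade:
#   list_stale_openssl_pids
# Every PID printed is a candidate for restart (or reboot the host).
```

A process that shows up here has already loaded the vulnerable code and keeps it until restarted, which is why an upgrade alone is not sufficient; the same walk also catches services such as the Apache, libvirt, MySQL, RabbitMQ and other daemons the OSSN lists.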