[openstack-dev] [OSSG][OSSN] OpenSSL Heartbleed vulnerability can lead to OpenStack compromise

2014-04-10 Thread Nathan Kinder

OpenSSL Heartbleed vulnerability can lead to OpenStack compromise
---

### Summary ###
A vulnerability in OpenSSL can lead to leaking of confidential data
protected by SSL/TLS in an OpenStack deployment.

### Affected Services / Software ###
Grizzly, Havana, OpenSSL

### Discussion ###
A vulnerability in OpenSSL code-named Heartbleed was recently discovered
that allows remote attackers limited access to data in the memory of any
service using OpenSSL to provide encryption for network communications.
This can include key material used for SSL/TLS, which means that any
confidential data that has been sent over SSL/TLS may be compromised.
For full details, see the following website that describes this
vulnerability in detail:

http://heartbleed.com/

While OpenStack software itself is not directly affected, any deployment
of OpenStack is very likely using OpenSSL to provide SSL/TLS
functionality.

### Recommended Actions ###
It is recommended that you immediately update OpenSSL software on the
systems you use to run OpenStack services.  In most cases, you will want
to upgrade to OpenSSL version 1.0.1g, though it is recommended that you
review the exact affected version details on the Heartbleed website
referenced above.

After upgrading your OpenSSL software, you will need to restart any
services that use the OpenSSL libraries.  You can get a list of all
processes that have the old version of OpenSSL loaded by running the
following command:

lsof | grep ssl | grep DEL

Any processes shown by the above command will need to be restarted, or
you can choose to restart your entire system if desired.  In an
OpenStack deployment, OpenSSL is commonly used to enable SSL/TLS
protection for OpenStack API endpoints, SSL terminators, databases,
message brokers, and Libvirt remote access.  In addition to the native
OpenStack services, some commonly used software that may need to be
restarted includes:

  Apache HTTPD
  Libvirt
  MySQL
  Nginx
  PostgreSQL
  Pound
  Qpid
  RabbitMQ
  Stud

It is also recommended that you treat your existing SSL/TLS keys as
compromised and generate new keys.  This includes keys used to enable
SSL/TLS protection for OpenStack API endpoints, databases, message
brokers, and libvirt remote access.

In addition, any confidential data such as credentials that have been
sent over an SSL/TLS connection may have been compromised.  It is
recommended that cloud administrators change any passwords, tokens, or
other credentials that may have been communicated over SSL/TLS.
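As an added example that is not part of the OSSN, the following script performs the same stale-library check as the lsof command above by reading /proc/<pid>/maps directly (the kernel marks a mapped file that has been replaced on disk with "(deleted)"), and prints each affected PID with its command name so it can be matched against the restart list. The sample maps lines embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the OSSN: find processes that still have an
# OpenSSL library mapped whose file on disk has since been replaced, i.e. the
# condition the advisory's "lsof | grep ssl | grep DEL" check looks for.
# It reads /proc/<pid>/maps, where the kernel appends "(deleted)" to the path
# of a mapped file that was unlinked or replaced by the package upgrade.

# stale_ssl_pids: stdin carries lines of the form "PID <maps line>"; prints
# each PID once that maps a deleted libssl/libcrypto shared object.
stale_ssl_pids() {
    awk '
        # fields after the PID: address perms offset dev inode path [(deleted)]
        match($7, "/lib(ssl|crypto)[^/]*[.]so") && $8 == "(deleted)" { seen[$1] = 1 }
        END { for (p in seen) print p }
    ' | sort -n
}

# scan_live_system: walk /proc on a real host and print "PID command" for
# every process that must be restarted (needs root to read other users' maps).
scan_live_system() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        awk -v p="$pid" '{ print p " " $0 }' "$m" 2>/dev/null
    done | stale_ssl_pids | while read -r pid; do
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done
}

# Constructed sample (not real host output): PIDs 1234 and 3456 still map the
# old library, PID 2345 was already restarted and maps the upgraded file.
SAMPLE_MAPS='1234 7f0a00000000-7f0a00200000 r-xp 00000000 fd:01 1 /usr/lib64/libssl.so.1.0.0 (deleted)
1234 7f0a00200000-7f0a00400000 r-xp 00000000 fd:01 2 /usr/lib64/libcrypto.so.1.0.0 (deleted)
2345 7f0b00000000-7f0b00200000 r-xp 00000000 fd:01 3 /usr/lib64/libssl.so.1.0.0
2345 7f0b00200000-7f0b00300000 rw-p 00000000 00:00 0 [heap]
3456 7f0c00000000-7f0c00100000 r-xp 00000000 fd:01 4 /usr/lib64/libcrypto.so.1.0.0 (deleted)
3456 7f0c00100000-7f0c00200000 rw-p 00000000 00:00 0 [heap]'

# demo: run the detector over the constructed sample; prints 1234 and 3456.
demo() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_pids
}

case "${1:-}" in
    --live) scan_live_system ;;
    *)      demo ;;
esac
```

Run with `--live` on a host after the OpenSSL upgrade; any PID it lists is still using the old library and needs a restart.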

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0012
OpenStack Security ML : openstack-secur...@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
Heartbleed Website: http://heartbleed.com/
CVE: CVE-2014-0160

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [OSSG][OSSN] OpenSSL Heartbleed vulnerability can lead to OpenStack compromise

2014-04-10 Thread Mark McLoughlin
On Thu, 2014-04-10 at 00:23 -0700, Nathan Kinder wrote:
> ### Recommended Actions ###
> It is recommended that you immediately update OpenSSL software on the
> systems you use to run OpenStack services.

Not sure if you want to mention it in this OSSN or consider doing it
too, but clients are vulnerable to attack too.

> It is also recommended that you treat your existing SSL/TLS keys as
> compromised and generate new keys.  This includes keys used to enable
> SSL/TLS protection for OpenStack API endpoints, databases, message
> brokers, and libvirt remote access.

Might be worth mentioning certificate revocation too.


Very nicely done Nathan.

Not really relevant to the OSSN, but perhaps people will find it
interesting. I posted some thoughts on the wider fallout of Heartbleed
this morning:

  http://blogs.gnome.org/markmc/2014/04/10/heartbleed/

Thanks,
Mark.

