Our response to the OpenSSL 'heartbleed' vulnerability


#1

Here’s how we’re responding to the OpenSSL vulnerability announced at http://heartbleed.com/

This is a very serious security vulnerability in software that is deployed on almost every up-to-date Linux server, including those at Bytemark. It allows a knowledgeable attacker to steal SSL keys, or other sensitive data from your server, and should not go unpatched. Unfortunately it is not clear at the moment that there is any way to know whether this has already happened, since the vulnerability has been around for 2 years.

Most of Bytemark’s servers are configured to automatically install new security updates, and to restart affected services. This will cause a brief outage over most of your internet-facing services, for a few seconds, and as with any restart, a risk that the restart won’t work. We’re here if this happens to you.

Users of Symbiosis and most managed customers will be upgraded automatically over the next 24 hours.

Some managed customers have requested manual security updates, and will be upgraded manually.

Everyone else is advised to read the security advisory and take action - our support team will be on hand to help diagnose and reassure you if you phone or email us.

You may want to contact your SSL certificate vendor and request a new certificate to completely cover yourself. If you need a new certificate Bytemark can supply and install them for £69, but many vendors may reissue yours for free. We are waiting for reaction from certificate vendors before advising here.

Thanks for your patience - we are expecting a little higher load on support over the next couple of days but will get back to you as quickly as possible on this important internet-wide problem.


#2

There was a slight typo in one of the links to the advisory above - you can find it here: http://heartbleed.com


#3

Thank you for the advisory.

I assume generating fresh keys with a vulnerable version of OpenSSL is not helpful?

So the action recommended for Symbiosis users is to do so using an older version or wait until after Symbiosis is updated to OpenSSL version 1.0.1g. At this time my wheezy service is on OpenSSL 1.0.1e 11 Feb 2013 which is not secure.

My older Bytemark shared volumes are using OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 which appears to be OK according to the info I’ve seen so far and so no further action is needed.

C


#4

Symbiosis uses the ordinary Debian security updates, and so you can just run apt-get update followed by apt-get upgrade to upgrade everything. That should restart (at least) the following services:

  • Apache
  • Dovecot
  • Exim4

as well as others. Please make sure those services have been restarted. Additionally you may want to regenerate any SSL keys on your server, and request corresponding new SSL certificates where necessary.

Best wishes,

Patrick


#5

As of this morning - apt-get update/upgrade take openssl to OpenSSL 1.0.1e 11 Feb 2013, not to ‘g’.

Presumably this means either waiting for an official update for wheezy or recompiling locally https://www.openssl.org/news/secadv_20140407.txt


#6

It should be a patched version of 1.0.1e, if the installed package is 1.0.1e-2+deb7u5 then it’s not vulnerable.

http://www.debian.org/security/2014/dsa-2896

You need to make sure you have the security repo in your apt sources.

deb http://security.debian.org/ wheezy/updates main contrib non-free

#7

The update gave me 1.0.1e-2+deb7u6

apt-cache policy openssl
openssl:
  Installed: 1.0.1e-2+deb7u6
  Candidate: 1.0.1e-2+deb7u6
  Version table:
 *** 1.0.1e-2+deb7u6 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1e-2+deb7u4 0
        500 http://mirror.bytemark.co.uk/debian/ wheezy/main amd64 Packages


#8

Then it should be fine, I mean to say u5 and up.

If I recall correctly u6 tries to advise you on which services you need to restart for the patch to take effect. I have found it doesn’t catch all services and tends to miss Apache.
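The thread covers three checks an admin would want to script after the upgrade: reading the installed package version (#7), deciding whether it is at or above the fixed revision 1.0.1e-2+deb7u5 from DSA-2896 (#6 and #8), and confirming that long-running services such as Apache really were restarted and are no longer holding the old library (#4 and #8). The script below is an added example and is not code from this thread, from Debian or from Symbiosis. It assumes the fixed revision threshold stated in #6, a Linux /proc layout where a process that still maps a replaced shared object shows that object as "(deleted)" in /proc/PID/maps, and a constructed apt-cache policy sample in place of the live command.

```shell
#!/bin/sh
# Added example (not from the Bytemark thread). Assumptions: a wheezy openssl
# package at 1.0.1e-2+deb7u5 or later carries the Heartbleed fix (DSA-2896, as
# post #6 states); stale library mappings are visible in /proc/PID/maps.

# Classify a wheezy openssl package version string.
# Prints "fixed", "vulnerable", or "unknown" for versions outside 1.0.1e-2+deb7uN.
heartbleed_pkg_status() {
    ver="$1"
    case "$ver" in
        1.0.1e-2+deb7u*)
            n="${ver##*+deb7u}"
            if [ "$n" -ge 5 ] 2>/dev/null; then
                echo fixed
            else
                echo vulnerable
            fi
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Read the "Installed:" version out of `apt-cache policy openssl` output on stdin.
installed_version() {
    awk '/^[[:space:]]*Installed:/ { print $2; exit }'
}

# Return 0 if the given /proc/PID/maps file still references a libssl or
# libcrypto object that has been deleted from disk, i.e. the process loaded
# the library before the upgrade replaced it and has not been restarted.
maps_has_stale_ssl() {
    grep -Eq 'lib(ssl|crypto)\.so.*\(deleted\)' "$1" 2>/dev/null
}

# Walk every process and print "PID command line" for those still holding
# a replaced copy; this is the check that catches what the u6 restart hint misses.
stale_ssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid="${maps#/proc/}"
        pid="${pid%/maps}"
        if maps_has_stale_ssl "$maps"; then
            echo "$pid $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Constructed sample, shaped like the apt-cache policy output quoted in post #7.
SAMPLE_POLICY='openssl:
  Installed: 1.0.1e-2+deb7u6
  Candidate: 1.0.1e-2+deb7u6
  Version table:
 *** 1.0.1e-2+deb7u6 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.0.1e-2+deb7u4 0
        500 http://mirror.bytemark.co.uk/debian/ wheezy/main amd64 Packages'

# On a live host, replace SAMPLE_POLICY with the real `apt-cache policy openssl`.
main() {
    ver=$(printf '%s\n' "$SAMPLE_POLICY" | installed_version)
    echo "openssl $ver: $(heartbleed_pkg_status "$ver")"
    echo "processes still mapping a replaced libssl/libcrypto (should be empty):"
    stale_ssl_processes
}

main
```

A process listed by stale_ssl_processes has the fixed package on disk but the vulnerable code in memory, so the package version alone is not evidence that the fix is active; restart each listed service (or reboot) and re-run the check until the list is empty.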


#9

I am writing a follow-up post at the moment on how to handle your data after patching heartbleed. Just waiting for a bit of feedback from the rest of the team.


#10

Here it is: