AppCenter - Information About "Heartbleed", OpenSSL Vulnerability

Article ID: 159175

Products

Symantec Products

Issue/Introduction

A vulnerability dubbed “Heartbleed” was found in the popular OpenSSL cryptographic software library.

You can read more general information about the vulnerability at www.symantec.com/connect/blogs/heartbleed-openssl-take-action-now and www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers.

The following OpenSSL versions are affected by the "Heartbleed" vulnerability:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Resolution

1. App Center SaaS deployments – No action needed

The hosting provider has updated the load balancing infrastructure that handles SSL communication. Also, as a precautionary measure, certs/keys have been updated. 

2. App Center On-Premise deployments – Action needed

App Center deployed on CentOS and RHEL 6.4 includes an affected version of the OpenSSL library (v1.0.1e). Customers running this specific configuration should apply the patch immediately.

  • To check the version: "openssl version -a"
  • To update openssl: "yum update openssl"
  • You should restart Apache or reboot the server after the update.

Customers should also ensure that other third-party network components, such as reverse proxies and load balancers (for example, F5), are patched where necessary. As a best practice, replace the certificates and keys after updating the library.

Note: New installations of App Center will include the patched OpenSSL library.


Applies To

Symantec AppCenter

RedHat Enterprise Linux

CentOS

OpenSSL