Friday, 11 April 2014
Patching Your OpenShift Origin Against Heartbleed vulnerability
Recently the Heartbleed bug (CVE-2014-0160) was disclosed. It affects every service built on OpenSSL 1.0.1 through 1.0.1f (inclusive) and has been present since 1.0.1 shipped in 2012. A missing bounds check in the TLS heartbeat extension lets anyone who can open a TLS connection read up to 64 KB of the server process's memory per request, with no authentication and without leaving a trace in the application logs. That memory can hold the private key, session cookies, passwords and other data that SSL/TLS was supposed to protect.
I've been administering OpenShift applications recently and this post outlines the measures I took to secure the OpenShift applications from this critical vulnerability.
To check whether you are vulnerable, start with the OpenSSL version output. Note the "built on" line as well as the version string: Fedora ships 1.0.1e with backported fixes, so the version number does not change when the package is fixed, and on this host the January build date is what gives the vulnerable build away:
# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan 8 07:20:55 UTC 2014
platform: linux-x86_64
Alternatively, you can use one of the online Heartbleed checkers or a standalone checker script that sends a malformed heartbeat to the host and reports whether memory comes back. Only point such a checker at hosts you are responsible for: a positive result means it has just read the server's memory.
Note that on OpenShift Origin the OpenSSL package has to be updated on every broker and every node. The nodes' httpd and web proxy terminate TLS for the hosted apps, so an unpatched node leaves every app on it exposed regardless of what the app itself does. On an already-installed system `yum update -y openssl` does the same thing as the command below:
# yum install -y openssl
Once that completes, verify that the patched build is installed. The version string is unchanged, so the build date and the package changelog entry for CVE-2014-0160 are the proof:
# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 00:29:11 UTC 2014
platform: linux-x86_64
# rpm -q --changelog openssl | grep CVE-2014-0160
- pull in upstream patch for CVE-2014-0160
Updating the package only replaces the library on disk; every process that already has the old libssl/libcrypto mapped keeps running the vulnerable code until it is restarted. On the nodes that means the web proxy (openshift-node-web-proxy) and httpd, which terminate TLS for the hosted apps, and in general every service that links OpenSSL. A graceful reload of httpd may not drop the old mapping if the parent process keeps it, so afterwards check for processes that still hold a deleted libssl/libcrypto (for example with lsof or /proc/<pid>/maps) and use a full restart where any remain. Finally, any private key that lived in a vulnerable process may already have been read, so reissue the certificates on brokers and nodes and rotate session secrets once the patched build is running everywhere.
# systemctl restart openshift-node-web-proxy.service
# /bin/systemctl reload httpd.service
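As an added example (not code from the original post), the script below wraps the verification steps above into functions you can run on each broker and node after the yum update: it compares the "built on" date against the day the upstream fix was published, looks for CVE-2014-0160 in the rpm changelog, and walks /proc to list every process that still maps a libssl/libcrypto that has been replaced on disk, which is the list of services that still need a restart. It assumes a Fedora/RHEL-style host with GNU date, rpm and a readable /proc; the sample version, changelog and maps texts are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post: post-patch checks for a
# Fedora/RHEL-style OpenShift Origin broker or node. The package version
# string (1.0.1e-fips) is identical before and after Fedora's backported fix,
# so the build date, the rpm changelog and the set of processes still mapping
# the old library are what actually tell you whether a host is fixed.
# Assumptions: GNU date (for -d), rpm, and a readable /proc.

# Upstream released the CVE-2014-0160 fix on 2014-04-07; a 1.0.1e build dated
# earlier than that cannot contain it.
FIX_DATE_EPOCH=$(date -u -d '2014-04-07' +%s)

# $1: full text of `openssl version -a`.
# Returns 0 if "built on:" is on/after the fix date, 1 if earlier,
# 2 if the line is missing or cannot be parsed.
openssl_build_is_recent() {
    local built epoch
    built=$(printf '%s\n' "$1" | sed -n 's/^built on: //p')
    [ -n "$built" ] || return 2
    epoch=$(date -u -d "$built" +%s 2>/dev/null) || return 2
    [ "$epoch" -ge "$FIX_DATE_EPOCH" ]
}

# $1: text of `rpm -q --changelog openssl`.
# Returns 0 only if the changelog names CVE-2014-0160: the authoritative
# check for a backported fix that leaves the version number alone.
changelog_has_heartbleed_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# $1: contents of one /proc/<pid>/maps.
# Returns 0 if the process still maps a libssl/libcrypto that yum has since
# replaced on disk (the kernel marks such mappings "(deleted)"); that process
# is still executing the vulnerable code and needs a full restart.
maps_has_stale_openssl() {
    printf '%s\n' "$1" | grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$'
}

# Print "pid comm" for every process on this host holding a stale OpenSSL.
list_stale_openssl_processes() {
    local maps pid comm
    [ -d /proc ] || return 0
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if maps_has_stale_openssl "$(cat "$maps" 2>/dev/null)"; then
            comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
    return 0
}

# Constructed sample inputs (not captured from a real host) so the functions
# can be exercised without rpm or a vulnerable OpenSSL present.
SAMPLE_VERSION_OLD='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan 8 07:20:55 UTC 2014
platform: linux-x86_64'
SAMPLE_VERSION_FIXED='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr 8 00:29:11 UTC 2014
platform: linux-x86_64'
SAMPLE_CHANGELOG_FIXED='- pull in upstream patch for CVE-2014-0160
- rebuild with updated compiler flags'
SAMPLE_CHANGELOG_OLD='- rebuild with updated compiler flags'
SAMPLE_MAPS_STALE='7f3c1a000000-7f3c1a1f0000 r-xp 00000000 fd:01 1049089 /usr/lib64/libssl.so.1.0.1e (deleted)
7f3c1b000000-7f3c1b1b0000 r-xp 00000000 fd:01 393221 /usr/lib64/libc-2.18.so'
SAMPLE_MAPS_FRESH='7f3c1a000000-7f3c1a1f0000 r-xp 00000000 fd:01 1049090 /usr/lib64/libssl.so.1.0.1e
7f3c1b000000-7f3c1b1b0000 r-xp 00000000 fd:01 393221 /usr/lib64/libc-2.18.so'

# Report for the host this runs on; each external command is optional.
main() {
    if command -v openssl >/dev/null 2>&1; then
        if openssl_build_is_recent "$(openssl version -a 2>/dev/null)"; then
            echo "openssl build date: on or after the fix"
        else
            echo "openssl build date: before the fix or unknown -> yum install -y openssl"
        fi
    fi
    if command -v rpm >/dev/null 2>&1; then
        if changelog_has_heartbleed_fix "$(rpm -q --changelog openssl 2>/dev/null)"; then
            echo "rpm changelog: CVE-2014-0160 fix present"
        else
            echo "rpm changelog: CVE-2014-0160 NOT mentioned"
        fi
    fi
    echo "processes still mapping a replaced libssl/libcrypto (restart these):"
    list_stale_openssl_processes
    return 0
}

main
```

Run it once before and once after the restarts: the last section should be empty afterwards. If httpd still appears there after a `reload`, the parent process kept the old mapping and a full `systemctl restart httpd.service` is required.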
I hope this helps :)
Cool Samar
2014-04-11T02:04:00+05:45
Labels: fedora, heartbleed, openshift, openssl, security