AppCenter - Information About "Heartbleed", OpenSSL Vulnerability

Article:TECH216616  |  Created: 2014-04-11  |  Updated: 2014-04-11  |  Article URL http://www.symantec.com/docs/TECH216616
Article Type
Technical Solution


Issue



A vulnerability dubbed “Heartbleed” was found in the popular OpenSSL cryptographic software library.

You can read more general information about the vulnerability at www.symantec.com/connect/blogs/heartbleed-openssl-take-action-now and www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers.

Only specific versions of OpenSSL are affected by the "Heartbleed" vulnerability:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Environment



Symantec AppCenter

RedHat Enterprise Linux

CentOS

OpenSSL


Solution



1. App Center SaaS deployments – No action needed

The hosting provider has updated the load balancing infrastructure that handles SSL communication. Also, as a precautionary measure, certs/keys have been updated.

 
2. App Center On-Premise deployments – Action needed

App Center deployed on CentOS and RHEL 6.4 includes an affected version of the OpenSSL library (v1.0.1e). Customers running this specific configuration should apply the patch immediately.

  • To check the version: "openssl version -a"
  • To update openssl: "yum update openssl"
  • You should restart Apache or reboot the server after the update.
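The checks behind these steps can be scripted. The following is an added example, not Symantec code: it classifies an `openssl version` string against the version list in this article and finds processes that still have the pre-update libssl mapped and therefore need the restart. The function names are hypothetical, and the second check assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Added example (not Symantec code). Function names are hypothetical.

# Classify an upstream OpenSSL version against the list in this article.
# Accepts "1.0.1e" or a full `openssl version` line. Prints
# vulnerable | not-vulnerable | unknown (unknown = not on the article's list).
classify_openssl_version() {
    v=${1#OpenSSL }      # drop the leading product name, if present
    v=${v%%[ -]*}        # drop build date and suffixes such as "-fips"
    case "$v" in
        1.0.1|1.0.1[abcdef])  echo vulnerable ;;
        1.0.1g|1.0.0*|0.9.8*) echo not-vulnerable ;;
        *)                    echo unknown ;;
    esac
}

# True if a /proc/<pid>/maps file shows libssl mapped from a file that has
# since been replaced on disk: the process predates the update and still
# runs the old library until it is restarted.
maps_has_stale_libssl() {
    grep -Eq '/libssl\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# Print the PIDs that still need a restart (run as root to see every process).
list_stale_pids() {
    for m in /proc/[0-9]*/maps; do
        if maps_has_stale_libssl "$m"; then
            pid=${m#/proc/}
            echo "${pid%/maps}"
        fi
    done
}

# Run the checks only when invoked with the --check argument.
if [ "${1:-}" = "--check" ]; then
    echo "openssl version: $(classify_openssl_version "$(openssl version)")"
    echo "PIDs still mapping the pre-update libssl:"
    list_stale_pids
fi
```

The version check compares the upstream version string only. Where a distribution ships the fix without changing that string, compare the "built on" date printed by `openssl version -a` before and after the update.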

Customers should also ensure that other third-party network components, such as reverse proxies and load balancers (for example, F5), are patched appropriately if necessary. As a best practice, the cert/keys should be replaced after the library is updated.

Note: New installations of App Center will include the patched OpenSSL library.


Supplemental Materials

Source: ETrack
Value: 3484844

