Overview

According to this OpenSSL Security Advisory, there is a serious vulnerability in the popular OpenSSL cryptographic software library. Only the 1.0.1 and 1.0.2-beta release series of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. Unfortunately, some operating system distributions shipped with a potentially vulnerable version of OpenSSL, including Ubuntu 12.04-LTS and CentOS 6.5. More information about the vulnerability can be found at http://heartbleed.com/

Both distributions have already released patched versions of the package, which are now available from the RightScale software repository mirrors.

Resolution

To apply the changes on running servers, you can manually update the built-in OpenSSL version. To apply the update to new servers that are launched, you can change the software repository date to install the latest OpenSSL version.

Note: If you are using a v13 ServerTemplate published by RightScale, your server may already have the security updates feature available. If it is enabled (Enable security updates = text:enable), you can reboot the server to apply the patch to the running server automatically.

Ubuntu

For Running Servers

On a running Ubuntu 12.04-LTS server, navigate to the server's Scripts tab in the dashboard and run the recipe rightscale::setup_security_updates, which you can find in the Boot Scripts section. In the confirmation window, click the Show advanced option, select text:enable from the dropdown, then click Continue. (Note: This will ONLY unfreeze the security repository, which allows the latest security updates to be installed.)

After the recipe is successfully completed, verify if the repository was properly changed:

root@ip-172-31-31-200:~# cat /etc/apt/sources.list.d/rightscale.sources.list |grep -i security
deb http://cf-mirror.rightscale.com/ubuntu_daily/latest precise-security main restricted multiverse universe
deb http://island5.rightscale.com/ubuntu_daily/latest precise-security main restricted multiverse universe

Once the security repository has been changed, you can proceed to apply the security update on the server by running the rightscale::do_security_updates operational script, which will do a system package update to download and install the latest security patches.

Again, once the recipe is completed, you can ssh into the server to verify that the 'openssl' package was properly updated to the latest version:

root@ip-172-31-17-180:/etc/apt# dpkg -l libssl1.0.0 openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version              Description
+++-==============-====================-================================================================
ii  libssl1.0.0    1.0.1-4ubuntu5.12    SSL shared libraries
ii  openssl        1.0.1-4ubuntu5.12    Secure Socket Layer (SSL) binary and related cryptographic tools
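The dpkg listing shows what is on disk, but it does not tell you whether long-running daemons (web servers, VPN endpoints, databases) are still executing the copy of libssl they loaded before the update; they keep the vulnerable code in memory until they are restarted or the server is rebooted. The script below is an added example and is not part of the RightScale article or its recipes. It extracts the installed libssl1.0.0 version from dpkg output, compares it with the fixed version shown above (1.0.1-4ubuntu5.12), and lists processes whose memory maps still point at a libssl file the kernel marks as (deleted). The version comparison is a digits-only simplification so the functions can be exercised offline; on a live host, dpkg --compare-versions is the authoritative check.

```shell
#!/bin/bash
# Added example for the RightScale article (not RightScale's own recipe code).
# Post-update checks for the OpenSSL fix on Ubuntu 12.04: is the patched
# libssl1.0.0 installed, and which processes still run the old copy?

# Lowest libssl1.0.0 version carrying the fix on precise, as shown in the
# dpkg output in the article.
FIXED_VERSION="1.0.1-4ubuntu5.12"

# Print the installed version of package $1 from `dpkg -l` output read on stdin
# ("ii  libssl1.0.0  1.0.1-4ubuntu5.12  SSL shared libraries" -> 1.0.1-4ubuntu5.12).
installed_version() {
  awk -v pkg="$1" '$1 == "ii" && $2 == pkg { print $3; exit }'
}

# Succeed if version $1 is at least version $2. Compares the numeric runs of
# each string left to right (1.0.1-4ubuntu5.12 -> 1 0 1 4 5 12). This is a
# simplification of Debian version ordering that is sufficient for the precise
# libssl builds; on a live host prefer: dpkg --compare-versions "$1" ge "$2"
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# Given the contents of one /proc/<pid>/maps on stdin, succeed if the process
# still maps a libssl whose file was replaced on disk. The kernel appends
# "(deleted)" to the path of an unlinked file that is still mapped, which is
# exactly what the package upgrade does to the old library.
maps_has_stale_libssl() {
  grep -q 'libssl.*(deleted)'
}

# Walk every process on a live host and print the PIDs that need a restart
# (or a reboot, as the article notes). Needs root to read other users' maps.
list_stale_libssl_pids() {
  local maps pid
  for maps in /proc/[0-9]*/maps; do
    if maps_has_stale_libssl 2>/dev/null < "$maps"; then
      pid=${maps#/proc/}
      echo "${pid%/maps}"
    fi
  done
}

# Run the full check on the local host. Invoked only with --check so the
# functions above can be sourced or tested without touching dpkg or /proc.
check_host() {
  local ver
  ver=$(dpkg -l libssl1.0.0 | installed_version libssl1.0.0)
  if [ -z "$ver" ]; then
    echo "libssl1.0.0 is not installed" >&2
    return 2
  fi
  if version_ge "$ver" "$FIXED_VERSION"; then
    echo "libssl1.0.0 $ver is patched (>= $FIXED_VERSION)"
  else
    echo "libssl1.0.0 $ver is still vulnerable; run rightscale::do_security_updates" >&2
    return 1
  fi
  echo "processes still using the old libssl (restart these):"
  list_stale_libssl_pids
}

if [ "${1:-}" = "--check" ]; then
  check_host
fi
```

Run it as root with `--check` after rightscale::do_security_updates completes. An empty PID list means every process has picked up the new library; otherwise restart the listed services (or reboot, which is what the v13 security-updates feature does).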

For New Servers

For new servers that you're going to launch, make sure to enable the security update input, which can be found in the RIGHTSCALE category. (Note: It's an advanced input, so you must click on the Show advanced inputs option to see it in the dashboard.)

Input: Enable security updates (rightscale/security_updates)
Value: text:enable

CentOS

Unfortunately, the steps outlined above cannot be used for CentOS without running the risk of updating other packages, which might break package compatibility. The problem with CentOS is that it does not let you apply security updates alone (Ubuntu does, because it has a separate security repository). The only way to apply the latest security updates through the package manager is to unfreeze all repositories and update from the latest snapshot.

Or you can create a RightScript and use it as a boot script to download and install the openssl package and library directly from the RightScale CentOS 6 mirror:

openssl-1.0.1e-16.el6_5.7.x86_64.rpm
openssl-devel-1.0.1e-16.el6_5.7.x86_64.rpm
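The following is an added example of what such a RightScript body could look like; it is not RightScale's own script. It downloads the two RPMs named above, refuses any package whose embedded GPG signature does not verify against the CentOS key already present on the host, installs both in a single rpm transaction (openssl-devel requires the identical openssl build), and reports the installed versions. MIRROR_BASE is an assumed placeholder and must be set to the directory on the RightScale CentOS 6 mirror that holds the RPMs; the file-name parsing helpers are there so the script can skip packages that are already at the patched build and can be exercised without rpm installed.

```shell
#!/bin/bash
# Added example of a RightScript body for CentOS 6 (not RightScale's own script).
# Downloads the two patched RPMs named in the article, verifies their signatures,
# installs them with rpm, and reports the result.
set -e

# Assumption: replace the placeholder with the RightScale CentOS 6 mirror directory
# that contains the RPMs. Can also be supplied through the environment.
MIRROR_BASE="${MIRROR_BASE:-http://MIRROR-HOST-PLACEHOLDER/centos6}"
RPMS="openssl-1.0.1e-16.el6_5.7.x86_64.rpm openssl-devel-1.0.1e-16.el6_5.7.x86_64.rpm"

# VERSION-RELEASE as `rpm -q --qf '%{VERSION}-%{RELEASE}'` prints it, derived
# from a file name: openssl-devel-1.0.1e-16.el6_5.7.x86_64.rpm -> 1.0.1e-16.el6_5.7
rpm_version_release() {
  local f=${1%.rpm}
  f=${f%.*}                       # drop the architecture suffix (x86_64)
  while :; do                     # peel "name-" parts until a digit leads
    case $f in
      [0-9]*) break ;;
      *-*)    f=${f#*-} ;;
      *)      return 1 ;;         # no version component found
    esac
  done
  printf '%s\n' "$f"
}

# Package name from a file name: openssl-devel-1.0.1e-16.el6_5.7.x86_64.rpm -> openssl-devel
rpm_name() {
  local f=${1%.rpm} vr
  f=${f%.*}
  vr=$(rpm_version_release "$1")
  printf '%s\n' "${f%-"$vr"}"
}

# Succeed if the installed package already has the build contained in file $1.
# Only meaningful on the CentOS host (needs rpm).
is_installed_build() {
  local installed
  installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$(rpm_name "$1")" 2>/dev/null) || return 1
  [ "$installed" = "$(rpm_version_release "$1")" ]
}

# Download, verify and install whatever is not yet at the patched build.
install_patched_openssl() {
  local workdir rpm sig todo=""
  workdir=$(mktemp -d)
  cd "$workdir"
  for rpm in $RPMS; do
    if is_installed_build "$rpm"; then
      echo "$rpm: already installed"
      continue
    fi
    curl -fsSLO "$MIRROR_BASE/$rpm"
    # rpm --checksig verifies the embedded GPG signature against the imported
    # CentOS key; a missing key or an altered payload is reported as "NOT OK".
    sig=$(rpm --checksig "$rpm") || sig="NOT OK"
    case $sig in
      *"NOT OK"*) echo "$rpm: signature check failed: $sig" >&2; exit 1 ;;
    esac
    todo="$todo $rpm"
  done
  if [ -n "$todo" ]; then
    # One transaction for both packages: openssl-devel depends on the exact
    # openssl build, so installing them one at a time fails the dependency check.
    rpm -Uvh $todo
  fi
  rpm -q openssl openssl-devel
  cd / && rm -rf "$workdir"
}

if [ "${1:-}" = "--install" ]; then
  install_patched_openssl
fi
```

As a boot script the body runs before services start, so nothing holds the old library. If you run it on an already-running server instead, services that loaded the old libssl keep it in memory until they are restarted, so follow up with a service restart or the reboot mentioned in the note above.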