Vulnerability Description

The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.

For more details, please refer to:http://heartbleed.com/

WARNING: Applying this update will stop any services that use the OpenSSL library and will require a manual restart after the update is applied.

1. Updating the Hardware & Virtual Appliance

Appliance Software Versions Affected:

v7.5, v7.5.1, v7.5.2, v7.5.3, v7.5.4

Hotfix Details:

The hotfix includes a recompiled version of OpenSSL with the compile option "-DOPENSSL_NO_HEARTBEATS" which mitigates the vulnerability. This approach enables us to release a patch more quickly than upgrading OpenSSL which would require Pound and STunnel to be rebuild and fully retested.  The hotfix files can be accessed at the following URL's:

Archive file: http://downloads.loadbalancer.org/releases/hotfix/loadbalancer.org-patch-7.5_openssl1.0.1e-heartbeat.tar.gz

Checksum file: http://downloads.loadbalancer.org/releases/hotfix/loadbalancer.org-patch-7.5_openssl1.0.1e-heartbeat.tar.gz.md5

Applying the Hotfix (should ONLY be applied to versions listed above):

  1. Download both files mentioned above
  2. Open the WUI option: Maintenance > Software Update > Offline Update
  3. Browse to and select the files
  4. Click Upload and Install
  5. Restart Pound and STunnel

NOTE: After applying the patch, the version of OpenSSL will remain the same but the compile date and options will be different as reported in the update confirmation message as shown below:

OpenSSL updated.
Version: OpenSSL 1.0.1e 11 Feb 2013
Built on: Wed Apr 9 09:52:48 BST 2014
Platform: linux-x86_64options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_HEARTBEATS-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASMOPENSSLDIR: "/etc/pki/tls"

The version of OpenSSL can also be verified by running the command openssl version -a at the console, via an SSH session or using the WUI option: Local Configuration > Execute Shell Command as shown below:

[root@lbmaster ~]# openssl version -a
OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Apr  9 09:52:48 BST 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_HEARTBEATS -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"

Regenerate Keys & Certificates:

To ensure complete protection all SSL certificates that have been used with a vulnerable version of OpenSSL should be regenerated using a new private key.

2) Updating the Amazon Ec2 Appliance

EC2 Appliance Software Versions Affected:

All versions

Updating the Software:

  1. Start an SSH session - to do this please refer to page 29 in the EC2 Quickstart Guide
  2. Run the following commands:
    sudo yum update openssl
    service pound restart
    service httpd restart

Regenerate Keys & Certificates:

To ensure complete protection all SSL certificates that have been used with a vulnerable version of OpenSSL should be regenerated using a new private key.

For further information please contact Loadbalancer.org Support