A vulnerability dubbed “Heartbleed” was found in the popular OpenSSL cryptographic software library.
You can read more general information about the vulnerability at www.symantec.com/connect/blogs/heartbleed-openssl-take-action-now and www.symantec.com/connect/blogs/heartbleed-bug-poses-serious-threat-unpatched-servers.
The following OpenSSL versions are affected by the Heartbleed vulnerability:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
1. App Center SaaS deployments – No action needed
The hosting provider has updated the load-balancing infrastructure that handles SSL communication. As a precautionary measure, the certificates and keys have also been replaced.
2. App Center On-Premise deployments – Action needed
App Center deployed on CentOS and RHEL 6.4 includes an affected version of the OpenSSL library (v1.0.1e). Customers running this specific configuration should apply the patch immediately.
- To check the version: "openssl version -a"
- To update openssl: "yum update openssl"
- Restart Apache (or reboot the server) after the update, so that running processes load the patched library instead of the copy already in memory.
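As an added example (not part of this advisory), the following POSIX shell function classifies the first line of "openssl version" output against the affected range listed above; the sample strings are constructed, not output from real hosts.

```shell
#!/bin/sh
# Classify an "openssl version" line against the Heartbleed-affected range
# stated in the advisory: 1.0.1 through 1.0.1f affected; 1.0.1g, 1.0.0 and
# 0.9.8 not affected. Prints one of: affected | not-affected | unknown
classify_openssl_version() {
    # $1 is the full first line, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown            # not OpenSSL, or unparseable output
        return 0
    fi
    case "$ver" in
        1.0.1|1.0.1[a-f])  echo affected ;;       # 1.0.1 .. 1.0.1f
        1.0.1*)            echo not-affected ;;   # 1.0.1g and later letter releases
        1.0.0*|0.9.8*)     echo not-affected ;;   # branches the advisory lists as safe
        *)                 echo unknown ;;        # branch not covered by the advisory
    esac
}

# Constructed sample lines (not captured from real systems), then the local install if present.
for sample in "OpenSSL 1.0.1e-fips 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" "OpenSSL 1.0.0k 5 Feb 2013"; do
    printf '%-36s %s\n' "$sample" "$(classify_openssl_version "$sample")"
done
if command -v openssl >/dev/null 2>&1; then
    local_ver=$(openssl version)
    printf 'local: %-29s %s\n' "$local_ver" "$(classify_openssl_version "$local_ver")"
fi
```

Distribution packages such as Red Hat's backport security fixes without changing the upstream version string, so a result of "affected" is a prompt to verify with the package manager (for example "rpm -q --changelog openssl" after "yum update openssl"), not proof that the host is still unpatched.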
Customers should also ensure that other third-party network components that terminate SSL, such as reverse proxies and load balancers (for example, F5), are patched where necessary. As a best practice, the certificates and keys should be replaced after the library has been updated.
Note: New installations of App Center will include the patched OpenSSL library.