Question

vulnerability in the popular OpenSSL cryptographic software library.

  • April 8, 2014
  • 13 replies
  • 70 views


mm2270
  • Legendary Contributor
  • April 8, 2014

Thanks for the link. Looking at the NCSC advisory, it looks at first glance that OS X may not actually be affected by this due to it using an older version of OpenSSL. The advisory states this for what's affected:

OpenSSL versions from 1.0.1 to 1.0.1f. The vulnerability has been fixed in OpenSSL 1.0.1g.

It doesn't say it goes back further than 1.0.1, but I'm not sure if it's just because those versions haven't been tested for the vuln yet or not.
I just checked some 10.8.x Macs and one running 10.9.2 and they are all running OpenSSL version 0.9.8y.

Can anyone who knows more about this confirm this information? Neither article I've read seems to list any flavor of OS X as being affected. If true, chalk it up to dumb luck that Apple seems to always ship an older version of these libraries with their OS.

But I'd imagine anyone running a Linux server or ten would want to pay attention to this since it seems to affect many varieties of Linux.


  • New Contributor
  • April 8, 2014

From what I have seen

The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8

http://heartbleed.com
http://www.pcworld.com/article/2140920/heartbleed-bug-in-openssl-puts-encrypted-communications-at-risk.html


golbiga
  • Employee
  • April 8, 2014

It looks like JAMF's implementation of Tomcat is fine, even under Linux. But if you've used the same certs for, say, an HTTPS distribution point on a system running the vulnerable version, then you're going to want to patch and reissue certs.


  • Contributor
  • April 8, 2014

I was able to check our servers at the following link:

http://filippo.io/Heartbleed/

Our casper implementation "Seemed" ok.

Here's the GitHub site: https://github.com/FiloSottile/Heartbleed


  • Employee
  • April 10, 2014

My NetSUS is showing vulnerable. Is there a simple way to patch it?


  • Contributor
  • April 11, 2014

How to know what OpenSSL libraries are used by the Tomcat JSS server?

I know that one can run "openssl version" to get the current system openssl version, but is it enough?
On the webpage https://issues.apache.org/bugzilla/show_bug.cgi?id=56363, I see :

The binary builds of Tomcat Native 1.1.24 - 1.1.29 have been compiled with an OpenSSL version vulnerable to Heartbleed, and are thus probably vulnerable. See http://www.openssl.org/news/secadv_20140407.txt and http://heartbleed.com/ A new build using OpenSSL 1.0.1g would be very much appreciated.

Uncle Google does not help me a lot to quickly understand differences between JSSE, APR, and whatever cryptic stuff in server.xml file :-).
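To make the "is `openssl version` enough?" question concrete, here is an added example (not from this thread or from JAMF) that classifies the first line of `openssl version` output against the version ranges quoted above: 1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 0.9.8 and 1.0.0 not affected. The sample banners are constructed. It only answers for the system's OpenSSL binary, so it says nothing about a Tomcat Native (APR) build that bundles its own OpenSSL, and a distro that backports the fix without changing the upstream letter (e.g. Debian/Ubuntu package revisions) will still read as "vulnerable" here, so confirm with the package changelog.

```python
import re

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> ("1", "0", "1", "e")
VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from an `openssl version` line, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter

def heartbleed_status(banner):
    """Classify by upstream version number only.

    'vulnerable'   : 1.0.1 (no letter) through 1.0.1f, per the advisory
    'fixed'        : 1.0.1g or later on the 1.0.1 branch
    'not-affected' : 0.9.8 and 1.0.0 branches, which never had TLS heartbeats
    'unknown'      : unparseable, or a branch the advisory does not cover
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter = parsed
    branch = (major, minor, fix)
    if branch in ((0, 9, 8), (1, 0, 0)):
        return "not-affected"
    if branch != (1, 0, 1):
        return "unknown"
    # Letter-less 1.0.1 sorts before "f"; "g" and above are post-fix releases.
    # Caveat: a backported distro fix keeps the upstream letter, so this is
    # "probably vulnerable", not proof. Check the package changelog as well.
    return "vulnerable" if letter <= "f" else "fixed"

def classify_inventory(lines):
    """Take 'hostname: <openssl version output>' lines and return {host: status}."""
    result = {}
    for line in lines:
        host, _, banner = line.partition(":")
        result[host.strip()] = heartbleed_status(banner)
    return result

# Constructed sample inventory, as one might collect it over ssh from a few hosts.
SAMPLE_INVENTORY = [
    "mac-10.8: OpenSSL 0.9.8y 5 Feb 2013",
    "netsus-vm: OpenSSL 1.0.1 14 Mar 2012",
    "web-01: OpenSSL 1.0.1e 11 Feb 2013",
    "web-02: OpenSSL 1.0.1g 7 Apr 2014",
    "bsd-box: LibreSSL 2.8.3",
]
```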


  • Esteemed Contributor
  • April 11, 2014

Don't worry about OS X itself. 10.8 and below used a version of OpenSSL prior to 1.0 and 10.9 doesn't use it at all!


  • Valued Contributor
  • April 11, 2014

@cstout

You can try this:

apt-get update
apt-get dist-upgrade

Or if comfortable..

apt-get upgrade

  • Employee
  • April 11, 2014

@lisacherie Easy enough! Thank you for sharing that.


  • Contributor
  • April 11, 2014

I e-mailed our rep when it came out and asked if we needed to patch; they said no. As far as I could tell the JSS was using Java for its SSL, not OpenSSL.



Hi everybody,

A Security Update regarding this issue has been posted to a separate discussion on JAMF Nation:

https://jamfnation.jamfsoftware.com/discussion.html?id=10317

That discussion will be updated with any new information, as necessary.

Jason Van Zanten
Information Security Specialist
JAMF Software


  • Valued Contributor
  • April 15, 2014

Does anyone have a recipe for regenerating SSL certificates in the NetSUS VM appliance?



@ianmb: The NetBoot/SUS Appliance uses Apache for the Web Application user interface, which includes a self-signed SSL certificate by default. The following is the default configuration in the /etc/apache2/sites-enabled/default-ssl file:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

None of the other services provided by the NetBoot/SUS Appliance use SSL by default:
- SMB for uploading NetBoot images
- HTTP for distributing software updates and booting NetBoot clients
- AFP for storing shadow files during diskless NetBoot

The SSL certificate for the Web Application user interface can be updated using standard procedures for Apache:

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#aboutcerts