Posted on 04-08-2014 08:20 AM
Posted on 04-08-2014 08:46 AM
Thanks for the link. Looking at the NCSC advisory, it looks at first glance that OS X may not actually be affected by this due to it using an older version of OpenSSL. The advisory states this for what's affected:
OpenSSL versions from 1.0.1 to 1.0.1f. The vulnerability has been fixed in OpenSSL 1.0.1g.
It doesn't say it goes back further than 1.0.1, but I'm not sure if it's just because those versions haven't been tested for the vuln yet or not.
I just checked some 10.8.x Macs and one running 10.9.2 and they are all running OpenSSL version 0.9.8y.
Can anyone who knows more about this confirm this information? Neither article I've read seems to list any flavor of OS X as being affected. If true, chalk it up to dumb luck that Apple seems to always ship an older version of these libraries with their OS.
But I'd imagine anyone running a Linux server or ten would want to pay attention to this since it seems to affect many varieties of Linux.
Posted on 04-08-2014 09:10 AM
From what I have seen, the vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f, with two exceptions: the OpenSSL 1.0.0 branch and 0.9.8.
http://heartbleed.com
http://www.pcworld.com/article/2140920/heartbleed-bug-in-openssl-puts-encrypted-communications-at-risk.html
Posted on 04-08-2014 09:51 AM
It looks like JAMF's implementation of Tomcat is fine, even under Linux. But if you've used the same certs for, say, an HTTPS distribution point on a system running the vulnerable version, then you're going to want to patch and reissue certs.
Posted on 04-08-2014 11:11 AM
I was able to check our servers at the following link:
http://filippo.io/Heartbleed/
Our Casper implementation "seemed" OK.
Here's the GitHub site: https://github.com/FiloSottile/Heartbleed
Posted on 04-10-2014 03:06 PM
My NetSUS is showing vulnerable. Is there a simple way to patch it?
Posted on 04-11-2014 02:36 AM
How to know what OpenSSL libraries are used by the Tomcat JSS server?
I know that one can run "openssl version" to get the current system openssl version, but is it enough?
On the webpage https://issues.apache.org/bugzilla/show_bug.cgi?id=56363, I see:
The binary builds of Tomcat Native 1.1.24 - 1.1.29 have been compiled with an OpenSSL version vulnerable to Heartbleed, and are thus probably vulnerable. See http://www.openssl.org/news/secadv_20140407.txt and http://heartbleed.com/ A new build using OpenSSL 1.0.1g would be very much appreciated.
Uncle Google does not help me a lot to quickly understand differences between JSSE, APR, and whatever cryptic stuff in server.xml file :-).
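An added example, not code from any post in this thread, for the two questions raised above: whether the version range quoted earlier (1.0.1 through 1.0.1f, fixed in 1.0.1g) can be checked from `openssl version` output, and how to tell from server.xml whether a Tomcat SSL connector uses Java's JSSE or the APR/Tomcat Native connector (the one that links OpenSSL). The sample server.xml, its ports and file paths are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Heartbleed (CVE-2014-0160): OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g.
# The 1.0.0 and 0.9.8 branches never had the TLS heartbeat code and are not affected.
VULN_MIN, VULN_MAX = (1, 0, 1, ""), (1, 0, 1, "f")
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner):
    """Parse `openssl version` output such as 'OpenSSL 0.9.8y 5 Feb 2013' into a tuple."""
    m = _VERSION_RE.search(banner)
    return None if not m else tuple(int(x) for x in m.groups()[:3]) + (m.group(4),)

def assess_openssl(banner):
    """Tuple comparison orders the letter suffix ('' < 'a' < ... < 'f' < 'g') correctly.
    Distros backport fixes without bumping the letter (Debian/Ubuntu shipped a patched
    build still reporting 1.0.1e), so "in-vulnerable-range" means check the package
    changelog, not proof of exposure."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    return "in-vulnerable-range" if VULN_MIN <= v <= VULN_MAX else "outside-vulnerable-range"

# Tomcat: only the APR/native connector links OpenSSL; JSSE connectors use Java's own TLS.
APR_PROTOCOLS = ("org.apache.coyote.http11.Http11AprProtocol",)
JSSE_PROTOCOLS = ("org.apache.coyote.http11.Http11Protocol",
                  "org.apache.coyote.http11.Http11NioProtocol")

def tomcat_ssl_stacks(server_xml):
    """Map each SSL-enabled Connector port in server.xml to the TLS stack it uses."""
    result = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        proto = conn.get("protocol", "HTTP/1.1")
        if proto in APR_PROTOCOLS:
            stack = "openssl-via-apr"
        elif proto in JSSE_PROTOCOLS:
            stack = "jsse"
        else:
            # Plain "HTTP/1.1" selects APR automatically when libtcnative is installed; the
            # startup log line "Loaded APR based Apache Tomcat Native library" settles it.
            stack = "depends-on-tcnative"
        result[conn.get("port")] = stack
    return result

# Constructed sample server.xml (not from the page): one JSSE and one APR connector.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true" keystoreFile="/opt/jss/keystore"/>
  <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true" SSLCertificateFile="/etc/ssl/certs/server.pem"/>
</Service></Server>"""
```

Run `assess_openssl` against the system banner and `tomcat_ssl_stacks` against the JSS server.xml; a JSSE-only result means the Java keystore, not the system OpenSSL, is what terminates TLS for that connector.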
Posted on 04-11-2014 01:08 PM
Don't worry about OS X itself. 10.8 and below used a version of OpenSSL prior to 1.0 and 10.9 doesn't use it at all!
Posted on 04-11-2014 01:36 PM
Posted on 04-11-2014 01:43 PM
@lisacherie Easy enough! Thank you for sharing that.
Posted on 04-11-2014 02:10 PM
I e-mailed our rep when it came out and asked if we needed to patch, and they said no. As far as I could tell the JSS was using Java for its SSL, not OpenSSL.
Posted on 04-12-2014 08:49 AM
Hi everybody,
A Security Update regarding this issue has been posted to a separate discussion on JAMF Nation:
https://jamfnation.jamfsoftware.com/discussion.html?id=10317
That discussion will be updated with any new information, as necessary.
Jason Van Zanten
Information Security Specialist
JAMF Software
Posted on 04-15-2014 06:42 AM
Does anyone have a recipe for regenerating SSL certificates in the NetSUS VM appliance?
Posted on 04-15-2014 12:50 PM
@ianmb: The NetBoot/SUS Appliance uses Apache for the Web Application user interface, which includes a self-signed SSL certificate by default. The following is the default configuration in the /etc/apache2/sites-enabled/default-ssl file:
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
None of the other services provided by the NetBoot/SUS Appliance use SSL by default:
- SMB for uploading NetBoot images
- HTTP for distributing software updates and booting NetBoot clients
- AFP for storing shadow files during diskless NetBoot
The SSL certificate for the Web Application user interface can be updated using standard procedures for Apache:
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#aboutcerts