Posted on 04-08-2014 08:20 AM
Posted on 04-08-2014 08:46 AM
Thanks for the link. Looking at the NCSC advisory, it looks at first glance that OS X may not actually be affected by this due it using an older version of OpenSSL. The advisory states this for what's affected:
OpenSSL versions from 1.0.1 to 1.0.1f. The vulnerability has been fixed in OpenSSL 1.0.1g.
It doesn't say it goes back further than 1.0.1, but I'm not sure if its just because those versions haven't been tested for the vuln yet or not.
I just checked some 10.8.x Macs and one running 10.9.2 and they are all running OpenSSL version 0.9.8y.
Can anyone who knows more about this confirm this information? Neither article I've read seems to list any flavor of OS X as being affected. If true, chalk it up to dumb luck that Apple seems to always ship an older version of these libraries with their OS.
But I'd imaging anyone running a Linux server or ten would want to pay attention to this since it seems to affect many varieties of Linux.
Posted on 04-08-2014 09:10 AM
From what I have seen
The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8
Posted on 04-08-2014 09:51 AM
It looks like JAMF's implementation of tomcat is fine, even under linux. But if you've used the same certs for say a https distribution on a system running the vulnerable version then you're going to want to patch and reissue certs.
Posted on 04-08-2014 11:11 AM
I was able to check our servers at the following link:
Our casper implementation "Seemed" ok.
Here's the gethub site: https://github.com/FiloSottile/Heartbleed
Posted on 04-10-2014 03:06 PM
My NetSUS is showing vulnerable. Is there a simple way to patch it?
Posted on 04-11-2014 02:36 AM
How to know what OpenSSL libraries are used by the Tomcat JSS server?
I know that one can run "openssl version" to get the current system openssl version, but is it enough?
On the webpage https://issues.apache.org/bugzilla/show_bug.cgi?id=56363, I see :
The binary builds of Tomcat Native 1.1.24 - 1.1.29 have been compiled with an OpenSSL version vulnerable to Heartbleed, and are thus probably vulnerable. See http://www.openssl.org/news/secadv_20140407.txt and http://heartbleed.com/ A new build using OpenSSL 1.0.1g would be very much appreciated.
Uncle Google does not help me a lot to quickly understand differences between JSSE, APR, and whatever cryptic stuff in server.xml file :-).
Posted on 04-11-2014 01:08 PM
Don't worry about OS X itself. 10.8 and below used a version of OpenSSL prior to 1.0 and 10.9 doesn't use it at all!
Posted on 04-11-2014 01:36 PM
Posted on 04-11-2014 01:43 PM
Posted on 04-11-2014 02:10 PM
I e-mailed our rep when it came out and I and asked if it we needed to patch, they said no. As far as I could tell the JSS was using JAVA for it's SSL, not OpenSSL.
Posted on 04-12-2014 08:49 AM
A Security Update regarding this issue has been posted to a separate discussion on JAMF Nation:
That discussion will be updated with any new information, as necessary.
Jason Van Zanten
Information Security Specialist
Posted on 04-15-2014 06:42 AM
Does anyone have a recipe for regenerating SSL certificates in the NetSUS VM appliance?
Posted on 04-15-2014 12:50 PM
@ianmb: The NetBoot/SUS Appliance uses Apache for the Web Application user interface, which includes a self-signed SSL certificate by default. The following is the default configuration in the /etc/apache2/sites-enabled/default-ssl file:
None of the other services provided by the NetBoot/SUS Appliance use SSL by default:
- SMB for uploading NetBoot images
- HTTP for distributing software updates and booting NetBoot clients
- AFP for storing shadow files during diskless NetBoot
The SSL certificate for the Web Application user interface can be updated using standard procedures for Apache: