vulnerability in the popular OpenSSL cryptographic software library.

hcodfrie
Contributor

Guys fyi

http://heartbleed.com

13 REPLIES 13

mm2270
Legendary Contributor III

Thanks for the link. Looking at the NCSC advisory, it looks at first glance that OS X may not actually be affected by this due it using an older version of OpenSSL. The advisory states this for what's affected:

OpenSSL versions from 1.0.1 to 1.0.1f. The vulnerability has been fixed in OpenSSL 1.0.1g.

It doesn't say it goes back further than 1.0.1, but I'm not sure if its just because those versions haven't been tested for the vuln yet or not.
I just checked some 10.8.x Macs and one running 10.9.2 and they are all running OpenSSL version 0.9.8y.

Can anyone who knows more about this confirm this information? Neither article I've read seems to list any flavor of OS X as being affected. If true, chalk it up to dumb luck that Apple seems to always ship an older version of these libraries with their OS.

But I'd imaging anyone running a Linux server or ten would want to pay attention to this since it seems to affect many varieties of Linux.

Services
New Contributor

From what I have seen

The vulnerable versions of OpenSSL are 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8

http://heartbleed.com
http://www.pcworld.com/article/2140920/heartbleed-bug-in-openssl-puts-encrypted-communications-at-risk.html

golbiga
Contributor III
Contributor III

It looks like JAMF's implementation of tomcat is fine, even under linux. But if you've used the same certs for say a https distribution on a system running the vulnerable version then you're going to want to patch and reissue certs.

jbestine
New Contributor III

I was able to check our servers at the following link:

http://filippo.io/Heartbleed/

Our casper implementation "Seemed" ok.

Here's the gethub site: https://github.com/FiloSottile/Heartbleed

cstout
Contributor III
Contributor III

My NetSUS is showing vulnerable. Is there a simple way to patch it?

Olivier
New Contributor II

How to know what OpenSSL libraries are used by the Tomcat JSS server?

I know that one can run "openssl version" to get the current system openssl version, but is it enough?
On the webpage https://issues.apache.org/bugzilla/show_bug.cgi?id=56363, I see :

The binary builds of Tomcat Native 1.1.24 - 1.1.29 have been compiled with an OpenSSL version vulnerable to Heartbleed, and are thus probably vulnerable. See http://www.openssl.org/news/secadv_20140407.txt and http://heartbleed.com/ A new build using OpenSSL 1.0.1g would be very much appreciated.

Uncle Google does not help me a lot to quickly understand differences between JSSE, APR, and whatever cryptic stuff in server.xml file :-).

franton
Valued Contributor III

Don't worry about OS X itself. 10.8 and below used a version of OpenSSL prior to 1.0 and 10.9 doesn't use it at all!

lisacherie
Contributor II

@cstout

You can try this:

apt-get update
apt-get dist-upgrade

Or if comfortable..

apt-get upgrade

cstout
Contributor III
Contributor III

@lisacherie Easy enough! Thank you for sharing that.

ctangora
Contributor III

I e-mailed our rep when it came out and I and asked if it we needed to patch, they said no. As far as I could tell the JSS was using JAVA for it's SSL, not OpenSSL.

jason_vanzanten
New Contributor III
New Contributor III

Hi everybody,

A Security Update regarding this issue has been posted to a separate discussion on JAMF Nation:

https://jamfnation.jamfsoftware.com/discussion.html?id=10317

That discussion will be updated with any new information, as necessary.

Jason Van Zanten
Information Security Specialist
JAMF Software

ianmb
Contributor

Does anyone have a recipe for regenerating SSL certificates in the NetSUS VM appliance?

jason_vanzanten
New Contributor III
New Contributor III

@ianmb: The NetBoot/SUS Appliance uses Apache for the Web Application user interface, which includes a self-signed SSL certificate by default. The following is the default configuration in the /etc/apache2/sites-enabled/default-ssl file:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

None of the other services provided by the NetBoot/SUS Appliance use SSL by default:
- SMB for uploading NetBoot images
- HTTP for distributing software updates and booting NetBoot clients
- AFP for storing shadow files during diskless NetBoot

The SSL certificate for the Web Application user interface can be updated using standard procedures for Apache:

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#aboutcerts