[James Bayer] Parts of Cloud Foundry and BOSH affected by the OpenSSL vulnerability

James Bayer jbayer@gopivotal.com

Greg Oehmen (BOSH PM) has put together an excellent explanation of how Cloud Foundry and BOSH stemcells are affected by the OpenSSL Heartbleed CVE.

the short summary is:

  • Ubuntu stemcells based on 10.04 LTS are NOT VULNERABLE
  • CentOS stemcells based on CentOS 6.x are VULNERABLE

See below for more detail from Greg. Thanks for putting this together so quickly, Greg!

On Tue, Apr 8, 2014 at 12:15 PM, Greg Oehmen goehmen@pivotallabs.com wrote:

The vulnerability issue related to OpenSSL has recently been exposed. See a full description here: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 and here: http://heartbleed.com/

In terms of the exposure that BOSH stemcells are experiencing, here are the OpenSSL versions and their specific exposure:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

BOSH UBUNTU STEMCELLS

The BOSH ubuntu stemcell uses OpenSSL 0.9.8k and thus is not vulnerable.

BOSH team currently has stories in the backlog (https://www.pivotaltracker.com/story/show/69022850 and https://www.pivotaltracker.com/story/show/62015812) to migrate to ubuntu 14.04 for both AWS and Vsphere for the new Go agent. The team will be verifying that the new 14.04 stemcells will have OpenSSL 1.0.1g or higher. But again note that current ubuntu stemcells are NOT vulnerable.

BOSH CENTOS STEMCELLS

The BOSH centos stemcell uses OpenSSL 1.0.1e and thus is vulnerable.

The BOSH team currently has a story in the backlog (https://www.pivotaltracker.com/story/show/69106298) to upgrade the centos stemcell as soon as centos.org announces a patched version of centos. I will send out communication when we confirm that a patched version of centos is available to the BOSH team and when a fixed stemcell is GA.

Best, Greg

—
Greg Oehmen
Cloud Foundry Product Manager – Bosh
Pivotal
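The version ranges Greg lists above (1.0.1 through 1.0.1f affected, 1.0.1g fixed, 1.0.0 and 0.9.8 unaffected) are easy to get wrong when checked by eye because of OpenSSL's letter-suffix scheme. The following is an added example, not code from the thread or from the BOSH project: it parses `openssl version` output or bare version strings and triages a constructed stemcell inventory that mirrors the two cases in the message.

```python
import re

# Matches an OpenSSL version token such as "1.0.1e", "0.9.8k" or "1.0.1e-fips"
# inside a bare string or a full `openssl version` line.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return (major, minor, fix, letter) for an OpenSSL version string.

    The letter suffix orders patch releases within a branch: '' < 'a' < 'b' ...
    so 1.0.1 (no letter) precedes 1.0.1a, and 1.0.1f precedes 1.0.1g.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, fix, m.group(4))


def is_heartbleed_vulnerable(text):
    """True when the version lies in the affected range 1.0.1 .. 1.0.1f.

    Per the message: only the 1.0.1 branch ever had the bug, and 1.0.1g
    is the first fixed release. 1.0.0 and 0.9.8 are unaffected.
    """
    major, minor, fix, letter = parse_version(text)
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter < "g"  # '' and 'a'..'f' are vulnerable; 'g' onward are fixed


# Constructed inventory mirroring the thread: the Ubuntu 10.04 stemcell
# ships OpenSSL 0.9.8k, the CentOS 6.x stemcell ships OpenSSL 1.0.1e.
# The stemcell names are placeholders, not real BOSH stemcell identifiers.
STEMCELL_OPENSSL = {
    "stemcell-ubuntu-10.04": "OpenSSL 0.9.8k 25 Mar 2009",
    "stemcell-centos-6": "OpenSSL 1.0.1e 11 Feb 2013",
}


def triage(inventory):
    """Map each stemcell name to whether its OpenSSL build is affected."""
    return {name: is_heartbleed_vulnerable(v) for name, v in inventory.items()}


if __name__ == "__main__":
    for name, affected in triage(STEMCELL_OPENSSL).items():
        print("%-24s %s" % (name, "VULNERABLE" if affected else "not vulnerable"))
```

A version-string check is only a first pass: a distribution that backports the fix without changing the letter suffix still reports 1.0.1e, so confirm against the vendor's package changelog before closing the finding.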

