CloudStack and the HeartBleed vulnerability

Slides from my talk about how the HeartBleed OpenSSL vulnerability affects Apache CloudStack and how to mitigate the vulnerability. From CloudStack Collaboration Conference 2014 in Denver, CO

Published in: Technology, Education
Transcript of "CloudStack and the HeartBleed vulnerability"

  1. CloudStack and “HeartBleed”
  2. We’re here to talk about…
  3. What is Vulnerable
     • Apache CloudStack 4.2 – 4.3
     • SystemVMs have a vulnerable version of OpenSSL installed
     • In particular, the SSVM is running vulnerable services
  4. FRIENDS DON’T LET FRIENDS USE REALHOSTIP
  5. Status
     • Apache CloudStack has issued patch instructions
     • We’re working on updated SystemVM templates
  6. How to patch
     • ssh to the SystemVM
     • apt-get update
     • apt-get install openssl libssl1.0.0
     • /etc/init.d/apache2 restart
  7. How to verify
     dpkg -l|grep ssl
     ii libssl1.0.0:i386 1.0.1e-2+deb7u6 i386 SSL shared libraries
     ii openssl 1.0.1e-2+deb7u6 i386 Secure Socket Layer (SSL) binary
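As an added example (not part of the talk's slides), a POSIX shell check that parses `dpkg -l` output from a SystemVM and confirms that both libssl1.0.0 and openssl are at the slide's fixed version 1.0.1e-2+deb7u6 or a later deb7u security update; the sample dpkg lines and the 1.0.1g-1 version are constructed.

```shell
#!/bin/sh
# Added example (not from the talk): check `dpkg -l` output from a SystemVM
# for the patched OpenSSL packages. Fixed version is the one on the slide.
FIXED_VERSION="1.0.1e-2+deb7u6"

# Constructed sample of `dpkg -l | grep ssl` on an unpatched SystemVM
UNPATCHED_SAMPLE='ii  libssl1.0.0:i386  1.0.1e-2+deb7u4  i386  SSL shared libraries
ii  openssl           1.0.1e-2+deb7u4  i386  Secure Socket Layer (SSL) binary'

# Constructed sample matching the slide's patched output
PATCHED_SAMPLE='ii  libssl1.0.0:i386  1.0.1e-2+deb7u6  i386  SSL shared libraries
ii  openssl           1.0.1e-2+deb7u6  i386  Secure Socket Layer (SSL) binary'

# Constructed sample from a different package series (hypothetical version)
OTHER_SERIES_SAMPLE='ii  libssl1.0.0:i386  1.0.1g-1  i386  SSL shared libraries
ii  openssl           1.0.1g-1  i386  Secure Socket Layer (SSL) binary'

# deb7u_level VERSION: print the N from a "+deb7uN" suffix, or 0 if absent
deb7u_level() {
    case "$1" in
        *+deb7u*) printf '%s\n' "${1##*+deb7u}" ;;
        *)        echo 0 ;;
    esac
}

# installed_version DPKG_OUTPUT PACKAGE: print the version column of the
# "ii" (installed) line for PACKAGE, tolerating an ":arch" qualifier
installed_version() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == "ii" && ($2 == p || index($2, p ":") == 1) { print $3; exit }'
}

# check_ssl_packages DPKG_OUTPUT
#   0: both libssl1.0.0 and openssl are at the fixed deb7u level or later
#   1: a package is missing or older than the fix
#   2: a package comes from another version series; compare by hand
check_ssl_packages() {
    want=$(deb7u_level "$FIXED_VERSION")
    for pkg in libssl1.0.0 openssl; do
        ver=$(installed_version "$1" "$pkg")
        [ -n "$ver" ] || return 1
        # Only 1.0.1e-2+deb7uN is comparable by its security-update counter
        [ "${ver%%+deb7u*}" = "${FIXED_VERSION%%+deb7u*}" ] || return 2
        [ "$(deb7u_level "$ver")" -ge "$want" ] || return 1
    done
    return 0
}
```

On a live SystemVM run `check_ssl_packages "$(dpkg -l | grep ssl)"`; an exit code of 2 means the package series differs from the slide's and the version must be compared against the Debian advisory by hand.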
  8. External tests
     • http://filippo.io/Heartbleed/
     • https://gist.github.com/takeshixx/10107280 - run yourself
  9. Honeypot
     Using http://packetstormsecurity.com/files/126068/hb_honeypot.pl.txt
     $ sudo perl heartbleed_honeypot.pl
     182.118.60.51 182.118.60.51 182.118.60.51 182.118.60.51
  10. Honeypot sniff
  11. Honeypot sniff
  12. Honeypot sniff
  13. ASF Infrastructure team: “Thank you for your patience while we have worked to sort this out. We expect to reset all LDAP passwords within the next 48 hours or so, so do not be alarmed when your password stops working.”
  14. kthxbye!
     • http://cloudstack.apache.org
     • jlk@stratosec.co
     • @johnlkinsella