April 8th, 2014 17:00

Isilon and OpenSSL Heartbleed

Some of you may be wondering if Isilon nodes, at any rev of OneFS, are affected by the OpenSSL Heartbleed vulnerability.

The answer is no - no version of OneFS is affected. 

I hope all of you are taking this vuln seriously with your own web browsing behavior - many sites are indeed affected, as well as many popular open source/free source OSes. 

117 Posts

April 15th, 2014 06:00

KB# 186055 is available regarding InsightIQ.  (Impact of OpenSSL "heartbleed" vulnerability in InsightIQ Virtual Machines)

https://support.emc.com/kb/186055

April 9th, 2014 15:00

How do I check what version of OpenSSL is installed on my Isilon Cluster?

20.4K Posts

April 9th, 2014 16:00

openssl version -a

April 9th, 2014 16:00

Thanks, that did the trick!

isilon# oppenssl version -a

zsh: command not found: oppenssl

isilon21-1# openssl

OpenSSL> version -a

OpenSSL 0.9.8x 10 May 2012

built on: date not available

platform: FreeBSD-i386

options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)

compiler: cc

OPENSSLDIR: "/etc/ssl"

OpenSSL>

20.4K Posts

April 10th, 2014 04:00

Rob, looks like InsightIQ (version 3.0 appliance provided by EMC) is impacted?

[administrator@insightiq ~]$ openssl version -a

OpenSSL 1.0.1e-fips 11 Feb 2013

117 Posts

April 10th, 2014 09:00

My IIQ 3.0 VMware based appliance has this version:

[administrator@iiq30 ~]$ openssl version

OpenSSL 1.0.0-fips 29 Mar 2010

Did you perhaps update some of the OS packages afterwards with yum?

[administrator@iiq30 ~]$ sudo yum list openssl

Loaded plugins: fastestmirror

Determining fastest mirrors

* base: centos.mirror.ca.planethoster.net

* extras: centos.mirror.ca.planethoster.net

* updates: mirror.netaddicted.ca

Installed Packages

openssl.x86_64                                  1.0.0-27.el6                                       @anaconda-CentOS-201303050102.x86_64/6.4

Available Packages

openssl.i686                                    1.0.1e-16.el6_5.7                                  updates

openssl.x86_64                                  1.0.1e-16.el6_5.7                                  updates

20.4K Posts

April 10th, 2014 10:00

Here is the log of when I updated InsightIQ from 2.5.2 to 3.0; as you can see, it was part of the upgrade process.

[administrator@insightiq ~]$ sudo yum upgrade isilon-insightiq-3.0.0.0036-1.x86_64.rpm

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.

    #2) Think before you type.

    #3) With great power comes great responsibility.

[sudo] password for administrator:

Loaded plugins: fastestmirror

base                                                                                                | 3.7 kB     00:00

base/primary_db                                                                                     | 4.4 MB     00:01

extras                                                                                              | 3.4 kB     00:00

extras/primary_db                                                                                   |  19 kB     00:00

updates                                                                                             | 3.4 kB     00:00

updates/primary_db                                                                                  | 1.4 MB     00:01

Setting up Upgrade Process

Examining isilon-insightiq-3.0.0.0036-1.x86_64.rpm: isilon-insightiq-3.0.0.0036-1.x86_64

Marking isilon-insightiq-3.0.0.0036-1.x86_64.rpm as an update to isilon-insightiq-2.5.2.0003-1.x86_64

Resolving Dependencies

--> Running transaction check

---> Package isilon-insightiq.x86_64 0:2.5.2.0003-1 will be updated

---> Package isilon-insightiq.x86_64 0:3.0.0.0036-1 will be an update

--> Processing Dependency: autofs >= 1:5.0.5-73.el6 for package: isilon-insightiq-3.0.0.0036-1.x86_64

--> Processing Dependency: openssl-devel for package: isilon-insightiq-3.0.0.0036-1.x86_64

--> Processing Dependency: sssd for package: isilon-insightiq-3.0.0.0036-1.x86_64

--> Running transaction check

---> Package autofs.x86_64 1:5.0.5-54.el6 will be updated

---> Package autofs.x86_64 1:5.0.5-88.el6 will be an update

---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.4 will be installed

--> Processing Dependency: openssl = 1.0.1e-16.el6_5.4 for package: openssl-devel-1.0.1e-16.el6_5.4.x86_64

--> Processing Dependency: zlib-devel for package: openssl-devel-1.0.1e-16.el6_5.4.x86_64

--> Processing Dependency: pkgconfig for package: openssl-devel-1.0.1e-16.el6_5.4.x86_64

--> Processing Dependency: krb5-devel for package: openssl-devel-1.0.1e-16.el6_5.4.x86_64

--> Processing Dependency: /usr/bin/pkg-config for package: openssl-devel-1.0.1e-16.el6_5.4.x86_64

20.4K Posts

April 10th, 2014 12:00

InsightIQ application is happy? No issues?

117 Posts

April 10th, 2014 12:00

Yes, to test the update procedure.

117 Posts

April 10th, 2014 12:00

In the output of 'openssl version -a', pay attention to the 'built on:' line. 1.0.1e versions built before April 7th are vulnerable.

If you update to OpenSSL 1.0.1e-16.el6_5.7 you should get a version built on April 8th.

sudo yum clean all

sudo yum update openssl

The installed openssl should return the following:

[administrator@iiq30 ~]$ openssl version -a

OpenSSL 1.0.1e-fips 11 Feb 2013

built on: Tue Apr  8 02:39:29 UTC 2014

...

You have to manually restart InsightIQ after the update.  In my VMware based appliance, I use: sudo service insightiq restart

Keep in mind that restarting InsightIQ will cause web clients to lose access for a brief period.

CentOS / Red Hat links on the patched OpenSSL lib.

http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

Red Hat Customer Portal
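An added example, not written by anyone in this thread: a POSIX shell function that applies the rule from the post above (1.0.1 through 1.0.1f are affected; a CentOS/Red Hat 1.0.1e build dated on or after April 7th, 2014 carries the backported fix; 0.9.8 and 1.0.0 never had the heartbeat code) to the text of `openssl version -a`. The 0.9.8x, 1.0.0 and April 8th samples are the ones quoted in this thread; the February build date used below is constructed.

```shell
#!/bin/sh
# heartbleed_check OUTPUT
#   OUTPUT is the text of `openssl version -a`. Prints a verdict and
#   returns 0 (not affected), 1 (affected), or 2 (cannot tell).
# The build-date rule is the thread's heuristic for RHEL/CentOS
# backports; it does not replace a vendor advisory or a network test.
heartbleed_check() {
    out=$1
    ver=$(printf '%s\n' "$out" | awk '/^OpenSSL /{print $2; exit}')
    built=$(printf '%s\n' "$out" | awk -F'built on: ' '/^built on:/{print $2; exit}')

    case "$ver" in
        0.9.*|1.0.0*)
            echo "not affected: $ver predates the heartbeat extension"; return 0 ;;
        1.0.1|1.0.1-*|1.0.1[a-f]*)
            ;;   # candidate release; decide on the build date below
        1.0.1[g-z]*)
            echo "not affected: $ver is a fixed upstream release"; return 0 ;;
        *)
            echo "cannot tell: unrecognised version string '$ver'"; return 2 ;;
    esac

    case "$built" in
        ""|"date not available")
            echo "affected: $ver with no build date, treat as vulnerable"; return 1 ;;
    esac

    # "Tue Apr  8 02:39:29 UTC 2014" -> 20140408, compared with the cutoff
    if printf '%s\n' "$built" | awk -v cutoff=20140407 '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i in m) mon[m[i]] = i }
        { d = sprintf("%04d%02d%02d", $NF, mon[$2], $3); exit !(d >= cutoff) }'
    then
        echo "not affected: $ver built $built (on/after 2014-04-07 backport)"; return 0
    else
        echo "affected: $ver built $built (before the 2014-04-07 backport)"; return 1
    fi
}

# Stand-alone run against the live system:
# heartbleed_check "$(openssl version -a)"
```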

20.4K Posts

April 10th, 2014 12:00

Yan, did you update your appliance even though it was not vulnerable?

20.4K Posts

April 10th, 2014 13:00

Thank you Yan, I am going to patch mine (with VM snapshot prior just in case).

117 Posts

April 10th, 2014 13:00

Correct, no issues.  It has been running fine for the last hour since I restarted it.  I also added a new cluster to monitor to test that and the data is coming in fine.

718 Posts

May 14th, 2014 09:00

Hi all,

I'd like to invite everyone to join us on Monday, May 19 for our continued Heartbleed discussion: Ask the Expert - Heartbleed: What It Is & How to Detect It Using RSA Security Analytics. Also, make sure to watch our video introduction about Heartbleed detection.

RSVP today to reserve your spot and receive a reminder.

See you there!

3 Posts

September 5th, 2014 15:00

Kind of funny how this thread says no version is vulnerable and then I see this...

OneFS contains vulnerable OpenSSL code (OpenSSL 1.0.1e) to support HTTPS client (not server) functionality limited to connecting to the ESRS Gateway within the customer’s infrastructure. The affected component of OneFS is called ConnectEMC. For more information about the OpenSSL vulnerability in Isilon OneFS, see article 185961, OneFS: Impact of CVE-2014-0160 OpenSSL "heartbleed" vulnerability on Isilon clusters.
