peglarr
2 Iron

Isilon and OpenSSL Heartbleed

Some of you may be wondering if Isilon nodes, at any rev of OneFS, are affected by the OpenSSL Heartbleed vulnerability.

The answer is no - no version of OneFS is affected. 

I hope all of you are taking this vuln seriously with your own web browsing behavior - many sites are indeed affected, as well as many popular open source/free source OSes. 

Accepted Solutions
Yan_Faubert
2 Iron

Re: Isilon and OpenSSL Heartbleed

KB# 186055 is available regarding InsightIQ.  (Impact of OpenSSL "heartbleed" vulnerability in InsightIQ Virtual Machines)

https://support.emc.com/kb/186055

16 Replies

Re: Isilon and OpenSSL Heartbleed

How do I check what version of OpenSSL is installed on my Isilon Cluster?

dynamox
6 Gallium

Re: Isilon and OpenSSL Heartbleed

openssl version -a

Re: Isilon and OpenSSL Heartbleed

Thanks, that did the trick!

isilon# oppenssl version -a

zsh: command not found: oppenssl

isilon21-1# openssl

OpenSSL> version -a

OpenSSL 0.9.8x 10 May 2012

built on: date not available

platform: FreeBSD-i386

options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)

compiler: cc

OPENSSLDIR: "/etc/ssl"

OpenSSL>

dynamox
6 Gallium

Re: Isilon and OpenSSL Heartbleed

Rob, looks like InsightIQ (version 3.0 appliance provided by EMC) is impacted?

[administrator@insightiq ~]$ openssl version -a

OpenSSL 1.0.1e-fips 11 Feb 2013

Yan_Faubert
2 Iron

Re: Isilon and OpenSSL Heartbleed

My IIQ 3.0 VMware based appliance has this version:

[administrator@iiq30 ~]$ openssl version

OpenSSL 1.0.0-fips 29 Mar 2010

Did you perhaps update some of the OS packages afterwards with yum?

[administrator@iiq30 ~]$ sudo yum list openssl

Loaded plugins: fastestmirror

Determining fastest mirrors

* base: centos.mirror.ca.planethoster.net

* extras: centos.mirror.ca.planethoster.net

* updates: mirror.netaddicted.ca

Installed Packages

openssl.x86_64                                  1.0.0-27.el6                                       @anaconda-CentOS-201303050102.x86_64/6.4

Available Packages

openssl.i686                                    1.0.1e-16.el6_5.7                                  updates

openssl.x86_64                                  1.0.1e-16.el6_5.7                                  updates

dynamox
6 Gallium

Re: Re: Isilon and OpenSSL Heartbleed

Here is the log of when I updated InsightIQ from 2.5.2 to 3.0; as you can see, it was part of the upgrade process.

[administrator@insightiq ~]$ sudo yum upgrade isilon-insightiq-3.0.0.0036-1.x86_64.rpm

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.

    #2) Think before you type.

    #3) With great power comes great responsibility.

[sudo] password for administrator:

Loaded plugins: fastestmirror

base                                                                                                | 3.7 kB     00:00

base/primary_db                                                                                     | 4.4 MB     00:01

extras                                                                                              | 3.4 kB     00:00

extras/primary_db                                                                                   |  19 kB     00:00

updates                                                                                             | 3.4 kB     00:00

updates/primary_db                                                                                  | 1.4 MB     00:01

Setting up Upgrade Process

Examining isilon-insightiq-3.0.0.0036-1.x86_64.rpm: isilon-insightiq-3.0.0.0036-1.x86_64

Marking isilon-insightiq-3.0.0.0036-1.x86_64.rpm as an update to isilon-insightiq-2.5.2.0003-1.x86_64

Resolving Dependencies

--> Running transaction check

---> Package isilon-insightiq.x86_64 0:2.5.2.0003-1 will be updated

---> Package isilon-insightiq.x86_64 0:3.0.0.0036-1 will be an update

--> Processing Dependency: autofs >= 1:5.0.5-73.el6 for package: isilon-insightiq-3.0.0.0036-1.x86_64

--> Processing Dependency: openssl-devel for package: isilon-insightiq-3.0.0.0036-1.x86_64

--> Processing Dependency: sssd for package: isilon-insightiq-3.0.0.0036-1.x86_64

--> Running transaction check

---> Package autofs.x86_64 1:5.0.5-54.el6 will be updated

---> Package autofs.x86_64 1:5.0.5-88.el6 will be an update

---> Package openssl-devel.x86_64 0:1.0.1e-16.el6_5.4 will be installed

--> Processing Dependency: openssl = 1.0.1e-16.el6_5.4 for package: openssl-devel-1.0.1e-16.el6_5.4.x86_64

--> Processing Dependency: zlib-devel for package: openssl-devel-1.0.1e-16.el6_5.4.x86_64

--> Processing Dependency: pkgconfig for package: openssl-devel-1.0.1e-16.el6_5.4.x86_64

--> Processing Dependency: krb5-devel for package: openssl-devel-1.0.1e-16.el6_5.4.x86_64

--> Processing Dependency: /usr/bin/pkg-config for package: openssl-devel-1.0.1e-16.el6_5.4.x86_64

Yan_Faubert
2 Iron

Re: Re: Re: Isilon and OpenSSL Heartbleed

In the output of 'openssl version -a', pay attention to the built on: line. 1.0.1e versions built before April 7th are vulnerable.

If you update to OpenSSL 1.0.1e-16.el6_5.7 you should get a version built on April 8th.

sudo yum clean all

sudo yum update openssl

The installed openssl should return the following:

[administrator@iiq30 ~]$ openssl version -a

OpenSSL 1.0.1e-fips 11 Feb 2013

built on: Tue Apr  8 02:39:29 UTC 2014

...

You have to manually restart InsightIQ after the update.  In my VMware based appliance, I use: sudo service insightiq restart

Keep in mind that restarting InsightIQ will cause web clients to lose access for a brief period.

CentOS / Red Hat links on the patched OpenSSL lib.

http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html

Red Hat Customer Portal
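
The version-plus-build-date check described in the post above, written as a script. This is an added example, not part of the original post or any EMC tooling. It generalizes the post's 1.0.1e rule to the whole affected range (1.0.1 through 1.0.1f), and the function name, verdict words and the first sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `openssl version -a` output on
# stdin and prints one verdict word. Verdict names are assumptions.
CUTOFF=20140407   # rule from the thread: 1.0.1e built before April 7th is vulnerable

heartbleed_verdict() {
    awk -v cutoff="$CUTOFF" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        /^OpenSSL [0-9]/ { ver = $2 }          # e.g. "1.0.1e-fips"
        /^built on:/ {                         # "built on: Tue Apr  8 02:39:29 UTC 2014"
            if (($4 in mon) && $NF ~ /^[0-9][0-9][0-9][0-9]$/)
                built = sprintf("%04d%02d%02d", $NF, mon[$4], $5)
        }
        END {
            pre = (ver ~ /-(beta|pre|dev)/)    # pre-releases are not classified
            sub(/-.*/, "", ver)                # drop suffixes such as "-fips"
            if (ver == "" || pre)              print "unknown"
            else if (ver !~ /^1\.0\.1[a-f]?$/) print "not-affected"
            else if (built == "")              print "check-vendor"
            else if (built + 0 < cutoff + 0)   print "vulnerable"
            else                               print "patched-build"
        }'
}

# Constructed sample: same version string as in the thread, earlier build date.
sample_old='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan  8 18:40:59 UTC 2014'
# Output quoted in the thread after `yum update openssl`.
sample_new='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 02:39:29 UTC 2014'

printf 'sample_old: %s\n' "$(printf '%s\n' "$sample_old" | heartbleed_verdict)"
printf 'sample_new: %s\n' "$(printf '%s\n' "$sample_new" | heartbleed_verdict)"

# Classify the local binary when one is installed.
if command -v openssl >/dev/null 2>&1; then
    printf 'local: %s\n' "$(openssl version -a | heartbleed_verdict)"
fi
```

A "check-vendor" verdict means the version string is in the affected range but no usable build date was printed, so the package changelog or vendor advisory has to settle it.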

dynamox
6 Gallium

Re: Re: Re: Isilon and OpenSSL Heartbleed

Yan, did you update your appliance even though it was not vulnerable?

Yan_Faubert
2 Iron

Re: Re: Re: Isilon and OpenSSL Heartbleed

Yes, to test the update procedure.