Isilon and OpenSSL Heartbleed
Some of you may be wondering if Isilon nodes, at any rev of OneFS, are affected by the OpenSSL Heartbleed vulnerability.
The answer is no - no version of OneFS is affected.
I hope all of you are taking this vuln seriously with your own web browsing behavior - many sites are indeed affected, as well as many popular open source/free source OSes.
Yan_Faubert
117 Posts
0
April 15th, 2014 06:00
KB# 186055 is available regarding InsightIQ. (Impact of OpenSSL "heartbleed" vulnerability in InsightIQ Virtual Machines)
https://support.emc.com/kb/186055
rafaelvelazquez
3 Posts
0
April 9th, 2014 15:00
How do I check what version of OpenSSL is installed on my Isilon Cluster?
dynamox
20.4K Posts
0
April 9th, 2014 16:00
openssl version -a
rafaelvelazquez
3 Posts
0
April 9th, 2014 16:00
Thanks, that did the trick!
isilon# oppenssl version -a
zsh: command not found: oppenssl
isilon21-1# openssl
OpenSSL> version -a
OpenSSL 0.9.8x 10 May 2012
built on: date not available
platform: FreeBSD-i386
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: cc
OPENSSLDIR: "/etc/ssl"
OpenSSL>
dynamox
20.4K Posts
0
April 10th, 2014 04:00
Rob, looks like InsightIQ (version 3.0 appliance provided by EMC) is impacted?
[administrator@insightiq ~]$ openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
Yan_Faubert
117 Posts
0
April 10th, 2014 09:00
My IIQ 3.0 VMware based appliance has this version:
[administrator@iiq30 ~]$ openssl version
OpenSSL 1.0.0-fips 29 Mar 2010
Did you perhaps update some of the OS packages afterwards with yum?
[administrator@iiq30 ~]$ sudo yum list openssl
Loaded plugins: fastestmirror
Determining fastest mirrors
* base: centos.mirror.ca.planethoster.net
* extras: centos.mirror.ca.planethoster.net
* updates: mirror.netaddicted.ca
Installed Packages
openssl.x86_64 1.0.0-27.el6 @anaconda-CentOS-201303050102.x86_64/6.4
Available Packages
openssl.i686 1.0.1e-16.el6_5.7 updates
openssl.x86_64 1.0.1e-16.el6_5.7 updates
dynamox
20.4K Posts
0
April 10th, 2014 10:00
Here is the log of when I updated InsightIQ from 2.5.2 to 3.0. As you can see, it was part of the upgrade process.
dynamox
20.4K Posts
0
April 10th, 2014 12:00
InsightIQ application is happy? No issues?
Yan_Faubert
117 Posts
1
April 10th, 2014 12:00
Yes, to test the update procedure.
Yan_Faubert
117 Posts
1
April 10th, 2014 12:00
In the output of 'openssl version -a', pay attention to the built on: line. 1.0.1e versions built before April 7th are vulnerable.
If you update to OpenSSL 1.0.1e-16.el6_5.7 you should get a version built on April 8th.
sudo yum clean all
sudo yum update openssl
The installed openssl should return the following:
You have to manually restart InsightIQ after the update. In my VMware based appliance, I use: sudo service insightiq restart
Keep in mind that restarting InsightIQ will cause web clients to lose access for a brief period.
CentOS / Red Hat links on the patched OpenSSL lib.
http://lists.centos.org/pipermail/centos-announce/2014-April/020249.html
Red Hat Customer Portal
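The check described above (`openssl version -a` plus the built on: line), as an added shell example that is not part of the original posts: it classifies the output using the thread's April 7th build-date rule together with the upstream affected range for CVE-2014-0160 (1.0.1 through 1.0.1f, and 1.0.2-beta1). The function name, the status words and the sample "built on" dates are constructed for illustration.

```shell
#!/bin/sh
# Added example. heartbleed_status reads `openssl version -a` output on stdin
# and prints one word for CVE-2014-0160:
#   not-affected   branch other than 1.0.1 (0.9.8x, 1.0.0, ...)
#   fixed          upstream 1.0.1g or later
#   vulnerable     1.0.1 .. 1.0.1f built before 2014-04-07, or 1.0.2-beta1
#   patched-build  1.0.1 .. 1.0.1f built on/after 2014-04-07 (the thread's rule)
#   unknown        no version line, or 1.0.1 .. 1.0.1f without a parsable date
heartbleed_status() {
  awk '
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= n; i++) mon[m[i]] = i
    }
    /^OpenSSL [0-9]/ { raw = $2; ver = raw; sub(/-.*/, "", ver) }  # drop "-fips"
    /^built on:/ {
      # ctime style, e.g. "built on: Tue Apr  8 02:39:29 UTC 2014"
      if (($4 in mon) && $NF ~ /^[0-9][0-9][0-9][0-9]$/)
        built = $NF * 10000 + mon[$4] * 100 + $5   # yyyymmdd as an integer
    }
    END {
      if (raw == "")                        print "unknown"
      else if (raw ~ /^1\.0\.2-beta1/)      print "vulnerable"
      else if (ver !~ /^1\.0\.1[a-z]?$/)    print "not-affected"
      else if (ver ~ /^1\.0\.1[g-z]$/)      print "fixed"
      else if (!built)                      print "unknown"
      else if (built < 20140407)            print "vulnerable"
      else                                  print "patched-build"
    }'
}

# Constructed samples: the version strings are the ones quoted in the thread;
# the 1.0.1e "built on" dates are made up for illustration.
ONEFS='OpenSSL 0.9.8x 10 May 2012
built on: date not available'
IIQ_OLD='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Wed Jan  8 18:40:59 UTC 2014'
IIQ_NEW='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Apr  8 02:39:29 UTC 2014'

for s in "$ONEFS" "$IIQ_OLD" "$IIQ_NEW"; do
  printf '%s\n' "$s" | heartbleed_status
done
# On a live host: openssl version -a | heartbleed_status
```

The build-date rule is the thread's heuristic for the CentOS / Red Hat packages, not a guarantee. The result describes only the `openssl` binary that produced the output, not OpenSSL copies bundled inside other software.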
dynamox
20.4K Posts
0
April 10th, 2014 12:00
Yan, did you update your appliance even though it was not vulnerable?
dynamox
20.4K Posts
0
April 10th, 2014 13:00
Thank you Yan, I am going to patch mine (with VM snapshot prior just in case).
Yan_Faubert
117 Posts
1
April 10th, 2014 13:00
Correct, no issues. It has been running fine for the last hour since I restarted it. I also added a new cluster to monitor to test that and the data is coming in fine.
RobertoAraujo1
718 Posts
1
May 14th, 2014 09:00
Hi all,
I'd like to invite everyone to join us on Monday, May 19 for our continued Heartbleed discussion: Ask the Expert - Heartbleed: What It Is & How to detect it using RSA Security Analytics. Also, make sure to watch our video introduction about Heartbleed detection.
RSVP today to reserve your spot and receive a reminder.
See you there!
PDIsilon
3 Posts
0
September 5th, 2014 15:00
Kind of funny how this thread says no version is vulnerable and then I see this...
OneFS contains vulnerable OpenSSL code (OpenSSL 1.0.1e) to support HTTPS client (not server) functionality limited to connecting to the ESRS Gateway within the customer’s infrastructure. The affected component of OneFS is called ConnectEMC. For more information about the OpenSSL vulnerability in Isilon OneFS, see article 185961, OneFS: Impact of CVE-2014-0160 OpenSSL "heartbleed" vulnerability on Isilon clusters.