Securing VMTurbo Operations Manager from the OpenSSL "Heartbleed" (CVE-2014-0160) vulnerability

This article describes steps to take to address a security vulnerability in OpenSSL, which is packaged with the virtual machine provided by VMTurbo. You may work with your company's Linux Security team to patch OpenSSL on your VMTurbo Server, or follow the instructions below, which will have you:

1. Verify the versions of openSUSE and OpenSSL running on your VMTurbo Server

2. Apply a patch to OpenSSL via a VMTurbo Offline Update

Background

A critical security vulnerability has been discovered in OpenSSL, a library in widespread use across the industry to provide SSL encryption support.

The VMTurbo appliance is based on openSUSE 12.3, which uses OpenSSL, and should therefore be updated to ensure continued security.

Details

Detailed information on the vulnerability is outside the scope of this document, but at a high level, a programming error within OpenSSL means that a maliciously crafted endpoint could trick the server into sending arbitrary memory contents, which could then be examined for items such as private keys.

Verify openSUSE and OpenSSL Versions

Check the OS version. Log in to the command line of the VMTurbo Operations Manager using SSH (or directly on the console) with the credentials of user id: root and password: vmturbo (the default, if you haven't changed it) and run the following command:

vmturbo:~ # cat /etc/SuSE-release

You should see output which looks like this:

openSUSE 12.3 (x86_64)
VERSION = 12.3
CODENAME = Dartmouth

NOTE: If your output differs in any way, please do not continue with these instructions because you are likely running an older version and/or older platform of Operations Manager and need to follow this KB Article in order to properly migrate to a supported configuration. IMPORTANT: After following those steps, you will need to come back here to update your version of OpenSSL.

Next, check the OpenSSL version:

vmturbo:~ # rpm -qa | grep openssl

You should see output which looks like this:

libopenssl1_0_0-1.0.1e-1.26.1.x86_64
openssl-1.0.1e-1.26.1.x86_64

If your output shows a version less than 1.0.1e-1.44.1.x86_64, your system is vulnerable and you should follow the instructions below to update it as soon as possible.

Installing the updated OpenSSL package

After verifying the OS and OpenSSL versions, please download the offline update from:

http://download.vmturbo.com/appliance/download/suse/updates/12.3/update64-99999.zip

This update contains only the updated OpenSSL libraries.  It will not change the build number of your existing Operations Manager.

Instructions for applying an offline update can be found in the KB article at:

https://support.vmturbo.com/hc/en-us/articles/200682076

You will want to start at Step 2 because you've already downloaded this update file.

After installing the patch, reboot the OS so that all services pick up the new OpenSSL library:

vmturbo:~ # reboot

Your Operations Manager services will restart automatically. 

NOTE: The openSUSE project uses slightly different version numbers for OpenSSL. The OpenSSL package for openSUSE that contains the fix is 1.0.1e-1.44.1. Various sites, including heartbleed.com, state that all upstream OpenSSL versions up to and including 1.0.1f are vulnerable and that version 1.0.1g is required for the fix; those upstream version numbers do not map exactly to the OpenSSL packaged with openSUSE, because the fix was backported into the 1.0.1e package.
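The version check from "Verify openSUSE and OpenSSL Versions" and the openSUSE-specific fixed release from the note above, written up as a small shell helper. This is an added example, not part of the VMTurbo article or its update package; it assumes package names in the form printed by rpm -qa (e.g. openssl-1.0.1e-1.26.1.x86_64), and the sample names in the comments are constructed from the article's output.

```shell
#!/bin/bash
# Added helper (not VMTurbo's tooling): classify an openSUSE 12.3 openssl RPM
# against the fixed build 1.0.1e-1.44.1 named in the article. Assumes package
# names like the "rpm -qa | grep openssl" output shown there.

FIXED_VERSION="1.0.1e"
FIXED_RELEASE="1.44.1"

# Compare two dotted release strings field by field, numerically.
# Prints -1, 0 or 1 for a<b, a==b, a>b (so 1.26.1 < 1.44.1 and 1.44 < 1.44.1).
cmp_release() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return; }
    [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return; }
  done
  echo 0
}

# openssl_status <rpm package name> -> prints patched | vulnerable | unknown
# "unknown" means the upstream version is not 1.0.1e, so the openSUSE
# release-number comparison from the article does not apply to it.
openssl_status() {
  vr=${1#*-}          # drop the package name:  1.0.1e-1.26.1.x86_64
  vr=${vr%.*}         # drop the architecture:  1.0.1e-1.26.1
  ver=${vr%%-*}       # upstream version:       1.0.1e
  rel=${vr#*-}        # openSUSE release:       1.26.1
  if [ "$ver" != "$FIXED_VERSION" ]; then
    echo unknown
  elif [ "$(cmp_release "$rel" "$FIXED_RELEASE")" -lt 0 ]; then
    echo vulnerable
  else
    echo patched
  fi
}

# With package names as arguments, classify those; with none, query the
# local RPM database the same way the article does.
if [ "$#" -gt 0 ]; then
  for pkg; do printf '%s: %s\n' "$pkg" "$(openssl_status "$pkg")"; done
elif command -v rpm >/dev/null 2>&1; then
  for pkg in $(rpm -qa | grep -i openssl); do
    printf '%s: %s\n' "$pkg" "$(openssl_status "$pkg")"
  done
fi
```

Run it with no arguments on the appliance to classify every installed openssl package, or pass package names (for instance from a saved rpm -qa listing) to check them offline.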

Comments

  • Danny Simpson

    Very helpful, thank you

  • Keith Carroll

    Excellent!