Heartbleed issue
9 replies, latest post 2014-04-23T00:54:08Z by mduff

mduff
2014-04-11T17:44:29Z

Hello,

This is more of a sanity check, but I just wanted to make sure there are no issues around the Heartbleed (http://heartbleed.com/) problem.

From an SSL perspective, all GPFS needs is a functioning SSH and SSL, correct?

Thank you.

  • bhartner
    2014-04-15T13:45:26Z  in response to mduff

    Please see https://www-304.ibm.com/support/docview.wss?uid=isg3T1020681

  • YannickBergeron
    2014-04-15T14:26:47Z  in response to mduff

    There is the following advisory: https://www-304.ibm.com/support/docview.wss?uid=isg3T1020681

    However, please note that I've seen on several websites that OpenSSH and SSH keys are not affected... so this advisory is kinda confusing with what I've seen so far.

    I would also like to understand whether a self-compiled build (OpenSSH 6.5p1 with openssl 1.0.1f) used before Thursday April 10, 2014 and updated to OpenSSH 6.6p1 with openssl 1.0.1g on Thursday April 10, 2014 would be in scope.

    • yuri
      2014-04-15T15:53:43Z  in response to YannickBergeron

      GPFS can be affected directly by the Heartbleed vulnerability if GPFS is configured to do connection authentication (cipherList is set).  As explained in the official advisory, it would be prudent to regenerate GPFS cluster keys after upgrading OpenSSL.  GPFS can also use ssh, and of course OpenSSH uses OpenSSL, but there's nothing specific to GPFS in that area; whether OpenSSH keys need to be regenerated is for the OpenSSH folks to prescribe.

      yuri

      • YannickBergeron
        2014-04-15T17:37:03Z  in response to yuri

        So if the output of "mmauth show all" is similar to this one, GPFS is not considered affected by the Heartbleed vulnerability, right?

        # mmauth show all
        Cluster name:        my.cluster.name.com (this cluster)
        Cipher list:         (none specified)
        SHA digest:          (undefined)
        File system access:  (all rw)

        • yuri
          2014-04-15T17:41:09Z  in response to YannickBergeron

          Correct.  You don't have a cipher list set (this can also be checked via mmlsconfig; look for cipherList), and thus are not affected.

          yuri

          • oester
            2014-04-15T17:46:33Z  in response to yuri

            If you are using openssl version prior to 1.0.1, then you are NOT impacted, correct?

            [root ~]# rpm -qa | grep openssl
            openssl-1.0.0-25.el6_3.1.x86_64

            Because OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable to the Heartbleed Bug

            Updated on 2014-04-15T17:47:34Z by oester
            • yuri
              2014-04-15T18:09:14Z  in response to oester

              That question should really be directed at the vendor who supplied the OpenSSL packages, in this case RedHat.  The version string per se is not always meaningful, because Linux distro vendors sometimes pull in upstream patches.  My reading of the RHEL advisory (https://access.redhat.com/site/solutions/781793) suggests that openssl-1.0.0-25.el6_3.1 should not be affected, but you really want to double-check with RH to be positive.

              yuri
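A small script that combines the two checks discussed above (is cipherList set in the mmauth/mmlsconfig output, and does the OpenSSL package version fall in the upstream 1.0.1 to 1.0.1f range), added here as an example; it is not from the thread or from GPFS itself. It parses captured command output so it runs offline; the sample outputs and the AES128-SHA cipher value are constructed.

```shell
#!/bin/sh
# Constructed sample of "mmauth show all" output with no cipher list (as in the thread).
MMAUTH_NO_CIPHER='Cluster name:        my.cluster.name.com (this cluster)
Cipher list:         (none specified)
SHA digest:          (undefined)
File system access:  (all rw)'

# Constructed sample where cipherList is set (AES128-SHA is a hypothetical value).
MMAUTH_WITH_CIPHER='Cluster name:        my.cluster.name.com (this cluster)
Cipher list:         AES128-SHA
SHA digest:          (undefined)
File system access:  (all rw)'

# Returns 0 when the captured mmauth output shows a cipher list, i.e. GPFS does
# connection authentication over OpenSSL and the advisory applies to the cluster keys.
gpfs_cipherlist_set() {
  value=$(printf '%s\n' "$1" | sed -n 's/^Cipher list:[[:space:]]*//p')
  case "$value" in
    ''|'(none specified)') return 1 ;;
    *) return 0 ;;
  esac
}

# Returns 0 when the upstream part of an OpenSSL package version string falls in
# the Heartbleed range 1.0.1 .. 1.0.1f. The distro release suffix (after "-") is
# ignored: vendors backport fixes, so an in-range string alone is not conclusive.
openssl_upstream_vulnerable() {
  base=${1%%-*}
  case "$base" in
    1.0.1|1.0.1[a-f]) return 0 ;;
    *) return 1 ;;
  esac
}

# One verdict token per node:
#   not-affected    cipherList unset, GPFS is not using OpenSSL
#   upstream-range  cipherList set, version in range: apply the vendor OpenSSL fix,
#                   then regenerate the GPFS cluster keys as the advisory describes
#   outside-range   cipherList set, version outside the range: confirm with the
#                   vendor advisory before concluding the node is clean
heartbleed_gpfs_scope() {
  if ! gpfs_cipherlist_set "$1"; then
    echo not-affected
  elif openssl_upstream_vulnerable "$2"; then
    echo upstream-range
  else
    echo outside-range
  fi
}
# Live node: heartbleed_gpfs_scope "$(mmauth show all)" "$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl)"
```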

    • yuri
      2014-04-22T22:39:44Z  in response to YannickBergeron

      There has been some unfortunate churn in the Heartbleed-related advisories issued for GPFS... our sincere apologies.  Long story short, the latest update (from today, Apr 22 2014) attempts to set the story straight.  While GPFS for Linux and AIX does not ship OpenSSL, and no GPFS code update per se is needed, GPFS can be configured to use OpenSSL, and in that case sensitive information leakage is possible, and some action (described in the advisory) to regenerate potentially exposed keys would be prudent.

      yuri

  • mduff
    2014-04-23T00:54:08Z  in response to mduff

    Thank you Yuri.

    The link above does not work any more.

    Here is the active link:  https://www-304.ibm.com/support/docview.wss?uid=isg3T1020713