Topic
  • 9 replies
  • Latest Post - 2014-04-23T00:54:08Z by mduff
mduff
35 Posts

Pinned topic Heartbleed issue

2014-04-11T17:44:29Z

Hello,

This is more of a sanity check, but I just wanted to make sure there are no issues around the Heartbleed (http://heartbleed.com/) problem.

From an SSL perspective, all GPFS needs is a functioning SSH and SSL, correct?

Thank you.

  • bhartner
    58 Posts

    Re: Heartbleed issue

    2014-04-15T13:45:26Z

    Please see https://www-304.ibm.com/support/docview.wss?uid=isg3T1020681

  • YannickBergeron
    35 Posts

    Re: Heartbleed issue

    2014-04-15T14:26:47Z

    There is the following advisory: https://www-304.ibm.com/support/docview.wss?uid=isg3T1020681

    However, please note that I've seen on several websites that OpenSSH and SSH keys are not affected... so this advisory is kinda confusing with what I've seen so far.

    I would also like to understand whether a self-compiled setup (OpenSSH 6.5p1 with openssl 1.0.1f) used before Thursday April 10, 2014 and updated to OpenSSH 6.6p1 with openssl 1.0.1g on Thursday 10, 2014 would be in scope.

  • yuri
    206 Posts

    Re: Heartbleed issue

    2014-04-15T15:53:43Z

    There is the following advisory: https://www-304.ibm.com/support/docview.wss?uid=isg3T1020681

    However, please note that I've seen on several websites that OpenSSH and SSH keys are not affected... so this advisory is kinda confusing with what I've seen so far.

    I would also like to understand whether a self-compiled setup (OpenSSH 6.5p1 with openssl 1.0.1f) used before Thursday April 10, 2014 and updated to OpenSSH 6.6p1 with openssl 1.0.1g on Thursday 10, 2014 would be in scope.

    GPFS can be affected directly by the Heartbleed vulnerability if GPFS is configured to do connection authentication (cipherList is set).  As explained in the official advisory, it would be prudent to regenerate GPFS cluster keys after upgrading OpenSSL.  GPFS can also use ssh, and of course OpenSSH uses OpenSSL, but there's nothing specific to GPFS in that area; whether OpenSSH keys need to be regenerated is for OpenSSH folks to prescribe.

    yuri

  • YannickBergeron
    35 Posts

    Re: Heartbleed issue

    2014-04-15T17:37:03Z
    • yuri
    • 2014-04-15T15:53:43Z

    GPFS can be affected directly by the Heartbleed vulnerability if GPFS is configured to do connection authentication (cipherList is set).  As explained in the official advisory, it would be prudent to regenerate GPFS cluster keys after upgrading OpenSSL.  GPFS can also use ssh, and of course OpenSSH uses OpenSSL, but there's nothing specific to GPFS in that area; whether OpenSSH keys need to be regenerated is for OpenSSH folks to prescribe.

    yuri

    So if the output of "mmauth show all" is similar to this one, GPFS is not considered affected by the heartbleed vulnerability, right?

    # mmauth show all
    Cluster name:        my.cluster.name.com (this cluster)
    Cipher list:         (none specified)
    SHA digest:          (undefined)
    File system access:  (all rw)

  • yuri
    206 Posts

    Re: Heartbleed issue

    2014-04-15T17:41:09Z

    So if the output of "mmauth show all" is similar to this one, GPFS is not considered affected by the heartbleed vulnerability, right?

    # mmauth show all
    Cluster name:        my.cluster.name.com (this cluster)
    Cipher list:         (none specified)
    SHA digest:          (undefined)
    File system access:  (all rw)

    Correct.  You don't have cipher list set (this can also be checked via mmlsconfig, look for cipherList), and thus are not affected.

    yuri

  • oester
    107 Posts

    Re: Heartbleed issue

    2014-04-15T17:46:33Z
    • yuri
    • 2014-04-15T17:41:09Z

    Correct.  You don't have cipher list set (this can also be checked via mmlsconfig, look for cipherList), and thus are not affected.

    yuri

    If you are using an openssl version prior to 1.0.1, then you are NOT impacted, correct?

    [root ~]# rpm -qa | grep openssl
    openssl-1.0.0-25.el6_3.1.x86_64

    Because OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable to the Heartbleed Bug.

    Updated on 2014-04-15T17:47:34Z by oester

  • yuri
    206 Posts

    Re: Heartbleed issue

    2014-04-15T18:09:14Z
    • oester
    • 2014-04-15T17:46:33Z

    If you are using an openssl version prior to 1.0.1, then you are NOT impacted, correct?

    [root ~]# rpm -qa | grep openssl
    openssl-1.0.0-25.el6_3.1.x86_64

    Because OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable to the Heartbleed Bug.

    That question should really be directed at the vendor who supplied the OpenSSL packages, in this case RedHat.  The version string per se is not always meaningful, because Linux distro vendors sometimes pull in upstream patches.  My reading of the RHEL advisory (https://access.redhat.com/site/solutions/781793) suggests that openssl-1.0.0-25.el6_3.1 should not be affected, but you really want to double-check with RH to be positive.

    yuri
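
    The two checks yuri describes above (cipherList via "mmauth show all", and the OpenSSL package version with its backport caveat), put together as an added POSIX sh example that is not from the thread or from IBM. The mmauth text and the rpm names it is run on are constructed samples; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or from IBM: classify a GPFS node's
# exposure to the Heartbleed advisory using the two checks discussed above.
# The mmauth output and rpm names are CONSTRUCTED samples so the script runs
# offline; on a real node feed it `mmauth show all` and `rpm -q openssl` output.

# Prints "set", "none" or "unknown" given the text of `mmauth show all`.
gpfs_cipher_list() {
    line=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Cipher list:[[:space:]]*//p' | head -n 1)
    case "$line" in
        '')                 echo unknown ;;   # no such line: cannot tell
        '(none specified)') echo none ;;
        *)                  echo set ;;
    esac
}

# Prints "in-range", "outside-range" or "unknown" from an openssl rpm name.
# Only the upstream version is inspected (1.0.1 .. 1.0.1f inclusive); distro
# backports are invisible here, which is the caveat yuri raises above.
openssl_upstream_range() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^openssl-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\)-.*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo in-range ;;
        '')               echo unknown ;;
        *)                echo outside-range ;;
    esac
}

# Combines both checks. GPFS itself is only in scope when a cipherList is
# set; with a vulnerable upstream OpenSSL the advisory's key regeneration
# applies, otherwise the version string alone cannot settle it.
heartbleed_scope() {
    cl=$(gpfs_cipher_list "$1")
    ov=$(openssl_upstream_range "$2")
    if [ "$cl" = none ]; then
        echo not-affected-gpfs      # no cipherList: GPFS not in scope
    elif [ "$cl" = set ] && [ "$ov" = in-range ]; then
        echo regenerate-keys        # upgrade OpenSSL, then regenerate cluster keys
    else
        echo verify-with-vendor     # backports etc.: confirm with the OpenSSL vendor
    fi
}

SAMPLE_MMAUTH='Cluster name:        my.cluster.name.com (this cluster)
Cipher list:         (none specified)
SHA digest:          (undefined)
File system access:  (all rw)'
SAMPLE_RPM='openssl-1.0.0-25.el6_3.1.x86_64'   # constructed, mirrors the thread
heartbleed_scope "$SAMPLE_MMAUTH" "$SAMPLE_RPM"   # prints: not-affected-gpfs
```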

  • yuri
    206 Posts

    Re: Heartbleed issue

    2014-04-22T22:39:44Z

    There is the following advisory: https://www-304.ibm.com/support/docview.wss?uid=isg3T1020681

    However, please note that I've seen on several websites that OpenSSH and SSH keys are not affected... so this advisory is kinda confusing with what I've seen so far.

    I would also like to understand whether a self-compiled setup (OpenSSH 6.5p1 with openssl 1.0.1f) used before Thursday April 10, 2014 and updated to OpenSSH 6.6p1 with openssl 1.0.1g on Thursday 10, 2014 would be in scope.

    There has been some unfortunate churn in the Heartbleed-related advisories issued for GPFS... our sincere apologies.  Long story short, the latest update (from today, Apr 22 2014) attempts to set the story straight.  While GPFS for Linux and AIX does not ship OpenSSL, and no GPFS code update per se is needed, GPFS can be configured to use OpenSSL, and in that case sensitive information leakage is possible, and some action (described in the advisory) to regenerate potentially exposed keys would be prudent.

    yuri

  • mduff
    35 Posts

    Re: Heartbleed issue

    2014-04-23T00:54:08Z

    Thank you Yuri.

    The link above does not work any more.

    Here is the active link:  https://www-304.ibm.com/support/docview.wss?uid=isg3T1020713