ESA-20: OpenSSL CCS Injection Vulnerability Affects Load Balancing and Imaging Service EMIs
====================================================================
Eucalyptus Security Advisory
Advisory ID: ESA-20
Issue Date: 2014-06-06
Last Updated: 2014-06-06
Severity Level: Important
Affected Versions: Eucalyptus 3.4.2 and Eucalyptus 4.0.0
CVE Number: CVE-2014-0224
====================================================================
OVERVIEW
------------
The CCS injection vulnerability affecting all versions of OpenSSL allows for a man-in-the-middle attack against SSL/TLS connections. This vulnerability affects EMIs provided as part of the Eucalyptus Imaging and Load Balancing services. The 4.0.0 eucalyptus-load-balancer-image package v1.1.0, 4.0.0 eucalyptus-imaging-worker-image v1.0.1, and 3.4.2 eucalyptus-load-balancer-image package v1.0.6 with the fixed OpenSSL packages are now available. We recommend updating all affected EMIs, and the instances launched from them, as soon as possible.
DESCRIPTION
-------------
The CCS injection vulnerability has been announced in the OpenSSL library:
https://www.openssl.org/news/secadv_20140605.txt
This vulnerability allows for a man-in-the-middle attack against SSL/TLS connections in which data exchanged over the encrypted channel can be decrypted by an unauthorized party. The vulnerability can only be exploited if both server *and* client are vulnerable to the issue:
https://access.redhat.com/site/articles/904433?sc_cid=70160000000dOVdAAM
The following EMIs are affected:
- Any Load Balancer 4.0.0 EMI built from the eucalyptus-load-balancer-image package v1.0.5-0.206 is directly affected and should be updated as soon as possible.
- Any Imaging Worker 4.0.0 EMI built from the eucalyptus-imaging-worker-image v1.0.0-0.174 is not directly affected but contains a vulnerable version of OpenSSL.
- Any Load Balancer 3.4.0 EMI built from the eucalyptus-load-balancer-image package v1.0.4-0.164 and prior is not directly affected but contains a potentially vulnerable version of OpenSSL.
SOLUTION
-------------
The 4.0.0 eucalyptus-load-balancer-image package v1.1.0, 4.0.0 eucalyptus-imaging-worker-image v1.0.1, and 3.4.2 eucalyptus-load-balancer-image package v1.0.6 with the fixed OpenSSL packages are now available.
Install new Imaging Worker and Load Balancer EMIs using updated packages available at:
http://downloads.eucalyptus.com/
Instructions for installing the Load Balancer EMI can be found at:
- https://www.eucalyptus.com/docs/eucalyptus/4.0/index.html#install-guide/configure_load_balancer.html
- https://www.eucalyptus.com/docs/eucalyptus/3.4/index.html#install-guide/configure_load_balancer.html
Instructions for installing the Imaging Worker EMI can be found at:
- https://www.eucalyptus.com/docs/eucalyptus/4.0/index.html#install-guide/configure_imaging_service.html
Instances running from the affected Load Balancer 4.0.0 EMI should be terminated or updated to the latest OpenSSL packages.
WORKAROUND
-------------
Instances running from the affected EMIs can be updated to the latest OpenSSL packages:
# yum update openssl
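One way to confirm on an instance that the update above actually took effect, as an added example that is not part of the advisory or of Eucalyptus' own tooling: it assumes an RPM-based image (which the yum workaround implies) where the fixed openssl package's changelog names CVE-2014-0224, and it flags processes that still map the pre-update libssl/libcrypto, since those keep the vulnerable code in memory until restarted. The function names, sample changelog and sample maps lines are constructed for this example so it also runs offline.

```shell
#!/bin/sh
# Added example (not Eucalyptus code): verify that "yum update openssl" for
# CVE-2014-0224 took effect on an RPM-based Load Balancer / Imaging Worker instance.
CVE="CVE-2014-0224"

# Read an rpm changelog on stdin; print "fixed" if it names the CVE, else "missing".
changelog_has_fix() {
    if grep -q "$CVE"; then echo fixed; else echo missing; fi
}

# Read /proc/<pid>/maps lines on stdin; print libssl/libcrypto paths that are
# still mapped but marked "(deleted)", i.e. the process loaded the library
# before the update and keeps the old code until it is restarted.
stale_ssl_libs() {
    grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' | awk '{print $6}' | sort -u
}

# Constructed sample input (not real package or kernel output) for offline runs.
SAMPLE_CHANGELOG='* Thu Jun 05 2014 Example Packager <pkg@example.invalid>
- fix CVE-2014-0224 - SSL/TLS MITM vulnerability'
SAMPLE_MAPS='7f1b2c000000-7f1b2c1c5000 r-xp 00000000 fd:01 1234 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1b2c400000-7f1b2c45f000 r-xp 00000000 fd:01 1235 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1b2c800000-7f1b2c9a0000 r-xp 00000000 fd:01 1236 /lib64/libc-2.12.so'

main() {
    if command -v rpm >/dev/null 2>&1; then
        echo "installed: $(rpm -q openssl 2>&1)"
        echo "changelog: $(rpm -q --changelog openssl 2>/dev/null | changelog_has_fix)"
        echo "processes still mapping the old libssl/libcrypto (restart these):"
        for m in /proc/[0-9]*/maps; do
            libs=$(stale_ssl_libs < "$m" 2>/dev/null) || libs=""
            if [ -n "$libs" ]; then echo "  ${m%/maps}: $libs"; fi
        done
    else
        echo "rpm not found; running the checks on the constructed sample input:"
        echo "changelog: $(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_has_fix)"
        printf '%s\n' "$SAMPLE_MAPS" | stale_ssl_libs
    fi
}

main "$@"
```

A process listed under the stale-library check has not picked up the fix even though the package is updated, which is why the advisory's option of terminating instances is the simpler route for the Load Balancer EMI.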
CONTACT and HELP
-------------
Contact the Eucalyptus Security Team at secu...@eucalyptus.com.