Heartbleed Security Bug: Update for Puppet Users


Eric Sorenson

Apr 9, 2014, 2:03:37 AM
to puppet...@googlegroups.com
As you probably know, the OpenSSL project recently announced a serious security vulnerability in OpenSSL affecting versions 1.0.1 and 1.0.2 (CVE-2014-0160[1]), currently referred to as "Heartbleed"[2]. This vulnerability allows unauthorized users access to private data such as encrypted traffic and the secret keys used to identify servers.

The security of Puppet infrastructure depends on OpenSSL being secure, so there are steps you must take to ensure your Puppet infrastructure is secure.

Puppet Labs has not shipped a vulnerable version of OpenSSL in Puppet or Puppet Enterprise. In many cases, however, Puppet and Puppet Enterprise rely on versions of OpenSSL shipped as part of an operating system.

**Many organizations will need to regenerate their Puppet-related Certificate Authority and all Puppet-related SSL certificates in their public key infrastructure.** You may also need to update OpenSSL as vendors release updates to address this vulnerability.

We have released step-by-step documentation for remediating the vulnerability on our docs site. You can find direct links to the relevant docs in this blog post:

Heartbleed Security Bug: Update for Puppet Users
http://puppetlabs.com/blog/heartbleed-security-bug-update-puppet-users

We encourage you to review the remediation actions as soon as possible. Of course, we’ll continue to stay on top of developments, and update you here on the mailing list.

[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
[2] http://heartbleed.com

Thanks, and sorry if your day has been as tough as ours.
--eric0


Eric Sorenson - eric.s...@puppetlabs.com - freenode #puppet: eric0
puppet platform // coffee // techno // bicycles
