Thursday, April 10, 2014

Notice for CIOS 6.x and 7.x Users Concerned about Heartbleed

People everywhere are talking about the new Heartbleed vulnerability discovered in OpenSSL; see heartbleed.com for more details on the vulnerability.  Essentially, this vulnerability exploits a defect in the SSL/TLS heartbeat extension that allows attackers to read sensitive information from your server's memory, including the private key your server uses to establish secure HTTP connections.  Once an attacker has your private key, communication with that server can be decrypted and your sensitive data can be accessed.  You may be wondering whether CIOS is affected by this vulnerability.  The short answer is that if you are running CIOS 6.x you are not affected; if you are running CIOS 7.x, you are affected by the Heartbleed vulnerability.  IBM is working on a patch for CIOS 7.x; see this link for more details.
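The defect behind Heartbleed is a missing bounds check: a heartbeat message carries its own declared payload length, and a vulnerable server copied that many bytes back out of memory without confirming the message actually contained them.  The following Python script is an added example (not part of this notice or of CIOS) showing the check a conforming TLS implementation must perform, applied as a defensive scan over a raw TLS record stream.  The byte stream it inspects is constructed inline for illustration, not captured traffic, and the record layout follows the TLS record header and RFC 6520 heartbeat message format.

```python
import struct

TLS_HEARTBEAT = 24          # TLS record content type for Heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16         # RFC 6520 requires at least 16 bytes of padding


def parse_tls_records(data: bytes):
    """Split a raw TLS byte stream into (content_type, version, body) tuples."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # truncated record: stop rather than guess at its contents
        records.append((ctype, version, body))
        offset += 5 + length
    return records


def check_heartbeat(body: bytes):
    """Return (ok, reason) for one heartbeat record body.

    A conforming peer must silently discard a HeartbeatMessage whose declared
    payload_length does not fit inside the record together with the 1-byte
    type, 2-byte length field and 16 bytes of padding (RFC 6520 section 4).
    Heartbleed was the absence of exactly this check.
    """
    if len(body) < 3:
        return False, "heartbeat body shorter than its header"
    hb_type = body[0]
    payload_length = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False, f"unknown heartbeat type {hb_type}"
    if 1 + 2 + payload_length + HB_MIN_PADDING > len(body):
        return False, (f"declared payload of {payload_length} bytes exceeds the "
                       f"{len(body)}-byte record (header and padding included)")
    return True, "well-formed"


def scan_stream(data: bytes):
    """Return one finding per heartbeat record found in the stream."""
    findings = []
    for index, (ctype, _version, body) in enumerate(parse_tls_records(data)):
        if ctype != TLS_HEARTBEAT:
            continue
        ok, reason = check_heartbeat(body)
        findings.append({"record": index, "suspicious": not ok, "reason": reason})
    return findings


def make_record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Build a single TLS record (used only to construct sample input)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample stream: an application-data record, a well-formed
# heartbeat request (4-byte payload, 16 bytes of padding), and a heartbeat
# request whose declared payload length is far larger than the record carries.
GOOD_HEARTBEAT = bytes([HB_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16
BAD_HEARTBEAT = bytes([HB_REQUEST]) + struct.pack("!H", 0x4000) + b"x" + b"\x00" * 16
SAMPLE_STREAM = (
    make_record(23, b"GET / HTTP/1.1\r\n")
    + make_record(TLS_HEARTBEAT, GOOD_HEARTBEAT)
    + make_record(TLS_HEARTBEAT, BAD_HEARTBEAT)
)

if __name__ == "__main__":
    for finding in scan_stream(SAMPLE_STREAM):
        print(finding)
```

Run against the constructed stream, the scanner reports the second heartbeat record as suspicious because its declared payload cannot fit in the bytes actually received; a patched server applies the same arithmetic and discards such a message instead of answering it.  On a network where heartbeat is never legitimately used, simply seeing content type 24 at all is worth an alert.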

How do I know what version of CIOS I am running?

To determine which version of CIOS you are running, log in to the CLI via SSH and type the command system show version.  You may also log in to the WMC (Web Management Console) and go to the System tab.

I'm running CIOS 7.x. What risks am I exposed to?

If nothing else, the Web Management Console uses SSL, so in theory an attacker could gain access to the WMC and take down your appliance.  Most users do not expose the WMC to the internet, so the risk is confined to your own network.  If you use the HTTP Receive or Provide Web Service activities with SSL enabled, those endpoints are also vulnerable.  Again, most customers do not expose web services to the internet, so your exposure is limited to the networks that have access to your services.

I'm running CIOS 7.x. What do I do next?

IBM is working on a patch; if you are running CIOS 7.x you should apply it as soon as it becomes available.  Contact IBM Support for more details.  Once you have applied the patch you should also generate a new certificate for your appliance, in case your system has already been compromised.  Once an attacker has your private key, the only way to secure your connections again is to create a new key (generate a new certificate).  See the Security section of the Cast Iron Online Help for further details.