Information

The OpenSSL group has issued a vulnerability alert on April 7, 2014. You can find more information about CVE-2014-0160 at the Open SSL website and at http://heartbleed.com/.

For Windows

Parallels Containers for Windows might be installed with Parallels Dispatcher for management of containers by PACI, and few components are compiled with vulnerable OpenSSL version.

For Linux

This affects almost all services (especially Apache-based) in a system which depend on OpenSSL and those systems created using one of the following distributions:

  • Debian Wheezy (stable) (vulnerable OpenSSL 1.0.1e-2+deb7u4, fixed in OpenSSL 1.0.1e-2+deb7u5)
  • Ubuntu 13.10 (vulnerable OpenSSL 1.0.1e-3ubuntu1.1, fixed in OpenSSL 1.0.1e-3ubuntu1.2)
  • Ubuntu 12.10 (vulnerable OpenSSL 1.0.1c-3ubuntu2.6, fixed in OpenSSL 1.0.1c-3ubuntu2.7)

  • Ubuntu 12.04.4 LTS (vulnerable OpenSSL 1.0.1-4ubuntu5.11, fixed in OpenSSL 1.0.1-4ubuntu5.12)

    The package version for Debian/Ubuntu can be checked using the command:

    ~# dpkg -l openssl
  • RedHat, CentOS, CloudLinux 6.5 (vulnerable OpenSSL 1.0.1e-16.el6_5.4, fixed in OpenSSL 1.0.1e-16.el6_5.7)
  • Fedora 18 (OpenSSL 1.0.1e-4 without update: Fedora 18 is no longer supported)
  • Fedora 19 (fixed in OpenSSL 1.0.1e-37.fc19.1)
  • Fedora 20 (fixed in OpenSSL 1.0.1e-37.fc20.1)
  • OpenSUSE 12.2 (vulnerable OpenSSL 1.0.1c, fixed in OpenSSL 1.0.1e-1.44.1)

  • OpenSUSE 13.1 (fixed in OpenSSL 1.0.1e-11.32.1)

    The package version for Redhat/CentOS and OpenSUSE can be checked using the command:

    ~# rpm -q openssl

OpenSSL 0.97a and 0.98e (in RedHat/CentOS 5) are not vulnerable. According to RHSA-2014-0376, only Redhat 6.5 has a vulnerable version of OpenSSL.

Debian Squeeze it not vulnerable, as stated in Debian Security Advisory DSA-2896.

Other supported Ubuntu releases are not vulnerable, as per Ubuntu Security Notice USN-2165-1.

Corresponding security updates for Fedora:

Fixes for OpenSUSE provided in OpenSUSE Security Announcement openSUSE-SU-2014:0492-1.

Resolution

Hardware node update

Operating system vendors have issued fixes, which have been incorporated by all major distributions. You must apply OpenSLL updates by:

  1. Hardware servers with PCS:

    ~# yum clean all; yum update openssl

  2. Hardware servers with PSBM: using vzup2date tool

    • KB #113945 Installing updates on Parallels Server Bare Metal 5 node

  3. Hardware servers with PVC:

    ~# yum clean all; yum update openssl
    • KB #1170 How do I keep a PVC installation up-to-date?

Note: PSBM, PCS and PVC for Windows use SSL for internal communication with Dispatcher only, this significantly decreases risk of compromise but anyway it is highly recommended to apply fixes for SSL as it might be used by some other 3rd party services.

Rebuilt version of Parallels Dispatcher with newer OpenSSL version is available:

  • KB #121002 Parallels Cloud Server 6.0 Update 5 Hotfix 11 (6.0.5-1811)
  • KB #121003 Parallels Server Bare Metal 5.0.0 Update 9 Hotfix 4 (5.0.0-1340)
  • KB #121129 Parallels Virtuozzo Containers for Windows 4.6 and Parallels Virtuozzo Containers for Windows 6.0

PVA Power Panel and PVA MN

Parallels Virtual Automation uses not vulnerable version of OpenSSL, and also it uses system OpenSSL for web-based services via Apache.

PVA Power Panel uses Apache web-server running on the host, update OpenSSL and restart of Apache on the hardware node is needed:

~# service httpd restart

PVA Management Node uses Apache and OpenSSL of the system it is installed into, update the installation according to its type and restart services:

  • in a container:

    ~# vzctl update CTID

  • in a virtual machine or on a physical server:

    ~# yum clean all; yum update

Applying fix to containers

  1. For existing containers:

    ~# vzpkg update CTID

    or a single package specifically:

    ~# vzpkg install CTID -p openssl

  2. Operating system template cache(s) should be recreated:

    ~# vzpkg update cache DISTR-VER-ARCH

After the update is applied all the services relying on OpenSSL should be restarted:

  • Restart SSH server, OpenVPN, Apache.
  • Restart any other services running on the host operating system dependent on OpenSSL.

See also

  • KB #121016 - summary article for all Parallels products

Internal content