
Heartbleed OpenSSL Vulnerability

On April 7, 2014, a vulnerability (CVE-2014-0160, also known as "Heartbleed") was disclosed that could allow an attacker to read sensitive information from server memory, such as secret keys and passwords. Given the severity of this issue, Linode has taken the necessary steps to ensure that our customers and their information are protected from potential attacks.

Am I vulnerable?
Because Heartbleed has existed in the wild for more than a year, servers may have been compromised for some time. The vulnerability exposes systems to attackers who could extract information without leaving any trace of malicious activity.

A tool has been released that allows administrators to test their systems for the vulnerability. If your site has an SSL certificate, go to the vulnerability test page, enter your site's URL, and run the test. The tool's source code is available on GitHub. Note that a passing result does not mean your system is free of other vulnerabilities. Software compiled against the old library will need to be recompiled.

Is Linode vulnerable?
As soon as the vulnerability was disclosed, our security team completed upgrades across all of our infrastructure to patch it. Because of the nature of the issue, we are completing a full audit of our systems and regenerating the affected certificates.

Protecting your system
We encourage all Linode customers to run software updates and to recompile any software built against the vulnerable library. All of our package mirrors have now been updated with packages that include the fix for this issue. For more information on patching your system and reissuing SSL certificates, see our guide in the Linode Library.
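As an added illustration of the advice above (this is not Linode's code), the following Python script finds services that are still running against the pre-upgrade OpenSSL library: a package update replaces libssl/libcrypto on disk, but a running process keeps the old copy mapped until it is restarted, and the kernel shows such mappings as "(deleted)". It assumes a Linux host with /proc mounted; the sample maps listing is constructed.

```python
"""Find processes that still map a replaced (deleted) libssl/libcrypto: after an
OpenSSL upgrade a running service keeps the old copy mapped until restarted,
and the kernel shows such mappings as "(deleted)" in /proc/PID/maps."""
import os
import re

# Shared objects that carry the Heartbleed fix (CVE-2014-0160).
OPENSSL_LIBS = re.compile(r"/lib(ssl|crypto)\.so[\w.]*")

def stale_openssl_mappings(maps_text: str) -> list[str]:
    """Distinct deleted OpenSSL library paths in one /proc/PID/maps listing
    (line format: address perms offset dev inode [pathname])."""
    found: list[str] = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping without a pathname
        path = fields[5]
        if path.endswith("(deleted)") and OPENSSL_LIBS.search(path):
            lib = path[: -len("(deleted)")].rstrip()
            if lib not in found:
                found.append(lib)
    return found

def scan_proc(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Map PID -> stale OpenSSL libraries for every readable process."""
    stale: dict[int, list[str]] = {}
    if not os.path.isdir(proc_root):
        return stale  # not a Linux procfs host
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                libs = stale_openssl_mappings(fh.read())
        except OSError:
            continue  # process exited, or maps not readable as this user
        if libs:
            stale[int(entry)] = libs
    return stale

# Constructed sample of a maps listing (not captured from a real host).
SAMPLE_MAPS = """\
7f1a2c000000-7f1a2c1f0000 r-xp 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1a2c400000-7f1a2c5e0000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1a2c600000-7f1a2c700000 r-xp 00000000 fd:01 9012 /lib/x86_64-linux-gnu/libc-2.19.so
"""

if __name__ == "__main__":  # stand-alone: list the PIDs that need a restart
    print(scan_proc())
```

Any PID reported still holds the vulnerable code in memory even though the package manager reports the fixed version installed; restart that service (or reboot) and rerun the script until it reports nothing.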

Comments (10)

  1. On the VMs, I assume that it is “impossible” for a vulnerable tenant to affect his/her neighbor who is patched.

  2. The question is _WAS_ Linode infra vulnerable? Is there a chance that passwords have been stolen?

    If you were using an older version of openssl (CentOS 5 or even CentOS 6.4 or older) then you were never vulnerable.

    What linode servers were vulnerable, and over what time period?

  3. It seems that not all of your packages have been updated, just specific packages for specific releases. If you’re not running one of those specific releases, you either have to upgrade your entire distribution or keep running vulnerable software.

  4. @camper67 That is correct. In fact, this vulnerability cannot even leak data from other processes on the same machine.

  5. Stephen, of course it was. Most of the internet was/is. It was introduced about 2 years ago, so potentially for that duration of time.

    Theoretically, for most of the internet, including Linode, it is possible some sensitive information was leaked; however, since the exploit/PoC was only released yesterday (and immediately patched), I think the chance of that is very small.

  6. Hey guys,

    Can I assume we’ll see an update when the new certificates are deployed and the audit is complete? There’s no point changing passwords until then.

    cheers.

  7. Ricardo N Feliciano:

    J Irving,

    Everything is good. You can check the site referenced in the blog post against the Linode URLs and we pass:

    http://filippo.io/Heartbleed/#manager.linode.com
    http://filippo.io/Heartbleed/#blog.linode.com
    http://filippo.io/Heartbleed/#www.linode.com

  8. Ricardo,

    I don’t think you’ve answered J Irving’s question. Tests like filippo.io/Heartbleed can tell us whether a vulnerable OpenSSL implementation is present at the time of the test.

    However, according to my understanding, the test can’t tell us whether the private key and certificate being used were issued *after* all services were updated to a non-vulnerable version.

    For that, we need an explicit statement from Linode.

    Cheers,
    Matthew

  9. Anyone that continues to use the same passwords after this terrible event, which took years for the hosting community to find out about, is not thinking straight. If you have ever entered your credit card into an OpenSSL-encrypted gateway, or typed in anything on what you felt was historically safe, you were wrong.

    Change your passwords ASAP

  10. Matthew: The private key and certificate being used were created after all services were updated to non-vulnerable versions, and the old certificates have been revoked.
