Heartbleed Advisory - Eucalyptus Starter Images Update


Eucalyptus Versions: All

Heartbleed Advisory - Updates to Eucalyptus Starter Images

Recently, Eucalyptus issued an advisory [1] about the Heartbleed bug [2].  This knowledge base article provides more details as to the fixes applied to the Eucalyptus Starter Images, as a follow-up to a more recent knowledge base article [3]. The following Eucalyptus Starter Images in the Eustore Catalog were affected:

  • fedora x86_64  starter kvm Fedora 18 1.7GB root - Hypervisor-Specific Kernel, 3.9.6-200.fc18 kernel version; cloud-init enabled, ec2-user enabled, sudo rights; SELinux Enabled; euca2ools 2.1.3 installed
  • fedora x86_64 starter kvm Fedora 20 2GB root, Hypervisor-Specific Kernel; cloud-init enabled, fedora user enabled, sudo rights; SELinux Enabled
  • debian x86_64 starter kvm Debian 7 1.7GB root - Hypervisor-Specific Kernel, 3.9-1-amd64 kernel version; cloud-init enabled, ec2-user enabled, sudo rights; Apparmor enabled; euca2ools 2.1.3 installed
  • opensuse x86_64 starter kvm OpenSUSE 12.2 x86_64 - KVM image. SUSE Firewall off. Root disk of 2.5G. Root user enabled. Working with kexec kernel and ramdisk. OpenSUSE minimal base package set..

Other images in the Eustore catalog and presented on the Eucalyptus Machine Images page were not affected, per the possible affected operating systems listed by the Heartbleed advisory:

  • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
  • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
  • CentOS 6.5, OpenSSL 1.0.1e-15
  • Fedora 18, OpenSSL 1.0.1e-4
  • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)

The versions of OpenSSL affected are as follows:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

As mentioned in the Heartbleed Advisory page regarding the bug:

"Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug."

Starter Image OpenSSL Versions

Due to this advisory, the starter images mentioned above had their OpenSSL versions updated.  Their perspective OpenSSL versions are as follows:

  • Fedora 18 - openssl.x86_64 1:1.0.1e-37.fc18
  • Fedora 20 - openssl.x86_64 1:1.0.1e-37.fc20.1
  • Debian 7 - openssl 1.0.1g-2
  • OpenSUSE 12.2 - openssl 1.0.1e-2.25.1

If these images do not reflect these versions, please contact the Eucalyptus Security Team.


[1] ESA-17: The HeartBleed Bug Affects EuStore EMIs
[2] The Heartbleed Bug
[3] Eucalyptus Knowledge Base Article - The Heartbleed Security Advisory



Have more questions? Submit a request


Powered by Zendesk