Part of our Fanatical Support promise is to ensure the security and health of your systems. It is of the utmost importance to us. So when the entire Linux Community, including Rackspace, was notified yesterday of the “Heartbleed” vulnerability within OpenSSL (CVE-2014-0160), the encryption software found in many Linux systems, we began plans to proactively patch your affected servers where we could.
Check out how we used expertise at scale to help our customers through Heartbleed.
We are working to patch systems for all customers whose servers we have access to, unless they’ve specifically noted that they do not want us to patch their systems. We cannot patch servers for core cloud customers or managed colocation customers, and recommend you check out this page for additional information and patching instructions: https://community.rackspace.com/general/f/34/t/3596
Our proactive patching is happening in an opt-out model based on each specific service offering. Customers will be contacted based on their specific products (if you utilize five different Rackspace services, you may receive a note about how we’re updating and patching each service). And for Rackspace customers who are on Rackspace infrastructure, we have updated our infrastructure to close off the vulnerability.
Systems with the Heartbleed vulnerability may allow an attacker to read chunks of memory from a remote system, meaning an attacker could access your servers remotely and pull back sensitive data including, but not limited to, passwords, session tokens, or private keys. No trace of the attack remains on the system after the attacker has taken the data. The attacker can run the attack multiple times and gain access to different data from the server depending on what’s being stored in RAM.
Almost all current Linux distributions are affected by this vulnerability and the largest distributions have released updated packages. Some of the affected distributions include Red Hat Enterprise Linux 6.5, CentOS 6.5, Ubuntu 12.04 (and newer versions), Fedora 18 (and newer versions), and Debian Wheezy (and newer versions).
If you’re running one of these distributions, there are some steps you must take as soon as possible:
- Update your system to the latest available version of OpenSSL using yum, apt-get, or your system’s package manager
- Restart all of your system services that utilize OpenSSL
Some of the most common services that use OpenSSL include:
- Web services (including apache, nginx, lighttpd)
- Mail services (including postfix, sendmail, qmail)
- Database services (including mysql, mariadb, postgres)
There’s no need for a full system reboot. Simply restarting the affected services is sufficient to ensure that those services are using the new OpenSSL packages.
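The two steps above (update the package, then restart everything that uses it) have a gap in the middle: knowing which services are still running against the old library. The following POSIX shell script is an added example, not Rackspace's own tooling and not code from the original post. It classifies the output of `openssl version` against the affected upstream range (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and it scans /proc/<pid>/maps for processes that still hold a replaced libssl/libcrypto, which is exactly the set of services that still need a restart. The sample maps lines and the `SAMPLE_MAPS`, `heartbleed_version_hint`, `maps_has_stale_openssl` and `scan_stale_openssl_processes` names are all constructed for this example.

```shell
#!/bin/sh
# Added example (not Rackspace's own tooling): after updating the OpenSSL
# package, find which running services still have the OLD libssl/libcrypto
# mapped in memory, since those are the ones that must be restarted.

# 1. Version hint. Upstream fixed Heartbleed in 1.0.1g; 1.0.1 through
#    1.0.1f and 1.0.2-beta1 are the affected upstream releases. Takes the
#    output of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
#    Distributions that backport fixes keep the old version string, so
#    treat this as a hint, not proof (see the note below the script).
heartbleed_version_hint() {
  ver=$(printf '%s\n' "$1" | awk '{print $2}')
  case "$ver" in
    1.0.1|1.0.1[a-f]|1.0.2-beta1) echo "possibly-vulnerable" ;;
    *)                            echo "not-in-affected-range" ;;
  esac
}

# 2. Stale-mapping check. A package upgrade replaces libssl.so on disk, but
#    a process that loaded the old file keeps it mapped; the kernel shows
#    such a mapping as "(deleted)" in /proc/<pid>/maps. Reads maps lines on
#    stdin; returns 0 if a replaced OpenSSL library is still mapped.
maps_has_stale_openssl() {
  grep -Eq '/lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$'
}

# Constructed sample (not captured from a real host): libc is current, but
# libssl was replaced on disk while this process still maps the old copy.
SAMPLE_MAPS='7f3a1c000000-7f3a1c1bd000 r-xp 00000000 08:01 393230 /lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c45f000 r-xp 00000000 08:01 393300 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'

# Runs the stale-mapping check over the constructed sample; prints "yes"
# if the sample process would need a restart, "no" otherwise.
sample_needs_restart() {
  if printf '%s\n' "$SAMPLE_MAPS" | maps_has_stale_openssl; then echo yes; else echo no; fi
}

# 3. Live scan of this host: one "pid command" line per process that still
#    maps a replaced libssl/libcrypto. Run as root so every maps file is
#    readable; entries this user cannot read come back empty and are skipped.
scan_stale_openssl_processes() {
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}; pid=${pid%/maps}
    if cat "$maps" 2>/dev/null | maps_has_stale_openssl; then
      printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    fi
  done
}

# Invoke as "sh restart-check.sh --scan" on the patched host.
if [ "${1:-}" = "--scan" ]; then
  v=$(openssl version 2>/dev/null || echo "OpenSSL unknown")
  printf 'installed: %s -> %s\n' "$v" "$(heartbleed_version_hint "$v")"
  echo "processes still using a replaced libssl/libcrypto (restart these):"
  scan_stale_openssl_processes
fi
```

The version hint is deliberately weak on purpose: Red Hat and CentOS shipped the Heartbleed fix as a backport, so a fully patched server there still reports `OpenSSL 1.0.1e`. On those systems the package changelog is the authoritative check (`rpm -q --changelog openssl | grep CVE-2014-0160`); on Debian and Ubuntu, the Debian changelog under /usr/share/doc/openssl/ plays the same role. The stale-mapping scan, by contrast, is reliable on any distribution, because it looks at what each process actually has loaded rather than at a version string.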
Once your servers are fully patched and the affected services are restarted, there are a few additional actions to take depending on the sensitivity level of your servers. For servers that contain highly sensitive data, such as PII (Personally Identifiable Information) or payment data, we recommend taking these additional steps:
- Generate new keys for your SSL certificates and have those certificates re-issued
- Reset critical passwords in web applications and in the base operating system
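The first of these steps is easy to get subtly wrong: a certificate re-issued from a CSR built with the existing private key does nothing, because that key is what may have leaked from memory. The following shell script is an added example (not Rackspace's own tooling, and not from the original post) that generates a genuinely fresh key and CSR and then checks, by comparing RSA moduli, that the CSR does not carry the old certificate's key. It assumes the `openssl` command-line tool; the self-signed "old" certificate, the subject name `example.test`, and the function names `csr_uses_new_key`, `make_fresh_csr` and `rekey_demo` are all constructed for this example.

```shell
#!/bin/sh
# Added example (not Rackspace's own tooling): rotate a certificate's key
# and prove the new CSR really uses a fresh key. After Heartbleed the
# private key itself may have leaked, so re-issuing a certificate from the
# OLD key ("openssl req -new -key old.key ...") gains nothing.
# Requires the openssl command-line tool.

# Return 0 if the CSR in $2 carries a different public key than the
# certificate in $1 (key really rotated), 1 if it reuses the old key.
csr_uses_new_key() {
  old=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
  new=$(openssl req -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$old" ] && [ -n "$new" ] && [ "$old" != "$new" ]
}

# Generate a fresh key and CSR for subject $1, writing $2.key and $2.csr.
# -newkey makes openssl create a brand-new RSA key instead of reading an
# existing one; -nodes leaves the key unencrypted so a service can load it
# at startup without a passphrase prompt (protect the file with permissions).
make_fresh_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# Constructed demo: a throwaway self-signed certificate stands in for the
# certificate already on the server. Prints "rotated" for the properly
# regenerated CSR and "reused" for a CSR built from the old key, in that order.
rekey_demo() {
  d=$(mktemp -d) || return 1
  # stand-in for the existing cert/key pair (constructed, throwaway)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
    -keyout "$d/old.key" -out "$d/old.crt" 2>/dev/null
  make_fresh_csr example.test "$d/new"
  # the shortcut that does not help: new CSR, same possibly-leaked key
  openssl req -new -key "$d/old.key" -subj /CN=example.test \
    -out "$d/reuse.csr" 2>/dev/null
  if csr_uses_new_key "$d/old.crt" "$d/new.csr"; then echo rotated; else echo reused; fi
  if csr_uses_new_key "$d/old.crt" "$d/reuse.csr"; then echo rotated; else echo reused; fi
  rm -rf "$d"
}

# Invoke as "sh rekey-check.sh --demo" to see both outcomes.
if [ "${1:-}" = "--demo" ]; then rekey_demo; fi
```

In practice you run `make_fresh_csr` against your real hostname, submit the resulting `.csr` to your certificate authority, and run `csr_uses_new_key old.crt new.csr` before you do so; a `reused` result means the key was not actually rotated. Once the re-issued certificate is installed and the service restarted, the old certificate should also be revoked with the issuing CA, since its key has to be treated as compromised.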
As always, we’re here to help. That’s the Rackspace difference (vs. competitors that only offer raw infrastructure). When you sign up with Rackspace, you get the added value of technical experts and Fanatical Support to help make sure you’re protected and your website, app or business remains online. Your support team can verify if your servers have this vulnerability and they can assist you with the necessary updates.
If you have any further questions or concerns, please contact a member of your Fanatical Support team via phone, ticket, or chat from your Cloud Control Panel (https://mycloud.rackspace.com/) or MyRackspace Customer Portal (https://my.rackspace.com).
Tune In To Our Google+ Hangout For More Information
At 1 p.m. CDT on Wednesday, April 16, Rackspace will host a live Google+ Hangout, “Stop the bleeding: How to patch Heartbleed at scale.” Tune in to learn more about Heartbleed and how Rackspace identified and patched thousands of servers impacted by the Heartbleed OpenSSL vulnerability. We will be joined by several specialist Rackers who determined the severity of the vulnerability and responded to the issue at a sizable scale. You can register for the Hangout here.