Information

The OpenSSL project issued a security advisory for CVE-2014-0160 ("Heartbleed") on April 7, 2014. You can find more information about CVE-2014-0160 on the OpenSSL website and at http://heartbleed.com/.

Parallels Automation systems may be affected by this vulnerability. Here is the list of the potentially vulnerable components of Parallels Automation:

  • PBA 5.4 servers deployed on RHEL/CentOS 6
  • All PBA 5.5 Linux servers
  • POA servers deployed on RHEL/CentOS/CloudLinux 6

The vulnerability affects nearly every service that depends on OpenSSL (Apache-based services in particular) on systems built from RedHat, CentOS, or CloudLinux 6.5, which ship the vulnerable OpenSSL 1.0.1e-16.el6_5.4. The fix is in OpenSSL 1.0.1e-16.el6_5.7.

The package version for Redhat/CentOS can be checked using the command:

~# rpm -q openssl

OpenSSL 0.9.7a and 0.9.8e (shipped with RedHat/CentOS 5) are not vulnerable. According to RHSA-2014-0376, only RedHat 6.5 ships a vulnerable version of OpenSSL; RedHat 6.4 and earlier use the 1.0.0 branch, which is not affected.
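The following POSIX shell function is an added example for this article, not a Parallels tool: it classifies one line of `rpm -q openssl` output using the thresholds stated above (1.0.1e-16.el6_5.4 vulnerable, 1.0.1e-16.el6_5.7 fixed; 0.9.7/0.9.8 and 1.0.0 branches unaffected; upstream 1.0.1g carries the fix). Treating any EL6 release number above 16 as fixed assumes, as Red Hat errata are cumulative, that later rebuilds include the patch. The sample package strings it runs over when `rpm` is absent are constructed.

```sh
#!/bin/sh
# Classify `rpm -q openssl` output for CVE-2014-0160 (Heartbleed).
# Added example for this article; not part of Parallels Automation.
# Prints one of: vulnerable | not-vulnerable | unknown. Always returns 0.
heartbleed_status() {
  pkg=$1
  rest=${pkg#openssl-}                        # drop package name
  rest=${rest%.x86_64}; rest=${rest%.i686}    # drop arch suffix when present
  rest=${rest%.noarch}
  version=${rest%%-*}                         # e.g. 1.0.1e
  release=${rest#*-}                          # e.g. 16.el6_5.4

  case "$version" in
    0.9.7*|0.9.8*|1.0.0*) echo not-vulnerable; return 0 ;;  # branch never had the bug
    1.0.1[g-z]*)          echo not-vulnerable; return 0 ;;  # upstream fix landed in 1.0.1g
    1.0.1|1.0.1[a-f]*)    ;;                                # affected branch: inspect release
    *)                    echo unknown; return 0 ;;
  esac

  # Red Hat keeps the upstream version (1.0.1e) and bumps the RPM release instead,
  # so the verdict for EL6 depends on the release field (thresholds from RHSA-2014-0376).
  rel_major=${release%%.*}                    # 16
  case "$rel_major" in
    ''|*[!0-9]*) echo unknown; return 0 ;;    # not an RPM-style release, cannot judge
  esac
  case "$release" in
    *.el6_5.*) sub=${release##*.el6_5.}; sub=${sub%%.*} ;;  # 4 (vulnerable) or 7 (fixed)
    *.el6*)    sub=0 ;;                                     # plain 16.el6 (6.5 GA build)
    *)         echo unknown; return 0 ;;                    # not an EL6 build
  esac
  case "$sub" in ''|*[!0-9]*) sub=0 ;; esac
  # Assumption: any later EL6 rebuild (release > 16) postdates the errata and includes the fix.
  if [ "$rel_major" -gt 16 ] || { [ "$rel_major" -eq 16 ] && [ "$sub" -ge 7 ]; }; then
    echo not-vulnerable
  else
    echo vulnerable
  fi
  return 0
}

# On a real host query rpm; otherwise classify constructed sample strings.
if command -v rpm >/dev/null 2>&1; then
  rpm -q openssl | while read -r pkg; do echo "$pkg: $(heartbleed_status "$pkg")"; done
else
  for pkg in openssl-1.0.1e-16.el6_5.4.x86_64 openssl-1.0.1e-16.el6_5.7.x86_64 \
             openssl-0.9.8e-27.el5.x86_64; do
    echo "$pkg: $(heartbleed_status "$pkg")"
  done
fi
```

On x86_64 hosts with multilib, `rpm -q openssl` prints one line per architecture; the loop above classifies each line separately, since an outdated i686 package is just as exposed as the x86_64 one.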

Resolution

To secure your Parallels Automation installation:

  1. Update OpenSSL on the Online Store, PBA Application, and PBA Database servers that are deployed on RHEL/CentOS 6
  2. Update OpenSSL on all POA servers that are deployed on RHEL/CentOS 6
  3. Restart the POA UI and POA back-end services if the Branding node was updated
  4. Manage the certificate revocation/reissue/replacement process for the Store and Branded domains

To update RHEL 6 servers refer to instructions from the Red Hat advisory: https://rhn.redhat.com/errata/RHSA-2014-0376.html.

To update CentOS 6 servers use the instructions from the following CentOS blog post: http://www.centosblog.com/critical-openssl-vulnerability-heartbleed-openssl-1-0-1-1-0-1f-patch-bug-centos-system.

To update physical or virtual servers running on Parallels virtualization products please use the instructions provided in https://kb.parallels.com/en/120989.

Invoke the following command on POA UI and MN nodes in order to restart POA UI:

~# service pemui restart

Invoke the following command on POA MN node in order to restart POA backend services:

~# service pem restart

Invoke the following command on PBA-E application server in order to restart PBA backend services:

~# service pba restart

Invoke the following command on the PBA-E online store server in order to restart the Online Store web server (Apache), which loads OpenSSL:

~# service httpd restart
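Updating the package does not fix processes that already loaded the old library: the unlinked libssl/libcrypto files stay mapped in running processes and the kernel shows such mappings as "(deleted)" in /proc/<pid>/maps, so those processes keep running the vulnerable code until restarted. The following script is an added example, not part of the Parallels KB, that finds them after the update; it will also list non-Parallels services (sshd, postfix, and so on) that link OpenSSL. The maps lines used to exercise it are constructed.

```sh
#!/bin/sh
# List processes that still map a replaced OpenSSL library.
# Added example for this article; not part of Parallels Automation.

# Read one /proc/<pid>/maps on stdin; print each deleted libssl/libcrypto path once.
# The pathname is the 6th maps field; "(deleted)" follows it as a 7th token.
stale_ssl_maps() {
  grep -E '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' | awk '{ print $6 }' | sort -u
}

# Print "<pid> <command> <library>" for every stale mapping on this host.
# Run as root to see other users' processes; unreadable entries are skipped.
find_stale_ssl_processes() {
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}; pid=${pid%/maps}
    libs=$(stale_ssl_maps 2>/dev/null < "$maps") || continue
    [ -n "$libs" ] || continue
    comm=$(awk '/^Name:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    for lib in $libs; do
      echo "$pid ${comm:-?} $lib"
    done
  done
}

# Empty output means no process still uses the pre-update library.
find_stale_ssl_processes
```

Restart every service the script reports, not only the POA/PBA ones listed above; a process that mapped the old library and later re-exec'd itself (a graceful Apache reload, for example) will no longer appear because it picked up the new file.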

Password Changes

It is highly recommended to change the passwords of administrative staff after the update is finished, because the vulnerability allowed an attacker to read process memory, which may have contained credentials and session data, from the affected servers.

SSL Certificate Revocations

We encourage all Parallels Automation customers to revoke and reissue SSL certificates for at least the Online Store and all Branded domains, generating new private keys in the process: a certificate reissued on a key that may already have been read from server memory gives no protection. The procedure of revocation and reinstallation of SSL certificates is out of the scope of this document.

Additional Checks

After updating, please additionally check all public HTTPS endpoints of Parallels Automation using SSLLabs service: https://www.ssllabs.com/ssltest/.

The report should include a line similar to this: This server is not vulnerable to the Heartbleed attack. (Experimental)

See also

  • KB #121016 - summary article for all Parallels products
