Information
The OpenSSL project issued a security advisory for CVE-2014-0160 ("Heartbleed") on April 7, 2014. You can find more information at the OpenSSL website and at http://heartbleed.com/.
Parallels Business Automation - Standard (PBA-S) installations deployed on CentOS 6, 64-bit systems are potentially vulnerable: the openssl package in current CentOS 6 (6.5) is built from the OpenSSL 1.0.1 branch, which contains the TLS heartbeat bug (the 1.0.0 and 0.9.8 branches are not affected). Note that CentOS backports the fix without changing the version string, so "openssl version" still reports 1.0.1e on a patched node; confirm the fix through the package changelog, not the version string.
Resolution
Update the OpenSSL package on the PBA-S node (as root):
~# yum clean all
~# yum update "openssl*"
Restart the PBA-S and Apache services so that they load the patched library. Updating the package alone is not enough: every process started before the update keeps the old, vulnerable libssl mapped in memory until it is restarted.
~# /etc/init.d/hspcd restart
~# /etc/init.d/httpd restart
Password Changes
It is highly recommended to change the passwords of all administrative staff after the update is finished and the services have been restarted. Credentials sent over TLS before the fix may have been exposed through the vulnerability; changing them before the update would only expose the new ones as well.
SSL Certificate Revocations
We encourage all PBA-S customers to revoke and reissue the SSL certificates for at least the Store and CP domains, since the server's private key may have been read from memory while the node was vulnerable. Generate a new private key when reissuing; a certificate reissued for the old key does not remove the exposure. The procedure for revoking and reinstalling SSL certificates is out of the scope of this document.
Additional Checks
After updating, additionally check all public HTTPS endpoints of PBA-S with the SSL Labs server test: https://www.ssllabs.com/ssltest/.
The report should include a line similar to this:
This server is not vulnerable to the Heartbleed attack. (Experimental)
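The update and restart procedure above, together with the verification this article leaves implicit, as an added example that is not part of the original KB article or of the PBA-S product. It assumes CentOS 6 with rpm/yum, the hspcd and httpd init scripts named above, lsof installed, and root privileges for the live steps; the function names (heartbleed_version_hint, changelog_has_fix, stale_libssl_pids, remediate_pbas_node) and the sample changelog and lsof texts are constructed for this example. The text-processing helpers take their input as arguments so they can be exercised without a live node; only the "--run" path touches the system.

```bash
#!/bin/sh
# Added example (not from the KB article or the PBA-S product): check, patch
# and verify OpenSSL on a PBA-S node for CVE-2014-0160.
# Assumptions: CentOS 6 with rpm/yum, the hspcd and httpd init scripts named
# in the KB, lsof installed, and root privileges for remediate_pbas_node.

# Upstream rule: 1.0.1 through 1.0.1f are vulnerable, 1.0.1g fixed it, and the
# 1.0.0 and 0.9.8 branches never had the heartbeat code. CentOS keeps the
# 1.0.1e version string and backports the fix, so on CentOS this can only say
# "possibly-vulnerable"; changelog_has_fix below is the conclusive check.
heartbleed_version_hint() {
    # $1: output of `openssl version`, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
    set -- $1
    case "$2" in
        1.0.1|1.0.1[a-f]*) echo "possibly-vulnerable" ;;
        1.0.1[g-z]*)       echo "fixed-upstream" ;;
        *)                 echo "not-affected" ;;
    esac
}

# Red Hat / CentOS record backported CVE fixes in the package changelog, so a
# patched build lists CVE-2014-0160 there although `openssl version` does not change.
changelog_has_fix() {
    # $1: output of `rpm -q --changelog openssl`; returns 0 when the fix is listed
    printf '%s\n' "$1" | grep -q 'CVE-2014-0160'
}

# After the package update, processes started before it still map the old
# library; lsof shows such mappings as "(deleted)". Prints the PIDs that still
# need a restart, space separated, on one line.
stale_libssl_pids() {
    # $1: output of `lsof -n`
    printf '%s\n' "$1" | awk '
        /\(deleted\)$/ && /lib(ssl|crypto)\.so/ && !seen[$2]++ { printf "%s%s", sep, $2; sep = " " }
        END { print "" }'
}

# Constructed sample inputs (not captured from a real node).
SAMPLE_OLD_CHANGELOG='* Thu Feb 13 2014 Example Packager <packager@example.com> 1.0.1e-16.1
- fix a crash in the CMS code (constructed entry)'
SAMPLE_FIXED_CHANGELOG='* Mon Apr 07 2014 Example Packager <packager@example.com> 1.0.1e-16.7
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
* Thu Feb 13 2014 Example Packager <packager@example.com> 1.0.1e-16.1
- fix a crash in the CMS code (constructed entry)'
SAMPLE_LSOF='COMMAND  PID   USER FD  TYPE DEVICE SIZE/OFF  NODE NAME
httpd   1234 apache mem   REG  253,0   431392 12345 /usr/lib64/libssl.so.1.0.1e (deleted)
httpd   1234 apache mem   REG  253,0  1962152 12346 /usr/lib64/libcrypto.so.1.0.1e (deleted)
hspcd   5678   root mem   REG  253,0   431392 12345 /usr/lib64/libssl.so.1.0.1e (deleted)
sshd     999   root mem   REG  253,0   431392 23456 /usr/lib64/libssl.so.1.0.1e'

# The KB procedure, followed by the two verifications it leaves implicit.
remediate_pbas_node() {
    yum clean all || return 1
    yum update -y "openssl*" || return 1
    # yum alone does not fix running daemons; restart them so they load the patched library
    /etc/init.d/hspcd restart || return 1
    /etc/init.d/httpd restart || return 1
    if ! changelog_has_fix "$(rpm -q --changelog openssl)"; then
        echo "openssl changelog has no CVE-2014-0160 entry; the update did not apply" >&2
        return 1
    fi
    stale="$(stale_libssl_pids "$(lsof -n 2>/dev/null)")"
    if [ -n "$stale" ]; then
        echo "processes still mapping the deleted libssl/libcrypto (restart them): $stale" >&2
        return 1
    fi
    echo "OpenSSL patched and no process still maps the old library"
}

# Only touch the live system when explicitly asked: sh heartbleed_check.sh --run
if [ $# -gt 0 ] && [ "$1" = "--run" ]; then
    remediate_pbas_node
fi
```

The changelog check matters more than the version check on CentOS: a patched node still prints "OpenSSL 1.0.1e-fips", so anyone who grades the node by version string alone will wrongly call it vulnerable (or, worse, stop checking). The lsof check catches the other common mistake, an updated package with a daemon that was never restarted; any PID it prints is still serving TLS with the old code. Running the SSL Labs test on the public endpoints afterwards remains the external confirmation.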
See also
KB #121016 - summary article for all Parallels products
KB #113391 - Plesk Mass Password Reset Script