Information

The OpenSSL project issued a security advisory on April 7, 2014 for CVE-2014-0160 ("Heartbleed"), a missing bounds check in the TLS heartbeat extension of OpenSSL 1.0.1 through 1.0.1f. An unauthenticated remote peer can use it to read up to 64 KB of the process's memory per request, which may contain private keys, session cookies and passwords. You can find more information about CVE-2014-0160 at the OpenSSL website and at http://heartbleed.com/.

Parallels Business Automation - Standard (PBA-S) installations deployed on 64-bit CentOS 6 systems are potentially vulnerable: CentOS 6.5 ships OpenSSL 1.0.1e, which contains the flaw until the vendor's patched package is installed.

Resolution

  1. Update OpenSSL package on PBA-S node:

    ~# yum clean all
    ~# yum update "openssl*"

  2. Restart PBA-S and Apache services so that they load the patched library:

    ~# /etc/init.d/hspcd restart
    ~# /etc/init.d/httpd restart

     A running process keeps the old library in memory after the package has been replaced on disk, so any other TLS-enabled service on the node (mail, database or other listeners) must also be restarted; rebooting the node is the simplest way to be sure.
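Post-update verification, as an added example that is not part of this article or of the PBA-S product: a Python 3 script, run as root on the node, that confirms the installed openssl package's changelog references CVE-2014-0160 and lists every process that still maps a deleted (pre-update) libssl or libcrypto. The second check matters because step 2 restarts only hspcd and httpd. The package check reads the changelog rather than the version string because the CentOS 6 fix is a backport: the version stays 1.0.1e and only the release (openssl-1.0.1e-16.el6_5.7) and changelog change. The pattern for the library file names and the use of /proc are the example's own assumptions.

```python
#!/usr/bin/env python3
"""Verify the OpenSSL fix actually took effect on a CentOS 6 / RPM host.

Added example, not part of the Parallels KB article. Run as root after
'yum update "openssl*"'. It answers two questions the yum output does not:
  1. does the installed openssl package carry the CVE-2014-0160 fix?  The
     CentOS 6 fix is a backport, so the version string stays 1.0.1e and only
     the release (openssl-1.0.1e-16.el6_5.7) and the changelog change.
  2. which processes still have the old, now deleted, libssl/libcrypto mapped?
     yum replaces the files on disk, but every running process keeps the
     vulnerable copy in memory until it is restarted.
"""
import os
import re
import subprocess

CVE = "CVE-2014-0160"
# Assumed file-name pattern for the OpenSSL shared objects (libssl.so.*, libcrypto.so.*).
SSL_LIB = re.compile(r"/lib(ssl|crypto)\.so")


def changelog_mentions_fix(changelog: str, cve: str = CVE) -> bool:
    """True when the RPM changelog text references the CVE."""
    return cve in changelog


def installed_openssl_changelog(pkg: str = "openssl") -> str:
    """Return the output of 'rpm -q --changelog <pkg>' (raises if rpm is missing)."""
    proc = subprocess.run(["rpm", "-q", "--changelog", pkg],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def stale_ssl_mappings(maps_by_pid: dict) -> dict:
    """Given {pid: contents of /proc/<pid>/maps}, return {pid: [deleted SSL libs]}.

    A maps line has six fields; the sixth is the backing path, which the kernel
    suffixes with ' (deleted)' once the file has been replaced on disk.
    """
    stale = {}
    for pid, maps in maps_by_pid.items():
        deleted = set()
        for line in maps.splitlines():
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue                       # anonymous mapping, no path
            path = fields[5]
            if SSL_LIB.search(path) and path.endswith("(deleted)"):
                deleted.add(path)
        if deleted:
            stale[pid] = sorted(deleted)
    return stale


def read_proc_maps() -> dict:
    """Collect /proc/<pid>/maps for every process we are allowed to read (root sees all)."""
    result = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as fh:
                result[int(entry)] = fh.read()
        except OSError:
            continue                           # process exited, or permission denied
    return result


def process_name(pid: int) -> str:
    try:
        with open(f"/proc/{pid}/comm") as fh:
            return fh.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    fixed = changelog_mentions_fix(installed_openssl_changelog())
    print(f"openssl changelog references {CVE}: {'yes' if fixed else 'NO - fix not installed'}")
    stale = stale_ssl_mappings(read_proc_maps())
    for pid, libs in sorted(stale.items()):
        print(f"pid {pid} ({process_name(pid)}) still maps {', '.join(libs)} - restart it")
    if not stale:
        print("no running process maps a deleted libssl/libcrypto")
```

Every PID the script reports must be restarted (hspcd and httpd with the init scripts above, other services with their own); when the list is long, a reboot is quicker and leaves nothing behind.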

Password Changes

It is highly recommended to change the passwords of all administrative staff after the update is finished: credentials and session cookies sent over TLS to the affected services could have been read from server memory while the vulnerable library was in use.

SSL Certificate Revocations

We encourage all PBA-S customers to revoke and reissue SSL certificates for at least the Store and CP domains. Generate a new private key for the reissued certificate; a certificate reissued for the old key protects nothing, since that key may already have been leaked. The procedure for revoking and reinstalling SSL certificates is out of the scope of this document.

Additional Checks

After updating, also check every public HTTPS endpoint of PBA-S with the SSL Labs service: https://www.ssllabs.com/ssltest/.

The output of the test should include a row similar to this:

This server is not vulnerable to the Heartbleed attack. (Experimental)

See also

KB #121016 - summary article for all Parallels products

KB #113391 - Plesk Mass Password Reset Script
