OpenSSL CVE-2014-0160 Heartbleed bug and Red Hat Enterprise Virtualization (RHEV)

Solution Verified - Updated -

Environment

Issue

  • Does CVE-2014-0160 affect Red Hat Enterprise Virtualization?
  • Need fix for openssl heartbleed bug in RHEV

Resolution

  • Red Hat is not aware of any public exploit being used in the wild for this issue prior to the date of disclosure. However, a number of public exploits were published shortly after the issue was disclosed. These exploits could lead to the disclosure of information handled by applications using OpenSSL, including private keys, session tokens, and data submitted by users, which could include authentication credentials. It is recommended that you assess the risk this could pose to your systems, and perform additional remediation as you deem appropriate. (For more details on additional remediation steps, refer to: How to recover from the Heartbleed OpenSSL vulnerability.)

Warning: DO NOT START/STOP THE STORAGE, HOST/HYPERVISOR OR ANY GUEST VM WHEN RHEV-M IS UNDER MAINTENANCE

RHEV-H

  1. Is the RHEV-H in question affected?

    • The issue was fixed in rhev-hypervisor6-6.5-20140407.0.el6ev (RHSA-2014:0378)

    • All versions of rhev-hypervisor6-6.5 prior to rhev-hypervisor6-6.5-20140407.0.el6ev are affected

    • The current version of the RHEV Hypervisor can be checked from within the RHEV Manager

      • Click on the Hosts tab, then choose the hypervisor
        In the host details section will be found:

        OS Version: RHEV Hypervisor - 6.5 - <VERSION WILL BE HERE>

    • The version can also be checked manually from the RHEV-H command-line

      # cat /etc/redhat-release 
Red Hat Enterprise Virtualization Hypervisor release 6.5 (20140112.0.el6)

  2. Before planning an upgrade, make sure that the cluster in question has more than one hypervisor (to allow for VM migration)

  3. Refer to the Hypervisor Deployment Guide for instructions on how to upgrade a hypervisor

RHEL Hosts/Hypervisors

  1. Is the RHEL host in question affected?

    • Any system reportedly running Red Hat Enterprise Linux 6.5 is almost certainly affected

    • More specifically, any RHEL6 system with an openssl package version from openssl-1.0.1e-15.el6 through openssl-1.0.1e-16.el6_5.4 is affected

      • Can check installed version with:

        rpm -q openssl

  2. Select the hypervisor in question from the Hosts tab in the RHEV-M Admin Portal and click "Maintenance"
    Wait for the status to say "Maintenance" before proceeding

  3. Update the openssl package to openssl-1.0.1e-16.el6_5.7 (RHSA-2014:0376) or later, which corrects this issue

    • As always, registered systems with internet access (or systems connected to Satellites, etc) can be updated via yum

      yum update openssl

    • Otherwise, use a connected system to download the openssl package and then transfer said rpm package to the RHEL host in question and install it manually

  4. After successfully updating the openssl package, reboot the RHEL host

  5. Select the hypervisor in question from the Hosts tab in the RHEV-M Admin Portal and click "Activate"
    Wait for the status to say "Up" before proceeding

RHEV-M

  1. Is the RHEV-M in question affected?

    • RHEV-M running on Red Hat Enterprise Linux 6.5 is almost certainly affected

    • More specifically, any RHEL6 system with an openssl package version from openssl-1.0.1e-15.el6 through openssl-1.0.1e-16.el6_5.4 is affected

      • Can check installed version with:

        rpm -q openssl

  2. Make sure there are no running tasks by clicking the Tasks subtab in bottom right of RHEV-M GUI

  3. From a shell, stop the three main services for RHEV-M

    # service ovirt-engine-dwhd stop    (ONLY if reports dwh is configured and running)
# service ovirt-engine stop
# service postgresql stop

  4. Update the openssl package to openssl-1.0.1e-16.el6_5.7 (RHSA-2014:0376) or later, which corrects this issue

    • As always, registered systems with internet access (or systems connected to Satellites, etc) can be updated via yum

      yum update openssl

    • Otherwise, use a connected system to download the openssl package and then transfer said rpm package to the RHEV-M in question and install it manually

  5. Reboot the RHEV-M

  6. After reboot check that all the above three services are running for RHEV-M to work properly

Root Cause

  • Official statement from Security Advisory RHSA-2014:0378:

    An information disclosure flaw was found in the way OpenSSL handled TLS and
    DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server
    could send a specially crafted TLS or DTLS Heartbeat packet to disclose a
    limited portion of memory per request from a connected client or server.
    Note that the disclosed portions of memory could potentially include
    sensitive information such as private keys. (CVE-2014-0160)

  • For any ongoing developments, monitor the entry for CVE-2014-0160 in Red Hat's CVE Database

Diagnostic Steps

  • Red Hat has provided a tool to help automatically check public sites vulnerability to this vulnerability. This tool is for informational purposes only, but can help you quickly check systems before and after applying the updated packages.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments