AWS Security Advisory for Amazon EC2

Ozarks Mountain Brewery

This came in my email, and it seems to be worldwide for all servers, not just Amazon. I updated my servers today.

Dear Amazon EC2 Customer,

The OpenSSL project has recently announced a security vulnerability in OpenSSL affecting versions 1.0.1 and 1.0.2 (CVE-2014-0160). Customers that are running Linux and are using SSL could be affected by this issue and should upgrade to a fixed version as soon as possible.

If you’re using the Amazon Linux AMI, you can simply run “sudo yum update openssl”, and then restart any services using OpenSSL to protect any at-risk instances.

Find more details and update instructions from the websites of your Linux vendor of choice:
* Amazon Linux AMI: https://aws.amazon.com/amazon-linux-ami ... -2014-320/
* Red Hat: https://rhn.redhat.com/errata/RHSA-2014-0376.html
* Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/

Please note that several of the prominent Linux operating systems have released fixed packages that still bear the OpenSSL 1.0.1e name. Even though the OpenSSL project released 1.0.1g as their newest software, downstream Linux providers have in some cases elected to include just the fix for CVE-2014-0160 in their packages in order to provide a small update quickly. Updates to 1.0.1g are likely to come later.

For more information about this vulnerability, please visit
* AWS Security Bulletin page: https://aws.amazon.com/security/security-bulletins/
* OpenSSL’s official advisory: https://www.openssl.org/news/secadv_20140407.txt
* The Heartbleed Bug: http://heartbleed.com/

Thank you,

AWS Security

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210
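
An added example (not part of the AWS e-mail or of any post in this thread) for the two points the advisory raises: a fixed package may still be named 1.0.1e, so the version string proves nothing, and services must be restarted after the update. The function names and the sample proc tree are constructed for illustration; the `rpm -q --changelog` usage assumes an RPM-based system such as the Amazon Linux AMI.

```shell
#!/bin/sh
# Added example: two post-update checks for CVE-2014-0160 on a Linux host.

# Read a package changelog on stdin; succeed if the Heartbleed fix is listed.
# RPM systems:  rpm -q --changelog openssl | has_cve_fix && echo patched
has_cve_fix() {
    grep -q 'CVE-2014-0160'
}

# Print PIDs that still map a deleted libssl/libcrypto, meaning the process
# loaded the old library before the update and has not been restarted.
# $1 is the proc root (default /proc); overridable so the check can be tested.
stale_ssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Constructed sample: a fake proc tree with one stale and one restarted process.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir "$d/101" "$d/202"
    echo '7f00-7f01 r-xp 00000000 ca:01 11 /usr/lib64/libssl.so.1.0.1e (deleted)' > "$d/101/maps"
    echo '7f00-7f01 r-xp 00000000 ca:01 12 /usr/lib64/libssl.so.1.0.1e' > "$d/202/maps"
    echo "$d"
}

# Demonstration on the constructed sample (PID 101 is the stale one).
sample=$(make_sample_proc)
echo "stale in sample: $(stale_ssl_pids "$sample")"
rm -rf "$sample"
```

On a real host, run `stale_ssl_pids` as root so every process's maps file is readable; any PID it prints belongs to a service that is still running the pre-update library.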
 
Thanks for sharing this here. This vulnerability is going to affect a lot of people and businesses if they don't upgrade soon. I've already seen a pcap from a test at yahoo.com that shows someone's login information. Not only can someone get login information, but private keys as well. If you were running a vulnerable version, then you should probably regenerate the keys for it as well, in case they have been compromised.

Here's the pcap image:
heartbleed-example.png
 
Yes, and this website is running, or was, on Amazon servers, and the issue at hand is user account passwords, in my book.
 
I ran a couple of tests that are out there on the site and they came back that the site isn't vulnerable to the new exploit.
 
