- Zenoss 4.x
- Zenoss 3.x
Recently, a serious vulnerability nicknamed "Heartbleed" has been found in OpenSSL, a popular cryptography library (http://heartbleed.com). The Zenoss product does not use the OpenSSL library internally and is thus not impacted. However, in certain cases, vulnerable versions of OpenSSL may be configured by our customers to secure web traffic between the Zenoss master server and clients accessing the WebUI. This article contains the information needed to determine whether you are impacted by Heartbleed, and instructions for addressing it.
To quickly determine whether SSL has been enabled for the WebUI (that is, whether the steps from the SSL-related KB article(s) have been implemented), open the WebUI and examine the URL:
- If the URL starts with http://, you are NOT using SSL for WebUI connections and are not impacted. You can ignore the rest of this article.
- If the URL starts with https://, you ARE using SSL for WebUI connections and might be impacted.
If you are using SSL, determine whether you are running an impacted version of OpenSSL. Log in to your Zenoss master host and run the following command as any user:
$ openssl version
This prints the installed OpenSSL version string, for example:
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Use the following list to determine if your version is vulnerable:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Consulting the list, the example OpenSSL 0.9.8e is NOT vulnerable.
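The version check above, scripted as an added example (not Zenoss code): the function reads an `openssl version` string, strips the product name and build date, and classifies the remaining version against the list in this article. Anything not on that list is reported as unknown rather than guessed at; note that some OS vendors patch the flaw while keeping the upstream version string, so a "vulnerable" result from the string alone still needs confirmation from your OS vendor or package changelog.

```shell
#!/bin/sh
# Added example (not Zenoss code): classify the output of `openssl version`
# against the Heartbleed-affected range listed above (1.0.1 through 1.0.1f).
# Prints exactly one word: vulnerable, not-vulnerable, or unknown.
heartbleed_status() {
    line=$1                        # e.g. "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"
    case "$line" in
        "OpenSSL "*) ;;            # only OpenSSL version strings are classified
        *) echo unknown; return 0 ;;
    esac
    ver=${line#OpenSSL }           # strip the product name ...
    ver=${ver%% *}                 # ... and the build date, leaving e.g. 0.9.8e-fips-rhel5
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[abcdef]|1.0.1[abcdef]-*)
            echo vulnerable ;;     # 1.0.1 and 1.0.1a through 1.0.1f
        1.0.1[a-z]*)
            echo not-vulnerable ;; # 1.0.1g or later carries the fix
        1.0.0*|0.9.8*)
            echo not-vulnerable ;; # branches that never had the bug
        *)
            echo unknown ;;        # not on the list above; check with your OS vendor
    esac
}

# Constructed sample strings covering the three outcomes.
heartbleed_status "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"   # not-vulnerable
heartbleed_status "OpenSSL 1.0.1e-fips 11 Feb 2013"         # vulnerable
heartbleed_status "LibreSSL 2.8.3"                          # unknown

# Classify the OpenSSL actually installed on this host, if one is present.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_status "$(openssl version)"
fi
```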
If you are using SSL and a vulnerable version of OpenSSL, you should strongly consider updating your OpenSSL package. Check with your OS vendor on how to update OpenSSL.
You should then revoke/reissue your private and public keys. Consult your certificate authority (CA) for the appropriate procedure. Refer to the appropriate KB to determine how to replace your SSL keys on your Zenoss host:
If you are using a self-signed certificate, repeat the procedure outlined in: