Update OpenSSL on Isilon InsightIQ – Avoid the Heartbleed Vulnerability

[Instructions found herein are based upon the work of multiple other folks in this thread in the Isilon Support Forum.]

By now, you’re likely aware of the “Heartbleed” security vulnerability in the OpenSSL cryptography library. If you have an Isilon cluster, you might be wondering if it’s affected. The good news is that all versions of OneFS are Heartbleed-free.

However, if you’re also running the InsightIQ monitoring software, it might be vulnerable, depending on the version. Here’s what you need to know to find out if your cluster is affected — and what to do about it if it is.

Checking for the Vulnerability

The Heartbleed bug is found in OpenSSL version 1.0.2-beta and all versions of 1.0.1 prior to 1.0.1g built before 7 April, so the first thing to do is determine what version of OpenSSL is running on your InsightIQ appliance.

Log in to the appliance. You can do this either by going to the console through vCenter or by SSH’ing into the VM. Once you’re logged in, type the command:

openssl version -a

You’ll see output that looks something like:

OpenSSL 1.0.1e-16.el6_5.7 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014

The version number might make us think it’s vulnerable, but since we see a “built on” date later than 7 April, we know it’s a safe version.

If the output had instead looked like this:

OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Sun Apr 6 11:14:45 UTC 2014

then both the version and the build date would indicate a vulnerable OpenSSL library.
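
The check described above as a script, added here as an example (not from the original post or the Isilon forum thread): it parses `openssl version -a` output and applies the article's version-plus-build-date rule to the two sample outputs shown. The function name `heartbleed_status`, the 2014 cutoff year, and treating a build dated exactly 7 April as fixed are assumptions.

```bash
#!/bin/sh
# Added example, not from the original post. heartbleed_status is a
# hypothetical helper; it applies the article's heuristic only.
# Assumption: cutoff year is 2014 and a build dated 7 April counts as fixed.

heartbleed_status() {
    # $1 = full text printed by `openssl version -a`
    ver=$(printf '%s\n' "$1" | awk '/^OpenSSL /{print $2; exit}')
    # "built on: Tue Apr 8 02:39:29 UTC 2014" -> 20140408 (empty if unparsable)
    built=$(printf '%s\n' "$1" | awk '/^built on:/{
        m = index("JanFebMarAprMayJunJulAugSepOctNovDec", $4)
        if (length($4) == 3 && m % 3 == 1 && $NF ~ /^[0-9][0-9][0-9][0-9]$/)
            printf "%04d%02d%02d", $NF, (m + 2) / 3, $5
        exit }')

    case "$ver" in
        # 1.0.1 through 1.0.1f (with or without a distro suffix), or a 1.0.2 beta
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta*) ;;
        "") echo "unknown"; return ;;
        *)  echo "not-affected"; return ;;
    esac

    if [ -z "$built" ]; then
        echo "unknown"          # affected series, no usable build date
    elif [ "$built" -lt 20140407 ]; then
        echo "vulnerable"       # affected series, built before the cutoff
    else
        echo "patched-build"    # article's rule: later build date means fixed
    fi
}

# The two outputs shown in the article
SAMPLE_FIXED='OpenSSL 1.0.1e-16.el6_5.7 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014'
SAMPLE_VULN='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Sun Apr 6 11:14:45 UTC 2014'

echo "sample 1: $(heartbleed_status "$SAMPLE_FIXED")"
echo "sample 2: $(heartbleed_status "$SAMPLE_VULN")"
# On the appliance: heartbleed_status "$(openssl version -a)"
```

The build date is only the article's heuristic; on an RPM-based appliance, `rpm -q --changelog openssl` lists the fixes a given package build actually carries.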

Updating OpenSSL

If you’re running a vulnerable version (or would just feel better running a known-fixed version), use the package manager to check for a new version by typing:

sudo yum list openssl

You should see something like:

Installed Packages
openssl.x86_64     1.0.1e-fips
Available Packages
openssl.i686     1.0.1e-16.el6_5.7     updates
openssl.x86_64   1.0.1e-16.el6_5.7     updates

Since we can see an update available, we can upgrade the OpenSSL package by typing the command:

sudo yum update openssl

After you perform the update, you’ll need to restart InsightIQ. You can do this by typing the command:

sudo service insightiq restart

InsightIQ will start up using the new, fixed, OpenSSL package and you’ll be Heartbleed-free.


2 Responses to Update OpenSSL on Isilon InsightIQ – Avoid the Heartbleed Vulnerability

  1. Certificates in use would need to be regenerated as well.
