[Instructions found herein are based upon the work of multiple other folks in this thread in the Isilon Support Forum.]
By now, you’re likely aware of the “Heartbleed” security vulnerability in the OpenSSL cryptography library. If you have an Isilon cluster, you might be wondering if it’s affected. The good news is that all versions of OneFS are Heartbleed-free.
However, if you’re also running the InsightIQ monitoring software, it might be vulnerable, depending on the version. Here’s how to find out whether your InsightIQ appliance is affected, and what to do about it if it is.
Checking for the Vulnerability
The Heartbleed bug affects OpenSSL 1.0.2-beta and the 1.0.1 series up to 1.0.1f (that is, everything before 1.0.1g). Vendor builds of 1.0.1 dated 7 April or later carry the fix even though the version string is unchanged, so the first thing to do is determine both what version of OpenSSL is running on your InsightIQ appliance and when it was built.
Log in to the appliance, either through the console in vCenter or over SSH to the VM. Once you’re logged in, run:
openssl version -a
You’ll see output that looks something like:
OpenSSL 1.0.1e-16.el6_5.7 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014
The version number alone suggests a vulnerable build, but the “built on” date is later than 7 April, so this is a fixed version.
If instead the output looks like:
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Sun Apr 6 11:14:45 UTC 2014
then the version together with the pre-7 April build date indicates a vulnerable OpenSSL library.
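As an added example (code written for this page, not from the original post or the forum thread it draws on), the following shell function applies the version-and-build-date check described above to the output of "openssl version -a". The two sample outputs embedded in it are the ones quoted above; a build dated 7 April 2014 or later is treated as fixed, following the post's "built before 7 April" criterion.

```shell
#!/bin/sh
# Classify "openssl version -a" output with the rule from the post: the
# 1.0.2-beta and 1.0.1 (through 1.0.1f) release lines are affected unless
# the vendor build is dated 7 April 2014 or later, which is how a backported
# fix shows up while the version string stays at 1.0.1e.

# ymd MON DAY YEAR -> YYYYMMDD, so build dates compare as plain integers.
ymd() {
  case $1 in
    Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
    Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) return 1;;
  esac
  day=${2#0}                        # "08" would otherwise be read as octal
  printf '%s%s%02d\n' "$3" "$m" "$day"
}

# heartbleed_status "<output of openssl version -a>"
# Prints one of: not-affected | fixed | vulnerable
heartbleed_status() {
  out=$1
  ver=$(printf '%s\n' "$out" | awk '/^OpenSSL /{print $2; exit}')
  # "built on: Tue Apr 8 02:39:29 UTC 2014" -> month day year
  built=$(printf '%s\n' "$out" | awk '/^built on:/{print $4, $5, $8; exit}')
  case $ver in
    1.0.1|1.0.1[a-f]*|1.0.2-beta*) ;;   # affected release lines, keep going
    *) echo not-affected; return 0;;
  esac
  # Affected release line: only a post-fix build date rescues it.  A missing
  # or unparsable date is reported as vulnerable rather than guessed safe.
  set -- $built
  bdate=$(ymd "$1" "$2" "$3") || { echo vulnerable; return 0; }
  if [ "$bdate" -ge 20140407 ]; then echo fixed; else echo vulnerable; fi
}

# Constructed samples: the two outputs quoted in the post above.
SAFE_OUTPUT='OpenSSL 1.0.1e-16.el6_5.7 11 Feb 2013
built on: Tue Apr 8 02:39:29 UTC 2014'
VULN_OUTPUT='OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Sun Apr 6 11:14:45 UTC 2014'

heartbleed_status "$SAFE_OUTPUT"   # fixed
heartbleed_status "$VULN_OUTPUT"   # vulnerable
# On the appliance itself:  heartbleed_status "$(openssl version -a)"
```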
Updating OpenSSL
If you’re running a vulnerable version (or simply want to be on a known-fixed version), use the package manager to check for an update:
sudo yum list openssl
You should see something like:
Installed Packages
openssl.x86_64 1.0.1e-fips
Available Packages
openssl.i686 1.0.1e-16.el6_5.7 updates
openssl.x86_64 1.0.1e-16.el6_5.7 updates
Since an update is available, upgrade the OpenSSL package with:
sudo yum update openssl
After the update completes, restart InsightIQ so it loads the new library:
sudo service insightiq restart
InsightIQ will start up using the new, fixed OpenSSL package and you’ll be Heartbleed-free.
Certificates in use would need to be regenerated as well.
Yes, good catch!
After installing the new SSL library, you’d need to regenerate any certificates being used.