This advisory describes the scope of the following recently-announced OpenSSL vulnerabilities, including Logjam:
- CVE-2015-4000 (Logjam)
The sections below describe the actions Joyent is taking and the actions recommended for customers:
- We made this advisory public on 18-June-2015.
- This advisory is meant to be used in addition to our 20-March-2015 article regarding previously-announced OpenSSL vulnerabilities.
Upgrading your own OpenSSL version 1.0.1 or 1.0.2
Should customers choose to address the CVEs listed above by upgrading OpenSSL on their own, they are advised to upgrade to either Version 1.0.1o (if currently using 1.0.1) or Version 1.0.2c (if currently using 1.0.2).
Joyent customers can address all of the listed CVEs by reinstalling OpenSSL with the following command:
pkgin -y up && pkgin -y in openssl
The CVEs listed in this advisory have been addressed in the current releases of Joyent's software and package repositories:
- pkgin repository 2014Q4 (openssl-1.0.1o)
- pkgin repository 2015Q1 (openssl-1.0.2c)
- SmartDataCenter (SDC) platform images released after 10-June-2015
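To confirm that a host actually received the fixed build after the pkgin reinstall, the following script (an added example, not from the Joyent advisory) reads the output of `openssl version` and reports whether the installed 1.0.1 or 1.0.2 build is at or above the releases named above. It relies on OpenSSL's letter-suffix ordering within a branch and assumes a POSIX shell with awk, sed and sort available.

```shell
#!/bin/sh
# Added example, not part of the Joyent advisory: report whether an installed
# OpenSSL 1.0.1 or 1.0.2 build is at or above the fixed release the advisory
# names (1.0.1o for the 1.0.1 branch, 1.0.2c for the 1.0.2 branch).
# Within a branch OpenSSL letter releases sort alphabetically (1.0.1n < 1.0.1o),
# and the bare release (1.0.2) is older than any lettered one (1.0.2a).

FIXED_101="1.0.1o"   # from the advisory
FIXED_102="1.0.2c"   # from the advisory

# Split an `openssl version` line such as "OpenSSL 1.0.1m 19 Mar 2015" into
# "<branch> <letter>", e.g. "1.0.1 m" ("1.0.2 " when there is no letter).
# A build suffix after a hyphen (e.g. "-fips") is ignored.
parse_openssl_version() {
    v=$(printf '%s\n' "$1" | awk '{print $2}')
    v=${v%%-*}
    branch=$(printf '%s\n' "$v" | sed 's/[a-z]*$//')
    letter=$(printf '%s\n' "$v" | sed 's/^[0-9.]*//')
    printf '%s %s\n' "$branch" "$letter"
}

# Exit status: 0 = at or above the fixed release, 1 = older (upgrade needed),
# 2 = a branch this advisory does not cover.
openssl_is_fixed() {
    set -- $(parse_openssl_version "$1")
    branch=$1; letter=${2:-}
    case "$branch" in
        1.0.1) fixed_letter=${FIXED_101#1.0.1} ;;
        1.0.2) fixed_letter=${FIXED_102#1.0.2} ;;
        *) return 2 ;;
    esac
    [ "$letter" = "$fixed_letter" ] && return 0
    # The letter that sorts first is the older release.
    first=$(printf '%s\n%s\n' "$fixed_letter" "$letter" | sort | head -n 1)
    [ "$first" = "$fixed_letter" ]
}

# Check the OpenSSL binary on this host and print a one-line verdict.
check_installed_openssl() {
    ver=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    openssl_is_fixed "$ver"
    case $? in
        0) echo "OK: $ver is at or above the fixed release" ;;
        1) echo "UPGRADE: $ver predates the fix (pkgin -y up && pkgin -y in openssl)" ;;
        *) echo "UNKNOWN: $ver is not a 1.0.1/1.0.2 build covered by this advisory" ;;
    esac
}

if [ "${1:-}" = "--check" ]; then check_installed_openssl; fi
```

Run it as `sh check_openssl.sh --check` on the instance, or source it and call `openssl_is_fixed` on version strings collected from several hosts.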
Customers running Linux instances should check the security notices for their distribution for any necessary remedial actions:
- Debian: https://www.debian.org/security/2015/
- CentOS/Red Hat/Fedora: https://rhn.redhat.com/errata
- Ubuntu: http://www.ubuntu.com/usn/
Please be assured that the Joyent HTTPS endpoints for Manta, CloudAPI and the Customer Portal at https://my.joyent.com are not vulnerable.
As recommended in previous articles, Joyent customers who are using third-party operating systems are advised to contact their respective service providers for further information and instructions.
If you have followed the instructions above and still have questions about mitigating these OpenSSL vulnerabilities in Joyent products and services, please contact Joyent Support by submitting a request at the Support portal or by emailing email@example.com.