You’ve probably heard about the recently discovered OpenSSL vulnerability called the Heartbleed bug. This is a serious vulnerability and we wanted to provide you with information about how the issue affects Bright customers, and what you should do about it.
Is your cluster vulnerable?
Most clusters exist behind firewalls, and are not reachable over public networks. However, there is still a potential risk from attackers who are also within the firewall, so it’s important to close any vulnerabilities as soon as possible.
Versions of Bright Cluster Manager up to 6.1 use a version of OpenSSL that is not affected. The initial release of Bright Cluster Manager 7 did make use of the vulnerable OpenSSL library, so we have corrected the problem in an update.
However, there is still some risk
Most Bright clusters are installed along with an Apache web server, and that server is vulnerable to the Heartbleed bug if the OpenSSL package included in the Linux base distribution is vulnerable. By default, Apache is configured to use the same certificate and private key as Bright Cluster Manager, so the vulnerability exposed through the Apache web server could be used to target Bright Cluster Manager as well.
Vulnerable implementations of OpenSSL are included with RHEL 6.5, CentOS 6.5 and Scientific Linux 6.5. If one of these Linux distributions is used, updates should be installed. Bright clusters using other Linux distributions (e.g. RHEL 6.4, SLES11) are not vulnerable.
How to protect your cluster
We recommend that you upgrade the OpenSSL packages that come as part of the Linux base distribution. If you are using Bright Cluster Manager 7, install the latest Bright updates.
A more detailed explanation, and instructions on updating the OpenSSL packages, are available in this Bright Knowledge Base article.
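A check to run after installing the updated OpenSSL packages, added here as an example and not taken from Bright's own tooling: a process that loaded the old libssl or libcrypto keeps running the old code until it is restarted, and this script lists such processes. The script name and the `--scan` argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: find processes still running a pre-update OpenSSL.
# A package upgrade unlinks the old libssl/libcrypto files, but any process
# that already loaded them keeps the old code mapped until it restarts.
# The kernel marks such mappings "(deleted)" in /proc/<pid>/maps.

# Return 0 if the given maps file shows a deleted libssl/libcrypto mapping.
# The pattern requires "libssl.so"/"libcrypto.so" exactly, so unrelated
# libraries such as NSS's libssl3.so are not reported.
has_stale_openssl() {
    grep -Eq '/lib(ssl|crypto)\.so[^/ ]* \(deleted\)$' "$1" 2>/dev/null
}

# Print "pid command" for every process with a stale mapping under a proc
# root (default /proc; the parameter exists so the logic can be tested).
list_stale_processes() {
    local root="${1:-/proc}" dir pid name
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        if has_stale_openssl "$dir/maps"; then
            pid="${dir##*/}"
            name="$(cat "$dir/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Scan only when asked to, e.g.:  sudo ./check_stale_openssl.sh --scan
if [ "${1:-}" = "--scan" ]; then
    stale="$(list_stale_processes /proc)"
    if [ -n "$stale" ]; then
        echo "Restart these services to load the updated OpenSSL:"
        echo "$stale"
        exit 1
    fi
    echo "No running process maps a replaced libssl/libcrypto."
fi
```

Run it as root on the head node and on the nodes so that every process's maps file is readable; an Apache or cluster manager process in the output has not yet picked up the fix.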