
OpenSSL/Heartbleed vulnerability on BastionLinux

by Alan Milligan — last modified Apr 10, 2014 10:25 AM

BastionLinux is not affected by the OpenSSL/Heartbleed vulnerability - but bitcoiners beware!

BastionLinux/x86_64 uses OpenSSL 1.0.0d, built with strong crypto and a number of elliptic curves enabled so we can support bitcoin. This version of OpenSSL is not affected by the recently published vulnerability. If you're running any of our AMI images from the AWS Marketplace (Zenoss, Chef, Plone), then Apache/SSL is perfectly secure.

However, this vulnerability is present in our Raspberry Pi/ARM image, and if you've downloaded it we strongly recommend that you upgrade to our openssl-1.0.1g release if your RPi is actually internet-facing and running Apache/SSL.

Something not so well publicised is that if you are running bitcoind from the Bitcoin Foundation and have exposed its RPC service to the internet (or to otherwise untrusted IPs), then (i) hopefully you have set up the X509/PKI features; and (ii) it is highly likely that this service is also vulnerable to Heartbleed.

Bitcoin on our image is affected, and we strongly recommend that you upgrade openssl and restart your bitcoind. On BastionLinux/RPi, open a terminal and run the following commands:

$ sudo yum update
$ sudo monit restart bitcoin
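As an added example (my own script, not from this post or from BastionLinux), here is a POSIX sh check that classifies an installed OpenSSL version against the Heartbleed-affected range and then lists the processes that still have libssl mapped, which is the reason for the restart step above: an updated library does nothing for a daemon still running the old copy. The affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is a known fact not stated on the page, and the function names heartbleed_affected, heartbleed_affected_banner and ssl_linked_pids are my own.

```shell
#!/bin/sh
# Added example, not from the original post: classify an OpenSSL version
# against the Heartbleed range, then find processes still mapping libssl
# so they can be restarted after "yum update" (e.g. "monit restart bitcoin").

# Return 0 (true) if VERSION is Heartbleed-affected.
# Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1. Not affected: 1.0.1g and
# later, every 1.0.0x (such as the 1.0.0d on BastionLinux/x86_64), 0.9.8x.
# Any other 1.0.1 build (e.g. a beta) is conservatively treated as affected.
heartbleed_affected() {
    case "$1" in
        1.0.1[g-z]*)  return 1 ;;   # 1.0.1g is the fixed release
        1.0.1*)       return 0 ;;   # 1.0.1 .. 1.0.1f and 1.0.1 betas
        1.0.2-beta1*) return 0 ;;
        *)            return 1 ;;   # 1.0.0x, 0.9.8x, 1.0.2 final and later
    esac
}

# Same check on the banner printed by "openssl version", for example
# "OpenSSL 1.0.1f 6 Jan 2014": the version is the second field.
heartbleed_affected_banner() {
    set -- $1          # unquoted on purpose: split the banner into fields
    heartbleed_affected "$2"
}

# Print "PID command line" for every process with a libssl shared object
# mapped (Linux /proc only). bitcoind, Apache/httpd and a PyQt or Armory
# wallet process will appear here if they link OpenSSL and have not been
# restarted since the library was upgraded.
ssl_linked_pids() {
    for maps in /proc/[0-9]*/maps; do
        grep -q 'libssl\.so' "$maps" 2>/dev/null || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

# Stand-alone use: report the installed library, then what still maps it.
if command -v openssl >/dev/null 2>&1; then
    banner=$(openssl version)
    if heartbleed_affected_banner "$banner"; then
        echo "AFFECTED: $banner - update openssl, then restart the processes below"
    else
        echo "not affected: $banner"
    fi
fi
ssl_linked_pids
```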


What's more, applications such as PyQt4, which provides the basis of the bitcoin client GUI, and BitcoinArmory also use potentially vulnerable OpenSSL on any Linux distro. I am not sure exactly how feasible it is to use this exploit to compromise an online wallet, but there is certainly plenty of incentive to make such an attempt. I would strongly advise taking your wallet offline until you've upgraded your OpenSSL.


Location: Sydney, Australia
Alan Milligan
Alan is the principal technical architect of Last Bastion Network solutions in Australia. Alan's background is in application development with a number of global titans of retail and investment banking. Alan also has a history of CIO roles for a number of start ups where he delivers business value with open source solutions. Talk to Alan about how you can deliver critical infrastructure while mitigating risk and managing your existing vendor relationships.