Google, AWS, Rackspace affected by Heartbleed OpenSSL flaw - but Azure escapes

Google, AWS, Rackspace affected by Heartbleed OpenSSL flaw - but Azure escapes

Summary: Microsoft has confirmed Azure Services are pretty much immune to the Heartbleed OpenSSL bug, except for customers running Linux images in its cloud. Google, Amazon, Rackspace, Joyant, and others have clarified which of their services are affected, and which are in the clear.

TOPICS: Security, Cloud

As most cloud infrastructure providers announced fixes to the worrying Heartbleed OpenSSL flaw, Microsoft's Azure cloud has emerged largely unscathed — but customers running Linux images on it may be affected, the company warned.

As of Wednesday, public cloud providers Google, Amazon, Rackspace, Joyant, and CenturyLink had issued updates to inform customers what systems had been patched and what remediation steps needed to be done for components that may be affected by the Heartbleed bug.

For a quick recap, the memory leakage bug means attackers can hit up affected servers to extract passwords, private keys, and session tokens, among other data. 

Late on Wednesday Microsoft also, somewhat belatedly, issued its notification for Azure customers since "many customers are wondering whether this affects Microsoft’s offerings, specifically Microsoft Azure", its Azure blog said yesterday.

According to Microsoft, "most" Microsoft Services, including Microsoft Account and Azure, were not affected by the OpenSSL vulnerability and of course the Windows implementation of SSL/TLS were not impacted.

"Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (aka SChannel), which is not susceptible to the Heartbleed vulnerability," it said.

However, it warned that customers running Linux images in Azure Virtual Machines (which they've been able to do since 2012, when the Heartbleed bug first entered OpenSSL) could very well be vulnerable.

"We recommend that all customers who may be vulnerable follow the guidance from their software distribution provider," Microsoft said, pointing to guidance from US Cert.

Businesses should check the guidance for products, such as Universal Threat Management devices, virtualisation kit, and other tech confirmed to be affected by the bug. For dozens of vendors, it remains unknown whether products are impacted by the flaw or not.

Microsoft's extensible web server IIS was not affected by the bug. However, that doesn't mean companies that run their websites on it won't be affected, largely due to the practice of employing a third-party load balancer — such as Amazon Web Services, which was affected by Heartbleed.

"Even if you were running Microsoft IIS or a version of OpenSSL that wasn't vulnerable, the AWS load balancer could still be exploited to capture your private SSL certificates, and potentially usernames, passwords and session cookies," Ty Miller, CEO of Australian security firm Threat Intelligence, told ZDNet.

Besides Elastic Load Balancing, other services Amazon yesterday confirmed were affected include EC2, OpsWorks, Elastic Beanstalk, and CloudFront.

Google says it has patched Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine while Chrome and Chrome OS were not affected. However, it is preparing a patch for Android 4.1.1, while all other versions of the OS are immune to the bug. It's also preparing a patch for its Search Appliance. 

Google added that is rolled out patches to all instances on Cloud SQL on Wednesday and will continue to do so on Thursday. Also, it advised customers that use Google Compute Engine that they needed to "manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL".

Google said the vulnerability affects all Debian, RHEL, and CentOS instances in Compute Engine that do not have the most updated version of OpenSSL. It's also provided instructions for how to resolve the issue here.

Users of Google's faster HTTP protocol SPDY should also take note: Google has also released a bug fix for mod_spdy, its Apache module that supports the SPDY protocol.

Rackspace has patched its own infrastructure but on Wednesday said it is "working to patch systems for all customers whose servers we have access to, unless they've specifically noted that they do not want us to patch their systems". The company noted it cannot patch servers for core cloud customers or managed colocation customers. It has further advice here

CenturyLink Cloud's major area of concern was the OpenVPN software which connects client devices to its cloud. OpenVPN was affected and didn't on Wednesday have a patched package available. It has since been updated, however customers are advised to read its notification.

Joyent has also listed all pkgsrc repositories since 2012 that are affected and has updates that are ready for customers.

One of the problems with fixing the bug that affects so much of the internet's infrastructure is that it means different things to different groups, depending on whether you're a consumer, a company using an affected product, a cloud provider, or a service provider that runs applications in a cloud affected by the bug.

Yahoo, for example, has advised all Tumblr customers to reset passwords to everything, however security experts have warned it may be best to wait for providers to confirm they've fixed the flaw. 

"If you need to change your password on a server that is at risk due to heartbleed, then the new password you choose may be at risk due to heartbleed," Sophos' Asia Pacific head of technology Paul Ducklin said.

"And it's fair to say that there are a lot more people ready to heartbleed your new password right now than there were a week, a month or a year ago when you set the old password up."

Read more on Heartbleed

Topics: Security, Cloud

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Is there... organization to oversee security audits of important bits of open software? This particular bug has been around for two years.

    If no such organization exists maybe the big players should create one?

    Because I know this isn't the only bag bug out there, humans make mistakes and this is likely not the only one (or even the worst one). Please understand I'm not saying open software is crap, because it isn't, but this kind of bug is a red flag there could be others.

    Time to fund some *expert* security eyeballs...
    • Skipping FOSS to avoid all the hustles

      Time after time FOSS proves unable to walk that "better than proprietary" talk so at some point people need to wake up to smell the reality.
      • By all means, put all your eggs in someone's private basket.

        Are you suggesting that you can buy infalibility? And if so, from whom?
        • Pretty much

          And one of the advantages of UNIX family systems (to include OSX) is that there is usually a lot more information about where the software came from and what's in it (to include versioning in the case of packages derived from open source) than there is with Windows components (or so it seems to me, Windows specialists might have a different opinion). This allows administrators to make more informed decisions about what and what not to use (if you don't trust a particular package, there's nothing to stop you from using a different one). Admittedly, the stock Windows components can be replaced with UNIX toys (I can't live without Cygwin any more on the Windows side, personally).
          John L. Ries
      • Agreed

        Open source is not better or worse than proprietary software. What is the issue here is procedures and audit process. Tester, program manager are missing in this development cycle.
        • I won't go that far

          But auditing and procedures are important no matter what the development model.
          John L. Ries
      • Your comment would mean more, if..

        Proprietary software had any better a record.

        It was just late last year, or early this year, that MS released a security patch for all versions of Windows, from XP to current (8 at the time), that had been in Windows since 2002.

        I tried to find a link, but have you ever tried to google "Windows +security patch"?
      • Because IIS can't get hacked by a big string of Ns.

        I remember Code Red, too. Junk software isn't unique to open-source; but I'll take a bunch of "take the time to write shitty code but at least you can fix it" people over "lock down everything possible, so when the shit gets exposed you're just that much more screwed".
    • Why not this?

      Instead of having the government audit Open Source security software, why not just have the NSA write the software for us? (No this is not a troll but just driving the point home.) Having the government audit Open Source software is as silly as asking the NSA to write crypto for us. I would not trust the government (or the UN). Should there be an Open Source audit group? Like might be a better solution?
      • Governments should be auditing the software they use...

        ...and what their contractors are using, and they should publish their recommendations about security (to include assessments of off the shelf packages) so the rest of us can benefit (after all, we're paying for it), but the intelligence agencies have a conflict of interest, so they shouldn't be the ones doing it (except for their own systems). I the case of the US Government, perhaps there could be a team in the federal CIO's office (which is under OMB) responsible for this.
        John L. Ries
      • re: why not this:

        the NSA and Homeland Security were one of the main contributors of the code for the OpenSSL project. Many of the people involved have stated that most of the code was extremely hard to understand. It was like it was intentionally made to be hard to decipher what it was supposed to do. Draw your own conclusions from that. Here is a link from 2006
  • Hmmm

    I'm a bit of a conspiracy theorist, I must admit... but wouldn't it be something if all of these articles were planted to generate buzz for Open SSL to do the exact thing they're warning us against? Until today, I had no idea Open SSL existed, now myself and several others will surely attempt to get a free SSL certificate - especially one that's now supposedly guaranteed secure. Only one major security flaw that's now been fixed? My golly, sign me up! ...Just saying.
    • Nope

      Nice try, but you're talking about two separate entities. OpenSSL is developed and given away for free - they make no money whenever you buy an SSL certificate. And even the SSL certificate vendors (Comodo, VeriSign, GoDaddy, and others) are *losing* money on this because they need to re-issue (for free) the certificates they had already issued.
    • conspiracy

      "Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (aka SChannel), which is not susceptible to the Heartbleed vulnerability,"
      Customers running Linux images in Azure Virtual Machines (which they've been able to do since 2012, when the Heartbleed bug first entered OpenSSL) could very well be vulnerable. I was just wondering, If Microsoft products are not affected, wouldn't it be funny if somebody found out that Microsoft released this bug to cut down on the competition . Just a thought .....
      • all viruses, malware, security bugs

        Are created specifically to attempt to drive customers in one direction or another... all signs point to yes.
        • *All* is a sweeping statement

          And while it might be lucrative to create viruses just so you can sell AV software, the consequences would be dire if you're caught.
          John L. Ries
          • "...the consequences would be dire if you're caught."

            Oh? Wanna bet? I used to think so, too.

            Given the mindset of the anti-regulators and anti-enforcers in 2-1/2 of the most-major political parties in the US (all Republicans and their Teanut Gallery lapdogs and the bastard half-Democrats known as Neo-Liberals) who are totally beholden and thoroughly subservient to the Economic Royalists and their malignant obsession with their religion--"free marketism", do you really expect any of them to fund an investigation, let alone a prosecution of any such perps or their sponsors?

          • Yes, but...

            ...prosecution isn't the only risk.

            And you should be careful about who you insult. I'm guessing I'm not the only half-Democrat who posts here (though I tend to be conservative where liberal Republicans are liberal and vice versa).
            John L. Ries
          • spixleatedlifeform: I suppose then that, if you're not in one of those

            parties you mentioned, that you must be in the regressive groups, which want to bring socialism/communism back to the world, in order to recreate or emulate such great economies as those of the old USSR and North Korea and Cuba and Venezuela.

            Tell you what: why don't you get the heck out of the U.S. and get on the first plane to one of those countries that more closely fit your idiotic ideology. You're taking up too much space, and breathing the same air as those of us who still believe in what the U.S. constitution and bill of rights have given us. Don't let the door hit you on the way out. Good riddance to all idiots such as you.
  • Google, AWS, Rackspace affected by Heartbleed OpenSSL flaw - but Azure esca

    One of the many times it pays to use Microsoft services and products. I can laugh at my one linux using coworker now and tease him about patching and compiling his apps. Of course we wouldn't let him use linux at work but he talks about using it at home.