Google, AWS, Rackspace affected by Heartbleed OpenSSL flaw - but Azure escapes

Microsoft has confirmed Azure Services are pretty much immune to the Heartbleed OpenSSL bug, except for customers running Linux images in its cloud. Google, Amazon, Rackspace, Joyent, and others have clarified which of their services are affected, and which are in the clear.
Written by Liam Tung, Contributing Writer

As most cloud infrastructure providers announced fixes to the worrying Heartbleed OpenSSL flaw, Microsoft's Azure cloud has emerged largely unscathed — but customers running Linux images on it may be affected, the company warned.

As of Wednesday, public cloud providers Google, Amazon, Rackspace, Joyent, and CenturyLink had issued updates to inform customers which systems had been patched and what remediation steps were needed for components that may be affected by the Heartbleed bug.

For a quick recap, the memory leakage bug means attackers can hit up affected servers to extract passwords, private keys, and session tokens, among other data. 

Late on Wednesday Microsoft also, somewhat belatedly, issued its notification for Azure customers since "many customers are wondering whether this affects Microsoft’s offerings, specifically Microsoft Azure", its Azure blog said yesterday.

According to Microsoft, "most" Microsoft Services, including Microsoft Account and Azure, were not affected by the OpenSSL vulnerability and of course the Windows implementation of SSL/TLS was not impacted.

"Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (aka SChannel), which is not susceptible to the Heartbleed vulnerability," it said.

However, it warned that customers running Linux images in Azure Virtual Machines (which they've been able to do since 2012, when the Heartbleed bug first entered OpenSSL) could very well be vulnerable.

"We recommend that all customers who may be vulnerable follow the guidance from their software distribution provider," Microsoft said, pointing to guidance from US-CERT.

Businesses should check the guidance for products, such as Universal Threat Management devices, virtualisation kit, and other tech confirmed to be affected by the bug. For dozens of vendors, it remains unknown whether products are impacted by the flaw or not.

Microsoft's extensible web server IIS was not affected by the bug. However, that doesn't mean companies that run their websites on it won't be affected, largely due to the practice of employing a third-party load balancer — such as Amazon Web Services, which was affected by Heartbleed.

"Even if you were running Microsoft IIS or a version of OpenSSL that wasn't vulnerable, the AWS load balancer could still be exploited to capture your private SSL certificates, and potentially usernames, passwords and session cookies," Ty Miller, CEO of Australian security firm Threat Intelligence, told ZDNet.

Besides Elastic Load Balancing, other services Amazon yesterday confirmed were affected include EC2, OpsWorks, Elastic Beanstalk, and CloudFront.

Google says it has patched Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine while Chrome and Chrome OS were not affected. However, it is preparing a patch for Android 4.1.1, while all other versions of the OS are immune to the bug. It's also preparing a patch for its Search Appliance. 

Google added that it rolled out patches to all instances on Cloud SQL on Wednesday and will continue to do so on Thursday. It also advised customers that use Google Compute Engine that they needed to "manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL".

Google said the vulnerability affects all Debian, RHEL, and CentOS instances in Compute Engine that do not have the most updated version of OpenSSL. It's also provided instructions for how to resolve the issue here.

Users of Google's faster HTTP protocol SPDY should also take note: Google has also released a bug fix for mod_spdy, its Apache module that supports the SPDY protocol.

Rackspace has patched its own infrastructure but on Wednesday said it is "working to patch systems for all customers whose servers we have access to, unless they've specifically noted that they do not want us to patch their systems". The company noted it cannot patch servers for core cloud customers or managed colocation customers. It has further advice here.

CenturyLink Cloud's major area of concern was the OpenVPN software which connects client devices to its cloud. OpenVPN was affected and, as of Wednesday, did not have a patched package available. It has since been updated; however, customers are advised to read its notification.

Joyent has also listed all pkgsrc repositories since 2012 that are affected and has updates that are ready for customers.

One of the problems with fixing the bug that affects so much of the internet's infrastructure is that it means different things to different groups, depending on whether you're a consumer, a company using an affected product, a cloud provider, or a service provider that runs applications in a cloud affected by the bug.

Yahoo, for example, has advised all Tumblr customers to reset passwords to everything; however, security experts have warned it may be best to wait for providers to confirm they've fixed the flaw.

"If you need to change your password on a server that is at risk due to heartbleed, then the new password you choose may be at risk due to heartbleed," Sophos' Asia Pacific head of technology Paul Ducklin said.

"And it's fair to say that there are a lot more people ready to heartbleed your new password right now than there were a week, a month or a year ago when you set the old password up."
