There is a bug in certain versions of OpenSSL that may leak confidential information from both the client and the server. This confidential information may include private keys, among other sensitive information.

Additional Resources:

AWS Security Bulletins: https://aws.amazon.com/security/security-bulletins/
Official OpenSSL security advisory: https://www.openssl.org/news/secadv_20140407.txt
Heartbleed Bug: http://heartbleed.com/
Amazon Linux AMI Security Bulletin: https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/
Canonical Security Advisory: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-0160.html
Red Hat Security Advisory: https://access.redhat.com/security/cve/CVE-2014-0160/

See the AWS Security Bulletins page for details about impact to services.

Use the following instructions to update the OpenSSL package to the latest supported release that incorporates this patch. Be sure to restart any services that might use the libraries included with the OpenSSL package. This can include Apache, nginx, etc. If in doubt, rebooting the operating system will force all services to use the updated libraries.

Amazon Linux AMI / Red Hat Enterprise Linux / CentOS / Fedora:

  1. Connect to your instance using the associated key pair and user name.
  2. Run the command sudo yum update openssl.
  3. Restart all services that use the openssl package, or reboot the instance.

Ubuntu Linux / Debian:

  1. Connect to your instance using the associated key pair and user name.
  2. Run the command sudo apt-get update.
  3. Run the command sudo apt-get upgrade.
  4. Restart all services that use the openssl package, or reboot the instance.

SuSE Enterprise Linux (SLES):

  • By default, the 0.9.8 branch of OpenSSL is installed on SLES 11 sp3, so it is not affected by this vulnerability.

Use the operating system's built-in package management tools to query the current release.

Amazon Linux AMI:

  1. Connect to your instance using the associated key pair and user name.
  2. Run the command rpm -q openssl.
  3. The version displayed should be either 1.0.1e-37.66amzn1 or 1.0.1e-4.58amz1.
  4. Alternatively, you can run openssl version -a. If the built on: line states Mon Apr 7 23:37:42 UTC 2014, then the installed OpenSSL package has been patched. Please note that although the package is still labeled 1.0.1e, the latest version of the package within the Amazon Linux AMI repository contains a patch to address this issue.

Red Hat Enterprise Linux:

  1. Connect to your instance using the associated key pair and user name.
  2. Run the command rpm -q openssl.
  3. The version displayed should be 1.0.1e-16.el6_5.7 or later.

According to Red Hat, this issue does not affect RHEL 6.4.

Ubuntu Server 12.04 LTS / 13.10:

  1. Connect to your instance using the associated key pair and user name.
  2. Run the command sudo dpkg -s openssl.
  • On Ubuntu Server 12.04 LTS, the version displayed should be 1.0.1-4ubuntu5.12 or later.
  • On Ubuntu Server 12.10, the version displayed should be 1.0.1c-3ubuntu2.7 or later.
  • On Ubuntu Server 13.10, the version displayed should be 1.0.1e-3ubunt1.2 or later.
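As an added example (not part of the original page), the following script applies the release checks above to captured package-manager output, so the same test can be run across many instances from saved `rpm -q openssl`, `dpkg -s openssl` or `openssl version -a` output. The fixed releases are the ones quoted on this page; the distro keys, the simplified rpm-style version comparison, and the sample output strings are this script's own assumptions.

```python
import re
# Fixed package releases quoted on this page.  FIXED_MINIMUM entries mean "this
# release or later"; Amazon Linux names two exact releases, so those match exactly.
FIXED_MINIMUM = {                      # distro keys are this script's own naming
    "rhel": "1.0.1e-16.el6_5.7",
    "ubuntu-12.04": "1.0.1-4ubuntu5.12",
    "ubuntu-12.10": "1.0.1c-3ubuntu2.7",
    "ubuntu-13.10": "1.0.1e-3ubunt1.2",
}
AMZN_FIXED_EXACT = {"1.0.1e-37.66amzn1", "1.0.1e-4.58amz1"}
AMZN_FIXED_BUILD = "Mon Apr 7 23:37:42 UTC 2014"
_SEG = re.compile(r"\d+|[A-Za-z]+")

def vercmp(a, b):
    """Simplified rpm-style comparison: split into numeric/alphabetic segments and
    compare segment by segment (numbers numerically, a numeric segment beating an
    alphabetic one).  Returns -1, 0 or 1.  Epochs are ignored (assumption)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def rpm_version(rpm_q_output):
    """'openssl-1.0.1e-16.el6_5.7.x86_64' -> '1.0.1e-16.el6_5.7'."""
    m = re.match(r"openssl-(.+)\.(x86_64|i686|noarch)$", rpm_q_output.strip())
    return m.group(1) if m else None

def dpkg_version(dpkg_s_output):
    """Pull the Version: field out of `dpkg -s openssl` output."""
    m = re.search(r"^Version:\s*(\S+)", dpkg_s_output, re.M)
    return m.group(1) if m else None

def is_fixed(distro, version):
    """True if the installed release meets the fixed release listed for distro."""
    if version is None:
        return False                    # package not installed or parse failure
    if distro == "amzn":
        return version in AMZN_FIXED_EXACT
    return vercmp(version, FIXED_MINIMUM[distro]) >= 0

def amzn_built_on_is_fixed(openssl_version_a_output):
    """Amazon Linux alternative: check the 'built on:' line of `openssl version -a`."""
    m = re.search(r"^built on:\s*(.+)$", openssl_version_a_output, re.M)
    return bool(m) and " ".join(m.group(1).split()) == AMZN_FIXED_BUILD
```

Note that an unpatched 1.0.1e-37.65amzn1 would sort after 1.0.1e-4.58amz1, which is why the Amazon Linux releases are matched exactly rather than as a minimum.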

If you use Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing, Amazon CloudFront, AWS CloudFormation, or AWS Elastic Beanstalk, you should regenerate your private keys and CSR (certificate signing request), submit the new CSR to your certificate authority, and obtain a replacement SSL certificate. If you need help generating a private key and new CSR, refer to your certificate issuer's documentation or reach out to AWS Support.

Amazon CloudFront:

Rotate your SSL certificates. See Rotating SSL Certificates in the Amazon CloudFront Developer Guide.

Elastic Load Balancing:

Rotate your SSL certificates. See Update an SSL Certificate for a Load Balancer in the Elastic Load Balancing Developer Guide. You should also consider resetting session cookies and any other sensitive information (for example, passwords) that have been transferred over your encrypted connections.

Amazon RDS:

If you have an RDS PostgreSQL database created before 03:23 am PDT on April 8, 2014, then you should reboot your RDS instance. Otherwise, it will be rebooted on your behalf in your next maintenance window. All new database instances created after 03:23 am PDT on April 8, 2014 already have the fix. Amazon RDS for MySQL, Oracle, and SQL Server instances were not affected by this issue.

Amazon Redshift:

All new clusters deployed after 04:15 am PDT on April 8, 2014 already have the fix. Clusters deployed before this time will be patched in the first maintenance window after 04:15 am PDT on April 8, 2014. To apply the patch immediately, you can change your maintenance window settings in the Amazon Redshift console (https://console.aws.amazon.com/redshift/home) to adjust when this occurs.

Windows instances:

A fix is required only if the affected OpenSSL package for Windows has been installed on the Windows instance. Amazon-provided Windows AMIs do not have this application installed by default.

If you have installed OpenSSL on your Windows instance, you can check the version by opening Windows PowerShell, typing appwiz.cpl, locating the OpenSSL installation on the list of installed programs, and checking the version listed. If the version is earlier than 1.0.1g (version 1.0.1g itself and the 1.0.0 and 0.9.8 branches are not affected), then upgrading to a newer version of OpenSSL is highly recommended. The Windows binaries can be downloaded here: http://slproweb.com/products/Win32OpenSSL.html. It is also recommended that you check with application vendors for updates if you suspect their applications might use affected versions of OpenSSL.