
The Heartbleed OpenSSL vulnerability (http://heartbleed.com/) affects OpenSSL 1.0.1 through 1.0.1f (inclusive).

I use Amazon Elastic Load Balancer to terminate my SSL connections. Is ELB vulnerable?

secretmike
  • I've been trying to get a straight answer to this one myself. [This forum post implies yes](https://forums.aws.amazon.com/thread.jspa?threadID=149690), but it's not from an official source so I'm not sure how far I trust it (except that when in doubt I'd lean toward assuming compromised over secure). – voretaq7 Apr 08 '14 at 01:34
  • Is there any POC code available for exploiting this so we don't have to wait for/trust vendors' responses? – Mark Wagner Apr 08 '14 at 02:49
  • [http://possible.lv/tools/hb/](http://possible.lv/tools/hb/) will check whether heartbeat is enabled, but can't detect the difference between patched and unpatched versions. [http://filippo.io/Heartbleed/](http://filippo.io/Heartbleed/) claims to be a real POC, and it seemed to work for my case, but its server is slammed and the author hasn't posted source. – solublefish Apr 08 '14 at 03:51
  • filippo.io has now posted a "fork me on github" link on the page - https://github.com/FiloSottile/Heartbleed – Ben Walding Apr 08 '14 at 06:02

1 Answer


Update 09/04/2014 1:00AM EST

Amazon has stated that all Elastic Load Balancers have been updated and are no longer vulnerable. They recommend rotating certs as well.

Update 08/04/2014 2:56PM CST

Amazon has stated that all Elastic Load Balancers except those in US-EAST-1 have been updated, and the vast majority of those in US-EAST-1 have been updated.

Update 08/04/2014 9:58PM PST

Amazon has confirmed that this affects the ELB platform and is currently working to mitigate the exploit. See the link below for the official response.

Yes, it is, most likely. Several people have stated that they've gotten responses from Amazon that ELB is affected by this issue. Frankly, most SSL applications are affected by this, with the notable exception of Cloudflare, which seems to have gotten early warning.

Evidence suggesting as such:

https://forums.aws.amazon.com/thread.jspa?threadID=149690#jive-message-535248

See also:

http://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/

Jacob
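As an added example (not from the question, the answer, or AWS), here is a defender-side triage of `openssl version -a` output collected from your own hosts against the affected range stated in the question. The 7 April 2014 upstream fix date (OpenSSL 1.0.1g) is a known fact not taken from this page, and the build-date heuristic for distribution backports, the host names and the sample outputs are my own constructed assumptions.

```python
import re
from datetime import date, datetime

# Range stated in the question: OpenSSL 1.0.1 through 1.0.1f inclusive is affected.
# 1.0.1g (released 7 April 2014) is the first upstream release carrying the fix;
# that date is a known fact, not something the page states.
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"
FIX_RELEASE_DATE = date(2014, 4, 7)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")
# Matches the "built on: Mon Apr  7 20:33:29 UTC 2014" line printed by `openssl version -a`.
_BUILT_RE = re.compile(r"built on:\s*\w{3}\s+(\w{3}\s+\d{1,2})\s+\S+\s+\S+\s+(\d{4})")


def classify(version_output):
    """Classify the text of `openssl version -a` (or plain `openssl version`).

    Returns 'affected', 'fixed', 'unaffected', 'unknown', or
    'affected-unless-backported' when the version letter is in the affected
    range but the build date is on or after the upstream fix. Distribution
    security builds keep the old letter (e.g. 1.0.1e) and only rebuild with the
    patch, so the letter alone cannot prove such a host is still vulnerable.
    """
    m = _VERSION_RE.search(version_output)
    if not m:
        return "unknown"                      # not an OpenSSL banner we can parse
    major, minor, fix, letter = m.groups()
    if (int(major), int(minor), int(fix)) != AFFECTED_BRANCH:
        return "unaffected"                   # outside the 1.0.1 branch the question names
    if letter >= FIRST_FIXED_LETTER:
        return "fixed"                        # 1.0.1g and later
    b = _BUILT_RE.search(version_output)
    if b:
        built = datetime.strptime(f"{b.group(1)} {b.group(2)}", "%b %d %Y").date()
        if built >= FIX_RELEASE_DATE:
            return "affected-unless-backported"
    return "affected"                         # 1.0.1 (no letter) through 1.0.1f


def triage(inventory):
    """inventory: {host: version output}. Returns {host: classification}."""
    return {host: classify(out) for host, out in inventory.items()}


# Constructed sample inventory (hypothetical hosts, hand-written outputs).
SAMPLE_INVENTORY = {
    "web-1": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Feb 12 10:11:12 UTC 2013",
    "web-2": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014",
    "web-3": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy": "OpenSSL 1.0.0l 6 Jan 2014",
    "bastion": "OpenSSL 1.0.1 14 Mar 2012",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts reported as `affected-unless-backported` still need confirmation from the distribution's advisory or a patched package version, since the banner alone cannot distinguish a rebuilt 1.0.1e from an unpatched one.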