Call for Action: Fix Heartbleed Security Bug (CVE-2014-0160) for CPM Server Instances

This new bug, discovered in OpenSSL, allows stealing information that should be protected by SSL/TLS encryption. You can read more at this link: https://www.openssl.org/news/secadv_20140407.txt

CPM Server instances running versions 1.0.0 and 1.0.1 are vulnerable to this bug.

The fix will be included in the next CPM software update. If your CPM server is protected by security groups/VPC from outside connections, you may defer the fix until then. Otherwise it is highly recommended to apply the fix now.

For instances running v1.0.0, please upgrade to v1.0.1 first.

To fix the issue, follow these instructions:

  • Connect to the CPM instance using an SSH client with your own key pair and the user “cpmuser”.
  • Type the following commands:
    • sudo apt-mark hold python*
    • sudo apt-get update
    • sudo apt-get -f upgrade
      For this last command, approve the action with ‘Y’; for any questions about configuration, keep the default.
  • The Heartbleed bug can also expose SSL keys, which theoretically means that someone may already have your private key. If you wish to replace the existing SSL certificate and key, since they could have been acquired by someone using this vulnerability before the fix was applied, delete them:
    sudo rm /opt/n2wsoftware/cert/*
  • Reboot the instance:
    sudo reboot
  • After the reboot, CPM will create a new self-signed certificate and key automatically.
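The upgrade above replaces the OpenSSL package, but on Ubuntu the fixed package keeps the old version string (for example “1.0.1e”), so `openssl version` alone does not show whether the fix landed. The script below is an added example, not part of this advisory or of the CPM software: it classifies the output of `openssl version -a` using two facts from the OpenSSL advisory (only 1.0.1 through 1.0.1f are affected; 1.0.1g and the 1.0.0/0.9.8 branches are not) plus the assumption that a backported build dated 7 April 2014 or later carries the fix. The function names and the sample outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the N2WS advisory: classify the OpenSSL build
# reported by `openssl version -a` with respect to Heartbleed (CVE-2014-0160).
# Facts used, from the OpenSSL advisory: only 1.0.1 through 1.0.1f are
# affected; 1.0.1g and the 1.0.0 and 0.9.8 branches are not. Distributions
# shipped the fix as a backport that keeps the old version string (e.g.
# "1.0.1e"), so for those the "built on:" date is the only visible signal:
# a build dated 7 April 2014 or later is taken as patched (assumption).

# Three-letter month name -> two-digit month number.
month_num() {
  case "$1" in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
    *)   echo 00;;
  esac
}

# Print the version token from the first line ("OpenSSL 1.0.1e 11 Feb 2013").
openssl_version_number() {
  printf '%s\n' "$1" | awk 'NR==1 && $1=="OpenSSL" {print $2}'
}

# Print the "built on:" date as YYYYMMDD, or nothing if the line is missing.
# The line looks like "built on: Mon Apr  7 20:33:29 UTC 2014".
build_date_yyyymmdd() {
  line=$(printf '%s\n' "$1" | grep -i '^built on:' | head -n 1)
  if [ -z "$line" ]; then
    return 0
  fi
  set -- ${line#*:}                 # word-split: Mon Apr 7 20:33:29 UTC 2014
  mon=$(month_num "$2")
  day=$3
  for f in "$@"; do year=$f; done   # last field is the year
  [ "${#day}" -eq 1 ] && day="0$day"
  printf '%s%s%s\n' "$year" "$mon" "$day"
}

# True (exit 0) when the version is in the affected range 1.0.1 .. 1.0.1f.
# A suffix such as "-fips" is ignored.
version_in_affected_range() {
  case "${1%%-*}" in
    1.0.1|1.0.1[a-f]) return 0 ;;
    *)                return 1 ;;
  esac
}

# Print one of: not_affected, patched, vulnerable, unknown.
heartbleed_status() {
  ver=$(openssl_version_number "$1")
  if [ -z "$ver" ]; then
    echo unknown              # no recognisable "OpenSSL x.y.z" first line
    return 0
  fi
  if ! version_in_affected_range "$ver"; then
    echo not_affected
    return 0
  fi
  bd=$(build_date_yyyymmdd "$1")
  if [ -z "$bd" ]; then
    echo unknown              # affected version, no build date to go on
  elif [ "$bd" -ge 20140407 ]; then
    echo patched              # affected version string, but rebuilt after the fix
  else
    echo vulnerable
  fi
}

# Constructed sample outputs (not captured from a real CPM instance).
SAMPLE_UNPATCHED='OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Jan  8 20:54:27 UTC 2014'
SAMPLE_BACKPORTED='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Apr  7 20:33:29 UTC 2014'
SAMPLE_FIXED_UPSTREAM='OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr  8 10:00:00 UTC 2014'
SAMPLE_OLD_BRANCH='OpenSSL 1.0.0k 5 Feb 2013
built on: Tue Feb  5 12:00:00 UTC 2013'

# Usage on the instance after `sudo apt-get -f upgrade` and the reboot:
#   sh heartbleed_check.sh --live
if [ "${1:-}" = "--live" ]; then
  heartbleed_status "$(openssl version -a)"
fi
```

Run it with `--live` only after the reboot: the upgrade replaces the library on disk, but the CPM web service keeps the old, vulnerable copy mapped in memory until it is restarted, which is why the reboot step is not optional. A result of `patched` or `not_affected` confirms the library; it says nothing about whether the certificate and key were reissued, which is the separate step above.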